MSRPC
Nmap discovered a MSRPC server on the target ports 135 and 593
The running service is Microsoft Windows RPC
┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ rpcclient $IP -N -U ''
rpcclient $> lsaenumsid
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumprinters
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED
rpcclient $> lsaquery
domain name: SEARCH
domain sid: S-1-5-21-271492789-1610487937-1871574529
rpcclient $> netshareenumall
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> dsroledominfo
Machine Role = [5]
Directory Service is running.
Domain is in native mode.
rpcclient $>The target MSRPC service allows anonymous access.
While I was able to learn the domain SID, it requires authentication to further enumerate
domain sid: S-1-5-21-271492789-1610487937-1871574529
impacket-rpcdump
┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ impacket-rpcdump $IP
Impacket v0.12.0.dev1+20231130.165011.d370e63 - Copyright 2023 Fortra
[*] Retrieving endpoint list from 10.10.11.129
Protocol: [MS-RSP]: Remote Shutdown Protocol
Provider: wininit.exe
UUID : D95AFE70-A6D5-4259-822E-2C84DA1DDB0D v1.0
Bindings:
ncacn_ip_tcp:10.10.11.129[49664]
ncalrpc:[WindowsShutdown]
ncacn_np:\\RESEARCH[\PIPE\InitShutdown]
ncalrpc:[WMsgKRpc07DC20]
Protocol: N/A
Provider: winlogon.exe
UUID : 76F226C3-EC14-4325-8A99-6A46348418AF v1.0
Bindings:
ncalrpc:[WindowsShutdown]
ncacn_np:\\RESEARCH[\PIPE\InitShutdown]
ncalrpc:[WMsgKRpc07DC20]
ncalrpc:[WMsgKRpc07F681]
Protocol: N/A
Provider: sysntfy.dll
UUID : C9AC6DB5-82B7-4E55-AE8A-E464ED7B4277 v1.0 Impl friendly name
Bindings:
ncalrpc:[LRPC-b63a7a7f824276a766]
ncalrpc:[IUserProfile2]
ncalrpc:[LRPC-2cc5f39d4a07c9458c]
ncalrpc:[LRPC-f62ef54b4cb3dc9b8a]
ncalrpc:[senssvc]
ncalrpc:[OLE9A99764BC712828C0562802B0B3A]
ncacn_ip_tcp:10.10.11.129[49667]
ncalrpc:[samss lpc]
ncalrpc:[SidKey Local End Point]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSA_EAS_ENDPOINT]
ncalrpc:[lsacap]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncacn_np:\\RESEARCH[\pipe\lsass]
Protocol: N/A
Provider: N/A
UUID : D09BDEB5-6171-4A34-BFE2-06FA82652568 v1.0
Bindings:
ncalrpc:[csebpub]
ncalrpc:[LRPC-3eb8e1966d8f85f393]
ncalrpc:[LRPC-1d40070578927aadfb]
ncalrpc:[LRPC-91fa7cb066002c7dcf]
ncalrpc:[actkernel]
ncalrpc:[umpo]
ncalrpc:[LRPC-1d40070578927aadfb]
ncalrpc:[LRPC-91fa7cb066002c7dcf]
ncalrpc:[actkernel]
ncalrpc:[umpo]
ncalrpc:[LRPC-91fa7cb066002c7dcf]
ncalrpc:[actkernel]
ncalrpc:[umpo]
ncalrpc:[LRPC-d5383894f409501439]
Protocol: N/A
Provider: N/A
UUID : 697DCDA9-3BA9-4EB2-9247-E11F1901B0D2 v1.0
Bindings:
ncalrpc:[LRPC-3eb8e1966d8f85f393]
ncalrpc:[LRPC-1d40070578927aadfb]
ncalrpc:[LRPC-91fa7cb066002c7dcf]
ncalrpc:[actkernel]
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 9B008953-F195-4BF9-BDE0-4471971E58ED v1.0
Bindings:
ncalrpc:[LRPC-1d40070578927aadfb]
ncalrpc:[LRPC-91fa7cb066002c7dcf]
ncalrpc:[actkernel]
ncalrpc:[umpo]
Protocol: N/A
Provider: nsisvc.dll
UUID : 7EA70BCF-48AF-4F6A-8968-6A440754D5FA v1.0 NSI server endpoint
Bindings:
ncalrpc:[LRPC-c25d0d33b264f01df7]
Protocol: N/A
Provider: dhcpcsvc6.dll
UUID : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D6 v1.0 DHCPv6 Client LRPC Endpoint
Bindings:
ncalrpc:[dhcpcsvc6]
ncalrpc:[dhcpcsvc]
Protocol: N/A
Provider: dhcpcsvc.dll
UUID : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D5 v1.0 DHCP Client LRPC Endpoint
Bindings:
ncalrpc:[dhcpcsvc]
Protocol: [MS-EVEN6]: EventLog Remoting Protocol
Provider: wevtsvc.dll
UUID : F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C v1.0 Event log TCPIP
Bindings:
ncacn_ip_tcp:10.10.11.129[49665]
ncacn_np:\\RESEARCH[\pipe\eventlog]
ncalrpc:[eventlog]
Protocol: N/A
Provider: gpsvc.dll
UUID : 2EB08E3E-639F-4FBA-97B1-14F878961076 v1.0 Group Policy RPC Interface
Bindings:
ncalrpc:[LRPC-4b99e8cb43a3854eee]
Protocol: N/A
Provider: N/A
UUID : 3A9EF155-691D-4449-8D05-09AD57031823 v1.0
Bindings:
ncacn_ip_tcp:10.10.11.129[49666]
ncalrpc:[ubpmtaskhostchannel]
ncacn_np:\\RESEARCH[\PIPE\atsvc]
ncalrpc:[LRPC-ac34fdcf77dbd5ec92]
Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
Provider: schedsvc.dll
UUID : 86D35949-83C9-4044-B424-DB363231FD0C v1.0
Bindings:
ncacn_ip_tcp:10.10.11.129[49666]
ncalrpc:[ubpmtaskhostchannel]
ncacn_np:\\RESEARCH[\PIPE\atsvc]
ncalrpc:[LRPC-ac34fdcf77dbd5ec92]
Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
Provider: taskcomp.dll
UUID : 378E52B0-C0A9-11CF-822D-00AA0051E40F v1.0
Bindings:
ncacn_np:\\RESEARCH[\PIPE\atsvc]
ncalrpc:[LRPC-ac34fdcf77dbd5ec92]
Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
Provider: taskcomp.dll
UUID : 1FF70682-0A51-30E8-076D-740BE8CEE98B v1.0
Bindings:
ncacn_np:\\RESEARCH[\PIPE\atsvc]
ncalrpc:[LRPC-ac34fdcf77dbd5ec92]
Protocol: N/A
Provider: schedsvc.dll
UUID : 0A74EF1C-41A4-4E06-83AE-DC74FB1CDD53 v1.0
Bindings:
ncalrpc:[LRPC-ac34fdcf77dbd5ec92]
Protocol: N/A
Provider: N/A
UUID : 7F1343FE-50A9-4927-A778-0C5859517BAC v1.0 DfsDs service
Bindings:
ncacn_np:\\RESEARCH[\PIPE\wkssvc]
ncalrpc:[LRPC-cabaadd51cb88f69ff]
Protocol: N/A
Provider: N/A
UUID : EB081A0D-10EE-478A-A1DD-50995283E7A8 v3.0 Witness Client Test Interface
Bindings:
ncalrpc:[LRPC-cabaadd51cb88f69ff]
Protocol: N/A
Provider: N/A
UUID : F2C9B409-C1C9-4100-8639-D8AB1486694A v1.0 Witness Client Upcall Server
Bindings:
ncalrpc:[LRPC-cabaadd51cb88f69ff]
Protocol: N/A
Provider: MPSSVC.dll
UUID : 2FB92682-6599-42DC-AE13-BD2CA89BD11C v1.0 Fw APIs
Bindings:
ncalrpc:[LRPC-026403755c7c69f689]
ncalrpc:[LRPC-3fc169fdda3747027c]
ncalrpc:[LRPC-e88961988dc82809e9]
ncalrpc:[LRPC-ffa78dc382ebe5e4e5]
Protocol: N/A
Provider: N/A
UUID : F47433C3-3E9D-4157-AAD4-83AA1F5C2D4C v1.0 Fw APIs
Bindings:
ncalrpc:[LRPC-3fc169fdda3747027c]
ncalrpc:[LRPC-e88961988dc82809e9]
ncalrpc:[LRPC-ffa78dc382ebe5e4e5]
Protocol: N/A
Provider: MPSSVC.dll
UUID : 7F9D11BF-7FB9-436B-A812-B2D50C5D4C03 v1.0 Fw APIs
Bindings:
ncalrpc:[LRPC-e88961988dc82809e9]
ncalrpc:[LRPC-ffa78dc382ebe5e4e5]
Protocol: N/A
Provider: BFE.DLL
UUID : DD490425-5325-4565-B774-7E27D6C09C24 v1.0 Base Firewall Engine API
Bindings:
ncalrpc:[LRPC-ffa78dc382ebe5e4e5]
Protocol: N/A
Provider: N/A
UUID : 3473DD4D-2E88-4006-9CBA-22570909DD10 v5.1 WinHttp Auto-Proxy Service
Bindings:
ncalrpc:[29b93080-547a-4e55-bfab-7c4299de00e1]
ncalrpc:[LRPC-e87f8d3af24d31e947]
Protocol: N/A
Provider: N/A
UUID : A500D4C6-0DD1-4543-BC0C-D5F93486EAF8 v1.0
Bindings:
ncalrpc:[LRPC-426d7da1fddb7587b0]
ncalrpc:[LRPC-d5383894f409501439]
Protocol: N/A
Provider: N/A
UUID : C49A5A70-8A7F-4E70-BA16-1E8F1F193EF1 v1.0 Adh APIs
Bindings:
ncalrpc:[OLE12625CA5FE72596C6712B5FD2D3C]
ncalrpc:[TeredoControl]
ncalrpc:[TeredoDiagnostics]
ncalrpc:[LRPC-75fa243ca0388e7560]
Protocol: N/A
Provider: N/A
UUID : C36BE077-E14B-4FE9-8ABC-E856EF4F048B v1.0 Proxy Manager client server endpoint
Bindings:
ncalrpc:[TeredoControl]
ncalrpc:[TeredoDiagnostics]
ncalrpc:[LRPC-75fa243ca0388e7560]
Protocol: N/A
Provider: N/A
UUID : 2E6035B2-E8F1-41A7-A044-656B439C4C34 v1.0 Proxy Manager provider server endpoint
Bindings:
ncalrpc:[TeredoControl]
ncalrpc:[TeredoDiagnostics]
ncalrpc:[LRPC-75fa243ca0388e7560]
Protocol: N/A
Provider: iphlpsvc.dll
UUID : 552D076A-CB29-4E44-8B6A-D15E59E2C0AF v1.0 IP Transition Configuration endpoint
Bindings:
ncalrpc:[LRPC-75fa243ca0388e7560]
Protocol: N/A
Provider: N/A
UUID : 0D3C7F20-1C8D-4654-A1B3-51563B298BDA v1.0 UserMgrCli
Bindings:
ncalrpc:[LRPC-215eb5915800de4ca7]
ncalrpc:[OLE929661D6827E645694AF404B1A47]
Protocol: N/A
Provider: N/A
UUID : B18FBAB6-56F8-4702-84E0-41053293A869 v1.0 UserMgrCli
Bindings:
ncalrpc:[LRPC-215eb5915800de4ca7]
ncalrpc:[OLE929661D6827E645694AF404B1A47]
Protocol: N/A
Provider: N/A
UUID : 51A227AE-825B-41F2-B4A9-1AC9557A1018 v1.0 Ngc Pop Key Service
Bindings:
ncalrpc:[NETLOGON_LRPC]
ncacn_ip_tcp:10.10.11.129[49678]
ncacn_np:\\RESEARCH[\pipe\bd4be72762a5b8bf]
ncacn_http:10.10.11.129[49677]
ncalrpc:[NTDS_LPC]
ncalrpc:[OLE9A99764BC712828C0562802B0B3A]
ncacn_ip_tcp:10.10.11.129[49667]
ncalrpc:[samss lpc]
ncalrpc:[SidKey Local End Point]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSA_EAS_ENDPOINT]
ncalrpc:[lsacap]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncacn_np:\\RESEARCH[\pipe\lsass]
Protocol: N/A
Provider: N/A
UUID : 8FB74744-B2FF-4C00-BE0D-9EF9A191FE1B v1.0 Ngc Pop Key Service
Bindings:
ncalrpc:[NETLOGON_LRPC]
ncacn_ip_tcp:10.10.11.129[49678]
ncacn_np:\\RESEARCH[\pipe\bd4be72762a5b8bf]
ncacn_http:10.10.11.129[49677]
ncalrpc:[NTDS_LPC]
ncalrpc:[OLE9A99764BC712828C0562802B0B3A]
ncacn_ip_tcp:10.10.11.129[49667]
ncalrpc:[samss lpc]
ncalrpc:[SidKey Local End Point]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSA_EAS_ENDPOINT]
ncalrpc:[lsacap]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncacn_np:\\RESEARCH[\pipe\lsass]
Protocol: N/A
Provider: N/A
UUID : B25A52BF-E5DD-4F4A-AEA6-8CA7272A0E86 v2.0 KeyIso
Bindings:
ncalrpc:[NETLOGON_LRPC]
ncacn_ip_tcp:10.10.11.129[49678]
ncacn_np:\\RESEARCH[\pipe\bd4be72762a5b8bf]
ncacn_http:10.10.11.129[49677]
ncalrpc:[NTDS_LPC]
ncalrpc:[OLE9A99764BC712828C0562802B0B3A]
ncacn_ip_tcp:10.10.11.129[49667]
ncalrpc:[samss lpc]
ncalrpc:[SidKey Local End Point]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSA_EAS_ENDPOINT]
ncalrpc:[lsacap]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncacn_np:\\RESEARCH[\pipe\lsass]
Protocol: N/A
Provider: efssvc.dll
UUID : 04EEB297-CBF4-466B-8A2A-BFD6A2F10BBA v1.0 EFSK RPC Interface
Bindings:
ncacn_np:\\RESEARCH[\pipe\efsrpc]
ncalrpc:[LRPC-6631a58d78f7fa5bc0]
Protocol: N/A
Provider: efssvc.dll
UUID : DF1941C5-FE89-4E79-BF10-463657ACF44D v1.0 EFS RPC Interface
Bindings:
ncacn_np:\\RESEARCH[\pipe\efsrpc]
ncalrpc:[LRPC-6631a58d78f7fa5bc0]
Protocol: [MS-NRPC]: Netlogon Remote Protocol
Provider: netlogon.dll
UUID : 12345678-1234-ABCD-EF00-01234567CFFB v1.0
Bindings:
ncalrpc:[NETLOGON_LRPC]
ncacn_ip_tcp:10.10.11.129[49678]
ncacn_np:\\RESEARCH[\pipe\bd4be72762a5b8bf]
ncacn_http:10.10.11.129[49677]
ncalrpc:[NTDS_LPC]
ncalrpc:[OLE9A99764BC712828C0562802B0B3A]
ncacn_ip_tcp:10.10.11.129[49667]
ncalrpc:[samss lpc]
ncalrpc:[SidKey Local End Point]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSA_EAS_ENDPOINT]
ncalrpc:[lsacap]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncacn_np:\\RESEARCH[\pipe\lsass]
Protocol: [MS-RAA]: Remote Authorization API Protocol
Provider: N/A
UUID : 0B1C2170-5732-4E0E-8CD3-D9B16F3B84D7 v0.0 RemoteAccessCheck
Bindings:
ncalrpc:[NETLOGON_LRPC]
ncacn_ip_tcp:10.10.11.129[49678]
ncacn_np:\\RESEARCH[\pipe\bd4be72762a5b8bf]
ncacn_http:10.10.11.129[49677]
ncalrpc:[NTDS_LPC]
ncalrpc:[OLE9A99764BC712828C0562802B0B3A]
ncacn_ip_tcp:10.10.11.129[49667]
ncalrpc:[samss lpc]
ncalrpc:[SidKey Local End Point]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSA_EAS_ENDPOINT]
ncalrpc:[lsacap]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncacn_np:\\RESEARCH[\pipe\lsass]
ncalrpc:[NETLOGON_LRPC]
ncacn_ip_tcp:10.10.11.129[49678]
ncacn_np:\\RESEARCH[\pipe\bd4be72762a5b8bf]
ncacn_http:10.10.11.129[49677]
ncalrpc:[NTDS_LPC]
ncalrpc:[OLE9A99764BC712828C0562802B0B3A]
ncacn_ip_tcp:10.10.11.129[49667]
ncalrpc:[samss lpc]
ncalrpc:[SidKey Local End Point]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSA_EAS_ENDPOINT]
ncalrpc:[lsacap]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncacn_np:\\RESEARCH[\pipe\lsass]
Protocol: [MS-SAMR]: Security Account Manager (SAM) Remote Protocol
Provider: samsrv.dll
UUID : 12345778-1234-ABCD-EF00-0123456789AC v1.0
Bindings:
ncacn_ip_tcp:10.10.11.129[49678]
ncacn_np:\\RESEARCH[\pipe\bd4be72762a5b8bf]
ncacn_http:10.10.11.129[49677]
ncalrpc:[NTDS_LPC]
ncalrpc:[OLE9A99764BC712828C0562802B0B3A]
ncacn_ip_tcp:10.10.11.129[49667]
ncalrpc:[samss lpc]
ncalrpc:[SidKey Local End Point]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSA_EAS_ENDPOINT]
ncalrpc:[lsacap]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncacn_np:\\RESEARCH[\pipe\lsass]
Protocol: [MS-LSAT]: Local Security Authority (Translation Methods) Remote
Provider: lsasrv.dll
UUID : 12345778-1234-ABCD-EF00-0123456789AB v0.0
Bindings:
ncacn_np:\\RESEARCH[\pipe\bd4be72762a5b8bf]
ncacn_http:10.10.11.129[49677]
ncalrpc:[NTDS_LPC]
ncalrpc:[OLE9A99764BC712828C0562802B0B3A]
ncacn_ip_tcp:10.10.11.129[49667]
ncalrpc:[samss lpc]
ncalrpc:[SidKey Local End Point]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSA_EAS_ENDPOINT]
ncalrpc:[lsacap]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncacn_np:\\RESEARCH[\pipe\lsass]
Protocol: [MS-DRSR]: Directory Replication Service (DRS) Remote Protocol
Provider: ntdsai.dll
UUID : E3514235-4B06-11D1-AB04-00C04FC2DCD2 v4.0 MS NT Directory DRS Interface
Bindings:
ncacn_np:\\RESEARCH[\pipe\bd4be72762a5b8bf]
ncacn_http:10.10.11.129[49677]
ncalrpc:[NTDS_LPC]
ncalrpc:[OLE9A99764BC712828C0562802B0B3A]
ncacn_ip_tcp:10.10.11.129[49667]
ncalrpc:[samss lpc]
ncalrpc:[SidKey Local End Point]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSA_EAS_ENDPOINT]
ncalrpc:[lsacap]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncacn_np:\\RESEARCH[\pipe\lsass]
Protocol: N/A
Provider: N/A
UUID : 1A0D010F-1C33-432C-B0F5-8CF4E8053099 v1.0 IdSegSrv service
Bindings:
ncalrpc:[LRPC-e742c118dacb184955]
Protocol: N/A
Provider: srvsvc.dll
UUID : 98716D03-89AC-44C7-BB8C-285824E51C4A v1.0 XactSrv service
Bindings:
ncalrpc:[LRPC-e742c118dacb184955]
Protocol: N/A
Provider: N/A
UUID : DF4DF73A-C52D-4E3A-8003-8437FDF8302A v0.0 WM_WindowManagerRPC\Server
Bindings:
ncalrpc:[LRPC-db1aa866b78b46dfa9]
Protocol: N/A
Provider: sysmain.dll
UUID : B58AA02E-2884-4E97-8176-4EE06D794184 v1.0
Bindings:
ncalrpc:[LRPC-4a99b54aebcd667596]
Protocol: N/A
Provider: IKEEXT.DLL
UUID : A398E520-D59A-4BDD-AA7A-3C1E0303A511 v1.0 IKE/Authip API
Bindings:
ncalrpc:[LRPC-89b47716a7d56562f4]
Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
ncacn_ip_tcp:10.10.11.129[49682]
Protocol: N/A
Provider: N/A
UUID : F3F09FFD-FBCF-4291-944D-70AD6E0E73BB v1.0
Bindings:
ncalrpc:[LRPC-b577a2bc68ce6b5aa3]
Protocol: N/A
Provider: N/A
UUID : 98CD761E-E77D-41C8-A3C0-0FB756D90EC2 v1.0
Bindings:
ncalrpc:[LRPC-dcce81527d43f9d73e]
Protocol: N/A
Provider: N/A
UUID : D22895EF-AFF4-42C5-A5B2-B14466D34AB4 v1.0
Bindings:
ncalrpc:[LRPC-dcce81527d43f9d73e]
Protocol: N/A
Provider: N/A
UUID : E38F5360-8572-473E-B696-1B46873BEEAB v1.0
Bindings:
ncalrpc:[LRPC-dcce81527d43f9d73e]
Protocol: N/A
Provider: N/A
UUID : 95095EC8-32EA-4EB0-A3E2-041F97B36168 v1.0
Bindings:
ncalrpc:[LRPC-dcce81527d43f9d73e]
Protocol: N/A
Provider: N/A
UUID : FD8BE72B-A9CD-4B2C-A9CA-4DED242FBE4D v1.0
Bindings:
ncalrpc:[LRPC-dcce81527d43f9d73e]
Protocol: N/A
Provider: N/A
UUID : 4C9DBF19-D39E-4BB9-90EE-8F7179B20283 v1.0
Bindings:
ncalrpc:[LRPC-dcce81527d43f9d73e]
Protocol: [MS-CMPO]: MSDTC Connection Manager:
Provider: msdtcprx.dll
UUID : 906B0CE0-C70B-1067-B317-00DD010662DA v1.0
Bindings:
ncalrpc:[LRPC-5a5508470fa184e0f6]
ncalrpc:[OLED98FE403B50CEC56E800A4A0A566]
ncalrpc:[LRPC-17427760ed773dfd43]
ncalrpc:[LRPC-17427760ed773dfd43]
ncalrpc:[LRPC-17427760ed773dfd43]
Protocol: [MS-ICPR]: ICertPassage Remote Protocol
Provider: certsrv.exe
UUID : 91AE6020-9E3C-11CF-8D7C-00AA00C091BE v0.0
Bindings:
ncacn_ip_tcp:10.10.11.129[49694]
ncacn_np:\\RESEARCH[\pipe\cert]
ncalrpc:[OLE5C9CABC58AC69649680C576CAF4C]
Protocol: N/A
Provider: nrpsrv.dll
UUID : 30ADC50C-5CBC-46CE-9A0E-91914789E23C v1.0 NRP server endpoint
Bindings:
ncalrpc:[LRPC-1a721ff312792d0490]
Protocol: [MS-DNSP]: Domain Name Service (DNS) Server Management
Provider: dns.exe
UUID : 50ABC2A4-574D-40B3-9D66-EE4FD5FBA076 v5.0
Bindings:
ncacn_ip_tcp:10.10.11.129[49741]
Protocol: [MS-FRS2]: Distributed File System Replication Protocol
Provider: dfsrmig.exe
UUID : 897E2E5F-93F3-4376-9C9C-FD2277495C27 v1.0 Frs2 Service
Bindings:
ncacn_ip_tcp:10.10.11.129[49781]
ncalrpc:[OLE3E7D06BBD44901657A3FD67932FE]
[*] Received 289 endpoints.impacket-rpcdump discovered a total of 289 RPC endpoints
certsrv.exe is up and running via [MS-ICPR], which indicates that the target system is hosting ADCS
ICertPassage Remote Protocol
The MSRPC endpoint for certsrv.exe plays a crucial role in the Certificate Services architecture in a Windows environment. The certsrv.exe process is responsible for handling certificate-related requests and operations.
here are some key points regarding the role of the msrpc endpoint for certsrv.exe:
- certificate enrollment:
- The MSRPC endpoint allows clients to initiate certificate enrollment requests. Clients, such as computers or users, can connect to this endpoint to request and obtain digital certificates from the Certificate Authority (CA).
- certificate renewal and revocation:
- The endpoint facilitates operations related to certificate renewal and revocation. Clients can interact with certsrv.exe to renew their existing certificates or to request the revocation of a certificate.
- managing certificate templates:
- The MSRPC endpoint is involved in managing certificate templates. Certificate templates define the properties and settings for certificates issued by the CA, and clients can interact with certsrv.exe to request certificates based on specific templates.
- certificate lifecycle operations:
- It supports various certificate lifecycle operations, including issuance, renewal, revocation, and potentially other administrative tasks related to managing certificates within the public key infrastructure (PKI).
- microsoft certificate services protocol (ms-icpr):
- the ms-icpr protocol defines the communication between clients and the Certificate Services server (certsrv.exe) using MSRPC. This protocol outlines the messages and procedures for requesting and managing certificates over RPC.
In summary, the MSRPC endpoint for certsrv.exe provides a communication channel for clients to interact with the Certificate Services server, facilitating the enrollment, renewal, and revocation of digital certificates within a Windows-based PKI. It adheres to the Microsoft RPC protocol for certificate-related operations.
IOXIDResolver
┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ python3 ~/Tools/IOXIDResolver.py -t $IP
[*] Retrieving network interface of 10.10.11.129
Address: Research
Address: 10.10.11.129
Address: dead:beef::a950:56b9:6c45:e1ce
Address: dead:beef::20eIOXIDResolver.py returns hostname of the target system as well as those 2 IPv6 addresses associated with AAAA records found earlier