#Windows Security #Lateral Movement #Technologies #MS-RPC

MS-RPC (Microsoft Remote Procedure Call) for Lateral Movement

MS-RPC exposes a number of interfaces through which an administrator can manage a system remotely: for example, creating or starting services, registering scheduled tasks and launching processes, i.e. executing commands with administrative rights on the remote host. An attacker who holds valid administrative credentials can use the same interfaces for lateral movement.

There are two transports (RPC protocol sequences) through which these interfaces are reached; a given interface may be exposed over one or both:

  • ncacn_ip_tcp - RPC directly over TCP. The client first asks the RPC endpoint mapper on TCP 135 which port the interface listens on; the answer is either a dynamically assigned port (49152-65535 by default) or a fixed, well-known port. Protocols such as MS-WMI (DCOM) use this transport. Windows Firewall handles these rules separately from SMB, so on a client they are filtered by default unless the matching rule group (e.g. "Windows Management Instrumentation (WMI)") is enabled.
  • ncacn_np - RPC over named pipes, carried inside SMB through the IPC$ share on TCP 445. Protocols such as MS-SCMR (pipe \pipe\svcctl) use this transport. Windows Firewall has no rules for individual pipes, so they are never filtered separately: if SMB is reachable the pipes are reachable, and if SMB is filtered none of them can be reached.

Allow SMB on firewall with PowerShell

To use RPC protocols based on named pipes, the IPC$ share must be reachable over the network (TCP 445). By default the firewall on a Windows client blocks inbound SMB connections; with administrative access on the machine we can change that.

# Allow SMB on firewall
Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" | Where-Object {$_.Name -like "*SMB-In*"} | Enable-NetFirewallRule

NOTICE: Sharing a folder through Explorer enables the "File and Printer Sharing" firewall rule group automatically, so once at least one folder is shared, SMB (and with it every named-pipe RPC interface) is already reachable without touching the firewall explicitly.
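The following PowerShell script is an added example, not code from the original page. It ties together the two transports described above and the firewall section: Test-RpcTransport probes a target for the two ports that gate ncacn_ip_tcp (TCP 135, the endpoint mapper) and ncacn_np (TCP 445, SMB/IPC$); Get-RpcFirewallState audits, on the local machine, the inbound rule groups that gate each transport; Enable-RpcFirewallGroup is the one-liner above generalised to any group, with -WhatIf support and a post-check that returns whatever is still disabled. The function names are mine, the host name in the usage comment is a constructed placeholder, and the firewall display-group names are assumed to match the stock Windows rule groups.

```powershell
# Added example (not from the original page). Requires the NetSecurity and
# NetTCPIP modules (built into Windows 8 / Server 2012 and later); run elevated
# for the Enable-* function. Display-group names are assumed to be the stock ones.

function Test-RpcTransport {
    # TCP 135 - RPC endpoint mapper: without it a client cannot learn the dynamic
    #           port of a ncacn_ip_tcp interface (the dynamic port itself may still
    #           be filtered even when 135 answers).
    # TCP 445 - SMB: every ncacn_np interface (named pipe via IPC$) rides on it.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ComputerName)

    $epm = Test-NetConnection -ComputerName $ComputerName -Port 135 -InformationLevel Quiet -WarningAction SilentlyContinue
    $smb = Test-NetConnection -ComputerName $ComputerName -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue

    [pscustomobject]@{
        ComputerName   = $ComputerName
        'ncacn_ip_tcp' = $epm
        'ncacn_np'     = $smb
    }
}

# Which inbound rule group gates which transport/protocol. Assumption: stock
# display-group names on Windows 10/11 and Windows Server.
$RpcRuleGroups = @(
    @{ Transport = 'ncacn_np';     Protocol = 'all pipes (MS-SCMR, MS-RRP, MS-TSCH, ...)'; Group = 'File and Printer Sharing';                   Filter = '*SMB-In*' }
    @{ Transport = 'ncacn_ip_tcp'; Protocol = 'MS-WMI (DCOM)';                             Group = 'Windows Management Instrumentation (WMI)'; Filter = '*' }
    @{ Transport = 'ncacn_ip_tcp'; Protocol = 'MS-SCMR';                                   Group = 'Remote Service Management';                Filter = '*' }
    @{ Transport = 'ncacn_ip_tcp'; Protocol = 'MS-TSCH';                                   Group = 'Remote Scheduled Tasks Management';        Filter = '*' }
)

function Get-RpcFirewallState {
    # One row per rule group: is any matching inbound rule currently enabled?
    foreach ($g in $RpcRuleGroups) {
        $rules = Get-NetFirewallRule -DisplayGroup $g.Group -Direction Inbound -ErrorAction SilentlyContinue |
                 Where-Object { $_.Name -like $g.Filter }
        [pscustomobject]@{
            Transport = $g.Transport
            Protocol  = $g.Protocol
            RuleGroup = $g.Group
            RuleCount = @($rules).Count          # 0 means the group does not exist here
            Enabled   = [bool]($rules | Where-Object { $_.Enabled -eq 'True' })
        }
    }
}

function Enable-RpcFirewallGroup {
    # Enables the matching inbound rules of a group and returns the rules that are
    # still disabled afterwards; an empty result means the group is fully open.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Group,
        [string]$Filter = '*'
    )

    $rules = Get-NetFirewallRule -DisplayGroup $Group -Direction Inbound -ErrorAction Stop |
             Where-Object { $_.Name -like $Filter }
    if (-not $rules) { throw "No inbound rules matching '$Filter' in group '$Group'" }

    foreach ($r in $rules) {
        if ($PSCmdlet.ShouldProcess($r.DisplayName, 'Enable-NetFirewallRule')) {
            $r | Enable-NetFirewallRule
        }
    }

    # Post-check: anything left disabled is returned for the caller to inspect.
    Get-NetFirewallRule -DisplayGroup $Group -Direction Inbound |
        Where-Object { $_.Name -like $Filter -and $_.Enabled -ne 'True' }
}

# Usage (ws01.corp.local is a placeholder host name):
#   Test-RpcTransport -ComputerName ws01.corp.local | Format-List
#   Get-RpcFirewallState | Format-Table -AutoSize
#   Enable-RpcFirewallGroup -Group 'File and Printer Sharing' -Filter '*SMB-In*' -WhatIf
```

Running Get-RpcFirewallState on a freshly installed client typically shows every group disabled, which is the situation the paragraph above describes; after Enable-RpcFirewallGroup on "File and Printer Sharing" only the ncacn_np row flips to Enabled, while MS-WMI and the TCP variants of MS-SCMR/MS-TSCH stay filtered until their own groups are opened.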
