OUPMATH / OxfrodMaths_Prod


Network Issue: 2.Distributed Computing Environment/Remote Procedure Call (DCE/RPC) DCE/RPC service enumeration #75

Closed VrandaNagar closed 7 years ago

VrandaNagar commented 7 years ago

Distributed Computing Environment/Remote Procedure Call (DCE/RPC) DCE/RPC service enumeration:

1. It was found that TCP port 135 is open. TCP port 135 runs RPC services, so an adversary can enumerate the services running on that port using Metasploit, which reveals information about critical services running on the server, like the SAM access (samr) (lsass.exe) service, which runs on the samr interface used to communicate with the SAM (Security Account Manager) subsystem.

RPC: Microsoft Remote Procedure Call (RPC) is a powerful technology for creating distributed client/server programs. RPC is an interprocess communication technique that allows client and server software to communicate. The Microsoft RPC facility is compatible with the Open Group's Distributed Computing Environment (DCE) specification for remote procedure calls and is interoperable with other DCE-based RPC systems, such as those for HP-UX and IBM AIX UNIX-based operating systems.

SAM (Security Access Manager): The Security Account Manager (SAM), often Security Accounts Manager, is a database file[1] in Windows XP, Windows Vista, and Windows 7 that stores users' passwords. It can be used to authenticate local and remote users.

SAMR Interface: The samr interface is used to communicate with the SAM (Security Account Manager) subsystem.

lsass.exe: "lsass.exe" is the Local Security Authentication Server. It verifies the validity of user logons to your PC or server. Lsass generates the process responsible for authenticating users for the Winlogon service. This is performed by using authentication packages such as the default, Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates then inherit this token.

2. Due to the availability of this port, we are able to enumerate the services running on that port using some of the exploits.

Steps to reproduce:

1. Open Metasploit in Kali Linux.

2. Type use auxiliary/scanner/dcerpc/endpoint_mapper. Endpoint_mapper: part of the RPC subsystem that resolves dynamic endpoints in response to client requests and, in some configurations, dynamically assigns endpoints to servers. The endpoint_mapper module queries the EndPoint Mapper service of a remote system to determine what services are available.

3. Type show options to check what information is needed to load in order to run our exploit.

4. Set RHOSTS as 52.76.233.247 (Remote host) and then type run.

5. Observe.

6. Based on the MSRPC DCE-RPC IFIDs (f12345778-1234-abcd-ef00-0123456789ac, 906b0ce0-c70b-1067-b317-00dd010662da) mentioned in the screenshot, the target appears potentially vulnerable to MS00-070, CVE-2000-0544, CVE-2001-0662, CVE-2002-1561, CVE-2003-0533, CVE-2003-0818, CVE-2004-0894.
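A defender-side triage of endpoint-mapper results like the IFIDs quoted in step 6, added here as an example and not part of the issue or the project's code: it validates each interface UUID, maps it to the well-known interface name (samr, lsarpc, svcctl, epmapper, MSDTC) and flags which exposures call for filtering TCP 135 and the RPC dynamic range from untrusted networks. The UUID table is real; the scan line layout and the host 203.0.113.10 are constructed assumptions for this example.

```python
import re
import uuid
# Well-known DCE/RPC interface UUIDs (lower case) -> (name, exposure class).
# "sensitive": the interface fronts the account database, LSA or service
# control manager, so it must not be reachable from untrusted networks.
KNOWN_INTERFACES = {
    "12345778-1234-abcd-ef00-0123456789ac": ("samr", "sensitive"),
    "12345778-1234-abcd-ef00-0123456789ab": ("lsarpc", "sensitive"),
    "367abb81-9844-35f1-ad32-98f038001003": ("svcctl", "sensitive"),
    "e1af8308-5d1f-11c9-91a4-08002b14a0fa": ("epmapper", "info"),
    "906b0ce0-c70b-1067-b317-00dd010662da": ("msdtc IXnRemote", "info"),
}

# Constructed sample scan output, one endpoint per line:
# "<ifid> v<version> <protocol> (<port>) <host>". The layout and the host
# 203.0.113.10 are assumptions for this example, not any tool's real format.
SAMPLE_SCAN = """\
f12345778-1234-abcd-ef00-0123456789ac v1.0 TCP (49154) 203.0.113.10
906b0ce0-c70b-1067-b317-00dd010662da v1.0 TCP (49155) 203.0.113.10
12345778-1234-abcd-ef00-0123456789ac v1.0 TCP (49154) 203.0.113.10
"""
LINE_RE = re.compile(r"^(\S+)\s+v(\S+)\s+(\w+)\s+\((\d+)\)\s+(\S+)$")

def parse_ifid(token: str):
    """Canonical lower-case UUID, or None for a malformed token (e.g. the
    33-hex-digit value in the sample, which is not a UUID at all)."""
    try:
        return str(uuid.UUID(token))
    except ValueError:
        return None

def triage(scan_text: str):
    """Classify each endpoint. The UUID identifies the service, not its patch
    level: 'sensitive' means 'should not be exposed', not 'has CVE X'."""
    findings = []
    for line in scan_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip banners or blank lines
        ifid = parse_ifid(m.group(1))
        if ifid is None:
            name, exposure = None, "malformed-ifid"
        else:
            name, exposure = KNOWN_INTERFACES.get(ifid, ("unknown", "review"))
        findings.append({"ifid": ifid or m.group(1), "name": name, "exposure": exposure})
    return findings

def needs_perimeter_filter(findings) -> bool:
    """True if any sensitive interface is reachable from the scan vantage."""
    return any(f["exposure"] == "sensitive" for f in findings)
```

Run `triage(SAMPLE_SCAN)` to see the three classifications; a `needs_perimeter_filter` result of True is the cue to block TCP 135 and the RPC dynamic ports at the edge and re-scan to confirm.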