LinuxCommandLibrary

rpcdump.py

Dump information from RPC endpoints

TLDR

Dump RPC endpoints using username and password

$ rpcdump.py [domain]/[username]:[password]@[target]

Dump RPC endpoints using NTLM hashes (pass-the-hash; no password is supplied)

$ rpcdump.py -hashes [LMHASH]:[NTHASH] [domain]/[username]@[target]

Specify a target IP address explicitly (useful if the target name is a NetBIOS name)

$ rpcdump.py -target-ip [target_ip] [domain]/[username]:[password]@[target]

Connect to a specific port (default is 135, the RPC Endpoint Mapper)

$ rpcdump.py -port [port_number] [domain]/[username]:[password]@[target]

Enable debug output

$ rpcdump.py -debug [domain]/[username]:[password]@[target]

SYNOPSIS

rpcdump.py [options] target

PARAMETERS

-h
    Show help message and exit.

-d
    Dump the whole interface definition using the IDL parser.

-u username
    Username to authenticate with.

-p password
    Password to authenticate with.

-H domain
    Domain to authenticate with.

-hashes LM:NTLM
    NTLM hashes, format is LM:NTLM

-port port
    Port to connect to (default: 135)

-protocol protocol
    Protocol to use (ncacn_ip_tcp, ncadg_ip_udp, ncacn_np, etc.) (default: ncacn_ip_tcp)

-spn SPN
    Service Principal Name (SPN) to use for authentication.

-debug
    Enable debug output.

DESCRIPTION

rpcdump.py is a Python script for querying RPC (Remote Procedure Call) endpoints and extracting information from them. It targets Microsoft's MSRPC implementation and lets users enumerate the services, interfaces, and methods exposed by RPC servers, which is useful for vulnerability assessment, penetration testing, and understanding what functionality a networked application offers.

The script connects to the RPC endpoint mapper and queries the server for its registered interfaces and their associated UUIDs. It then attempts to resolve those UUIDs to meaningful names, such as service names or interface descriptions. rpcdump.py supports several authentication methods for interacting with secured RPC endpoints. By examining its output, security professionals can identify weaknesses in RPC server configurations, discover undocumented services, and assess the attack surface of a system.

CAVEATS

Requires Impacket library to be installed. Authentication may fail if the target system requires specific security settings or if incorrect credentials are provided. Some RPC endpoints may not be accessible without proper permissions.

AUTHENTICATION

rpcdump.py supports several authentication mechanisms, including username/password, NTLM hashes, and Kerberos. The choice of authentication method depends on the target system's configuration.

INTERPRETING THE OUTPUT

The output of rpcdump.py lists the RPC interfaces exposed by the target. Each interface is identified by a UUID. The script attempts to resolve these UUIDs to known names. Unresolved UUIDs may indicate custom or less common RPC services.
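As an added example (not part of this page or of Impacket itself), the following script parses rpcdump.py-style output into an inventory of exposed interfaces, merging duplicate UUIDs, flagging unresolved ones (printed as "Protocol: N/A") for follow-up, and listing which interfaces have a TCP binding. The sample output is constructed, and the Protocol/Provider/UUID/Bindings record layout is assumed to match what rpcdump.py prints.

```python
import re
from collections import defaultdict

# Constructed sample in rpcdump.py's record layout (not captured from a real host).
SAMPLE = r"""
Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
          ncacn_ip_tcp:192.0.2.10[49668]
          ncacn_np:\\HOST[\pipe\svcctl]

Protocol: N/A
Provider: N/A
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:192.0.2.10[49700]

Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
          ncalrpc:[OLE1234]
"""

def parse_rpcdump(text):
    """Parse rpcdump.py output into one dict per endpoint-mapper entry."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.startswith("Protocol:"):
            cur = {"protocol": line.split(":", 1)[1].strip(), "bindings": []}
            entries.append(cur)
        elif cur is None:
            continue  # ignore anything before the first record
        elif line.startswith("Provider:"):
            cur["provider"] = line.split(":", 1)[1].strip()
        elif line.startswith("UUID"):
            m = re.search(r"([0-9A-Fa-f-]{36})\s+v([\d.]+)", line)
            cur["uuid"], cur["version"] = m.group(1).upper(), m.group(2)
        elif line.startswith(" ") and line.strip():
            cur["bindings"].append(line.strip())  # indented lines under Bindings:
    return entries

def summarize(entries):
    """Collapse entries per UUID, merge bindings, and flag unresolved interfaces."""
    by_uuid = defaultdict(lambda: {"protocol": None, "bindings": set()})
    for e in entries:
        by_uuid[e["uuid"]]["protocol"] = e["protocol"]
        by_uuid[e["uuid"]]["bindings"].update(e["bindings"])
    return {
        "interfaces": len(by_uuid),
        "bindings": {u: len(r["bindings"]) for u, r in by_uuid.items()},
        "unresolved": sorted(u for u, r in by_uuid.items() if r["protocol"] == "N/A"),
        "tcp_reachable": sorted(u for u, r in by_uuid.items()
                                if any(b.startswith("ncacn_ip_tcp:") for b in r["bindings"])),
    }
```

Feeding saved rpcdump.py output through `summarize(parse_rpcdump(text))` gives a per-host baseline that can be diffed over time to spot newly registered or unknown interfaces.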

SEE ALSO

nmap(1), smbclient(1)
