rpcdump.py
Dump information from RPC endpoints
TLDR
Dump RPC endpoints using username and password
Dump RPC endpoints using NTLM hashes
Specify a target IP address explicitly (useful if the target name is a NetBIOS name)
Connect to a specific port (default is 135 for RPC Endpoint Mapper)
Enable debug output
SYNOPSIS
rpcdump.py [authentication options] <target>
rpcdump.py -h
PARAMETERS
target
The IP address or hostname of the remote system to query.
-port <destination port>
Specifies the destination TCP port to connect to. The default for RPC endpoint mapper is 135.
-rpc-user <username>
Specifies the username for authentication.
-rpc-pass <password>
Specifies the password for authentication. If not provided, it will be prompted interactively.
-rpc-domain <domain>
Specifies the domain for authentication (e.g., workgroup or FQDN).
-rpc-hash <LM:NT>
Specifies the NTLM hashes (LM and NT) for pass-the-hash authentication. Format: LM_HASH:NT_HASH.
-k
Uses Kerberos authentication. This requires a Kerberos ticket to be already present in the Kerberos ticket cache.
-no-pass
Don't ask for a password. Useful when combined with -k or when no password is required.
-rpc-auth-level <level>
Sets the RPC authentication level. Common levels include RPC_C_AUTHN_LEVEL_NONE, RPC_C_AUTHN_LEVEL_CONNECT, etc. Higher levels protect the RPC traffic itself: packet integrity checking, and at the highest level encryption of the payload.
-debug
Enables verbose debugging output for troubleshooting connection or protocol issues.
DESCRIPTION
rpcdump.py is a Python script, part of the widely used Impacket framework, designed to enumerate Remote Procedure Call (RPC) endpoints on a target host, typically a Microsoft Windows system. It connects to the target's RPC endpoint mapper (port 135 by default) and requests a list of registered RPC interfaces and services. This provides valuable information for network reconnaissance and security assessments, revealing what services are exposed via RPC on the machine. The script supports various authentication methods, including anonymous access, username/password, NTLM hashes, and Kerberos, allowing it to adapt to different network environments and security configurations. It's a key tool for understanding the RPC attack surface of a system.
CAVEATS
rpcdump.py is primarily designed to target Microsoft Windows systems, as it relies on specific Microsoft RPC protocols. Its effectiveness depends on network connectivity to the target's RPC endpoint mapper (typically TCP port 135) and the absence of blocking firewalls. For comprehensive results, especially on modern systems, authenticated access might be required, as many valuable RPC services are not anonymously accessible. The script requires the Impacket Python library to be installed on the system where it is run.
RPC ENDPOINT MAPPER
The RPC Endpoint Mapper (often listening on TCP port 135) is a service that helps RPC clients find RPC servers. When an RPC server starts, it registers its interfaces and endpoints with the endpoint mapper. rpcdump.py queries this service to discover what RPC services are available and on which ports they are listening. An interface on a dynamic TCP port is reported with the port it currently holds; whether that port is reachable from the querying host still depends on host and network firewall rules, so the listing describes what is registered, not necessarily what is exposed.
USE IN PENETRATION TESTING
rpcdump.py is frequently used in the reconnaissance phase of penetration tests to identify potential attack vectors. By revealing the RPC services available on a target, it helps attackers or security auditors understand the system's attack surface and identify services that might be vulnerable to exploits or misconfigurations.
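The following is an added example for the defender's side of this work; it is not part of Impacket or of rpcdump.py itself. It parses the record layout rpcdump.py prints (Protocol, Provider, UUID and Bindings lines, bindings indented, records separated by a blank line) into structured records and summarises which interfaces are reachable over ncacn_ip_tcp, which is the list a firewall or baseline review needs. The SAMPLE_OUTPUT text is constructed: the host name, address and port numbers are illustrative, and the third record's UUID is a placeholder.

```python
"""Inventory RPC interfaces from rpcdump.py output (added example, not Impacket code).

Assumes the record layout rpcdump.py prints; SAMPLE_OUTPUT is a constructed
sample whose host name, address and ports are illustrative only.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the rpcdump.py layout. The first two UUIDs are the
# well-known spoolss and svcctl interface ids; the third is a placeholder.
SAMPLE_OUTPUT = """\
Protocol: [MS-RPRN]: Print System Remote Protocol 
Provider: spoolsv.exe 
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings: 
          ncacn_ip_tcp:192.0.2.10[49668]
          ncacn_np:\\\\WS01[\\pipe\\spoolss]
          ncalrpc:[spoolss]

Protocol: N/A 
Provider: N/A 
UUID    : AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE v1.0
Bindings: 
          ncalrpc:[LocalOnlyExample]

Protocol: [MS-SCMR]: Service Control Manager Remote Protocol 
Provider: services.exe 
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings: 
          ncacn_ip_tcp:192.0.2.10[49669]
          ncacn_np:\\\\WS01[\\pipe\\svcctl]
"""

UUID_RE = re.compile(r"UUID\s*:\s*([0-9A-Fa-f-]{36})\s+v([\d.]+)")
TCP_RE = re.compile(r"ncacn_ip_tcp:[^\[]+\[(\d+)\]")


@dataclass
class RpcInterface:
    protocol: str
    provider: str
    uuid: str = ""
    version: str = ""
    bindings: list = field(default_factory=list)

    def tcp_ports(self):
        """Ports this interface listens on over TCP, i.e. reachable without SMB."""
        return [int(m.group(1)) for b in self.bindings if (m := TCP_RE.match(b))]

    def has_named_pipe(self):
        """True if the interface is also reachable over SMB named pipes (ncacn_np)."""
        return any(b.startswith("ncacn_np:") for b in self.bindings)


def parse_rpcdump(text):
    """Turn rpcdump.py text output into a list of RpcInterface records."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("Protocol:"):
            current = RpcInterface(protocol=line.split(":", 1)[1].strip(), provider="")
            records.append(current)
        elif current is None:
            continue  # ignore anything before the first record
        elif line.startswith("Provider:"):
            current.provider = line.split(":", 1)[1].strip()
        elif line.startswith("UUID"):
            m = UUID_RE.match(line)
            if m:
                current.uuid, current.version = m.group(1).upper(), m.group(2)
        elif line.startswith("Bindings:"):
            continue
        elif line.startswith(" "):
            current.bindings.append(line.strip())  # indented lines are bindings
    return records


def network_exposure(records):
    """(port, uuid, protocol, provider) for every TCP-reachable interface, sorted by port."""
    rows = [(p, r.uuid, r.protocol, r.provider) for r in records for p in r.tcp_ports()]
    return sorted(rows)


def find_by_uuid(records, uuid):
    """Look up interfaces by UUID, e.g. to check a baseline of expected services."""
    return [r for r in records if r.uuid == uuid.upper()]


if __name__ == "__main__":
    recs = parse_rpcdump(SAMPLE_OUTPUT)
    for port, uuid, proto, prov in network_exposure(recs):
        print(f"tcp/{port:<6} {uuid}  {proto}  ({prov})")
```

Run against a saved rpcdump.py capture, the TCP exposure table is what to compare with the host firewall policy: an interface that appears only with ncalrpc bindings is local-only, one with ncacn_np needs SMB access, and the ncacn_ip_tcp rows are the dynamic ports that must be either allowed or blocked deliberately.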
HISTORY
rpcdump.py is an integral part of the Impacket library, a collection of Python classes and scripts for working with network protocols. Developed initially by SecureAuth Corp (now part of Fortra), Impacket gained prominence in the cybersecurity community for its robust implementation of various network protocols, making it an essential tool for penetration testing, red teaming, and security research. The rpcdump.py script specifically addresses the need for detailed RPC service enumeration, evolving with the Impacket framework to support new authentication methods and protocol specifics over time.
SEE ALSO
nmap(1), enum4linux(1), rpcinfo(8), smbclient(1)