
rpcmap.py

Query RPC bind information on a host

TLDR

Connect to an MSRPC interface using a string binding (e.g., ncacn_ip_tcp:host[port])

$ rpcmap.py [stringbinding]

Bruteforce UUIDs even if the MGMT interface is available
$ rpcmap.py -brute-uuids [stringbinding]

Bruteforce operation numbers (opnums) for discovered UUIDs
$ rpcmap.py -brute-opnums [stringbinding]

Bruteforce major versions of found UUIDs
$ rpcmap.py -brute-versions [stringbinding]

Specify a target IP address manually
$ rpcmap.py -target-ip [ip_address] [stringbinding]

Authenticate to the RPC interface with username and password
$ rpcmap.py -auth-rpc [domain]/[username]:[password] [stringbinding]

Authenticate using NTLM hashes for RPC
$ rpcmap.py -hashes-rpc [LMHASH:NTHASH] [stringbinding]

Enable debug output for verbose information
$ rpcmap.py -debug [stringbinding]

SYNOPSIS

rpcmap.py [options] <target>

Example: rpcmap.py -u DOMAIN\\username -p password 192.168.1.100

PARAMETERS

-h, --help
    Shows the program's help message and exits.

-debug
    Turns on debug output, providing more detailed information during execution.

-v
    Enables verbose output, displaying more details about discovered RPC interfaces.

-nrpc
    Instructs the tool to not use RPC over SMB; attempts RPC over TCP instead.

-k
    Uses Kerberos authentication instead of NTLM. Requires KDC and ticket setup.

-dc-ip
    Specifies the IP address of the Domain Controller for Kerberos authentication.

-domain
    Specifies the domain name to authenticate against.

-username
    Provides the username for authentication.

-password
    Provides the password for authentication.

-hashes
    Provides LM:NT hash for authentication (e.g., 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0').

-port
    Specifies the TCP port to connect to on the target (default is 135 for MSRPC).

DESCRIPTION

rpcmap.py is a Python script included in the popular Impacket library, designed for security professionals and system administrators to enumerate Remote Procedure Call (RPC) endpoints on remote Windows systems. It specifically targets Microsoft RPC (MSRPC) services, which are fundamental to how Windows components and applications communicate across a network. The tool connects to the RPC Endpoint Mapper (typically on TCP port 135) of a target host and queries for registered RPC interfaces.

By leveraging rpcmap.py, users can discover what RPC interfaces are available, their Universal Unique Identifiers (UUIDs), version numbers, and the network protocols (e.g., TCP, Named Pipes, SMB) they use to communicate. This information is crucial for network reconnaissance, identifying potential attack surfaces, and understanding the services running on a target system. It helps in assessing the security posture of a network by revealing active services that might be vulnerable or misconfigured, providing a valuable starting point for further penetration testing or security auditing.

CAVEATS

Requires the Python Impacket library to be installed on the system.
Primarily designed for enumerating Microsoft RPC (MSRPC) services on Windows operating systems. It is not suitable for Sun RPC (ONC RPC) services commonly found on Unix/Linux.
Network connectivity to TCP port 135 (and potentially other dynamic RPC ports) on the target is necessary, and firewall rules might block access.
Executing rpcmap.py may generate network traffic patterns that could be detected by network intrusion detection systems (NIDS).
Full enumeration of all RPC services might require valid domain or local administrative credentials on the target host.

TYPICAL OUTPUT

The output of rpcmap.py typically lists discovered RPC interfaces with their UUIDs (Universal Unique Identifiers), version numbers, and the endpoint protocols (e.g., ncacn_np for named pipes, ncacn_ip_tcp for TCP). For example:

    UUID: 12345678-1234-ABCD-EF00-0123456789AB, Version: 1.0
        Protocol: ncacn_np, Endpoint: \\PIPE\\epmapper
        Protocol: ncacn_ip_tcp, Endpoint: [135]

This information helps identify the specific services and their reachable endpoints on the target.
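An added example, not part of this page or of Impacket, that turns output in the line format shown above into structured records so a scan can be compared against an approved baseline of interfaces and listening ports; the sample text and its UUIDs are constructed, not real rpcmap.py output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the TYPICAL OUTPUT line format; placeholder UUIDs, not real rpcmap.py output.
SAMPLE = r"""UUID: 12345678-1234-ABCD-EF00-0123456789AB, Version: 1.0
    Protocol: ncacn_np, Endpoint: \PIPE\epmapper
    Protocol: ncacn_ip_tcp, Endpoint: [135]
UUID: 99999999-0000-0000-0000-000000000000, Version: 2.0
    Protocol: ncacn_ip_tcp, Endpoint: [49152]
"""

UUID_RE = re.compile(r"^UUID:\s*([0-9A-Fa-f-]{36}),\s*Version:\s*(\d+\.\d+)\s*$")
EP_RE = re.compile(r"^\s+Protocol:\s*(\w+),\s*Endpoint:\s*(\S+)\s*$")

@dataclass
class Interface:
    uuid: str
    version: str
    endpoints: list = field(default_factory=list)  # (protocol, endpoint) pairs

def parse_rpcmap(text):
    """Group each 'UUID: ..., Version: ...' header with its indented endpoint lines."""
    interfaces, current = [], None
    for line in text.splitlines():
        m = UUID_RE.match(line)
        if m:
            current = Interface(m.group(1).lower(), m.group(2))
            interfaces.append(current)
            continue
        m = EP_RE.match(line)
        if m:
            if current is None:
                raise ValueError("endpoint line before any UUID header: %r" % line)
            current.endpoints.append((m.group(1), m.group(2)))
        # Lines matching neither pattern (banners, blanks, warnings) are skipped.
    return interfaces

def tcp_ports(interfaces):
    """Sorted, de-duplicated ports from ncacn_ip_tcp endpoints written as '[port]'."""
    ports = set()
    for iface in interfaces:
        for proto, ep in iface.endpoints:
            if proto == "ncacn_ip_tcp" and ep.startswith("[") and ep.endswith("]"):
                ports.add(int(ep[1:-1]))
    return sorted(ports)

def unknown_interfaces(interfaces, baseline_uuids):
    """UUIDs seen in the scan but absent from an approved baseline (case-insensitive)."""
    baseline = {u.lower() for u in baseline_uuids}
    return [i.uuid for i in interfaces if i.uuid not in baseline]
```

Feeding a saved scan into parse_rpcmap and diffing unknown_interfaces and tcp_ports against the previous run is a quick way to spot newly exposed interfaces or dynamic ports on a host.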

USE CASES

rpcmap.py is frequently used in penetration testing and vulnerability assessment to:
1. Identify available MSRPC services that might expose vulnerabilities.
2. Discover undocumented or custom RPC interfaces running on a target.
3. Map the attack surface by understanding how services are exposed (e.g., over named pipes, TCP).
4. Aid in crafting targeted exploits or further enumeration efforts by revealing service details.

HISTORY

rpcmap.py is a component of the open-source Impacket library, which was originally developed by SecureAuth Corp. (now part of Core Security) and is actively maintained by the community. Impacket is a collection of Python classes for programmatic access to network protocols, particularly those used in Windows environments (e.g., SMB, MSRPC, DCE/RPC, Kerberos). rpcmap.py emerged as a dedicated tool within this framework to address the specific need for robust and programmatic RPC endpoint enumeration, a common task in network security assessments and penetration testing. Its development has mirrored the evolving landscape of Windows network protocols and security practices.

SEE ALSO

rpcclient(1): A command-line tool from the Samba suite used to administer Samba servers and interact with Windows RPC services.
nmap(1): A powerful network scanner; it can perform RPC enumeration using NSE (Nmap Scripting Engine) scripts such as rpcinfo or msrpc-enum.
rpcinfo(8): A command for making RPC calls to an RPC server, primarily used for Sun RPC (ONC RPC) services on Unix-like systems, distinct from the MSRPC services rpcmap.py targets.
