src/network-services-pentesting/135-pentesting-msrpc.md
Lines changed: 63 additions & 5 deletions
@@ -89,6 +89,68 @@ It is possible to execute remote code on a machine, if the credentials of a vali
89
89
90
90
The **rpcdump.exe** from [rpctools](https://resources.oreilly.com/examples/9780596510305/tree/master/tools/rpctools) can interact with this port.
91
91
92
+
## Automated Fuzzing of MSRPC Interfaces
93
+
94
+
MS-RPC interfaces expose a large and often undocumented attack surface. The open-source [MS-RPC-Fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer) PowerShell module builds on James Forshaw’s `NtObjectManager` to *dynamically* create RPC client stubs from the interface metadata that is already present in Windows binaries. Once a stub exists the module can bombard each procedure with mutated inputs and log the outcome, making **reproducible, large-scale fuzzing of RPC endpoints possible without writing a single line of IDL**.
# Or crawl the whole %SystemRoot%\System32 directory
106
+
Get-RpcServerData -OutPath .\output
107
+
```
108
+
109
+
`Get-RpcServerData` will extract the UUID, version, binding strings (named-pipe / TCP / HTTP) and **full procedure prototypes** for every interface it encounters and store them in `rpcServerData.json`.
110
+
111
+
### 2. Run the fuzzer
112
+
113
+
```powershell
114
+
'.\output\rpcServerData.json' |
115
+
Invoke-RpcFuzzer -OutPath .\output `
116
+
-MinStrLen 100 -MaxStrLen 1000 `
117
+
-MinIntSize 9999 -MaxIntSize 99999
118
+
```
119
+
120
+
Relevant options:
121
+
122
+
*`-MinStrLen` / `-MaxStrLen` – size range for generated strings
123
+
*`-MinIntSize` / `-MaxIntSize` – value range for mutated integers (useful for overflow testing)
124
+
*`-Sorted` – execute procedures in an order that honours **parameter dependencies** so that outputs of one call can serve as inputs of the next (dramatically increases reachable paths)
125
+
126
+
The fuzzer implements 2 strategies:
127
+
128
+
1.**Default fuzzer** – random primitive values + default instances for complex types
129
+
2.**Sorted fuzzer** – dependency-aware ordering (see `docs/Procedure dependency design.md`)
130
+
131
+
Every call is written atomically to `log.txt`; after a crash the **last line immediately tells you the offending procedure**. The result of each call is also categorised into three JSON files:
132
+
133
+
*`allowed.json` – call succeeded and returned data
134
+
*`denied.json` – server responded with *Access Denied*
PowerShell guru **James Forshaw** exposed most of the Windows RPC internals inside the open–source *NtObjectManager* module. Using it you can turn any RPC server DLL / EXE into a **fully-featured client stub** in seconds – no IDL, MIDL or manual unmarshalling required.
Authentication (Kerberos / NTLM) and encryption levels (`PacketIntegrity`, `PacketPrivacy`, …) can be supplied directly via the `Connect-RpcClient` cmdlet – ideal for **bypassing Security Descriptors** that protect high-privilege named pipes.
139
201
140
-
---
141
-
142
202
### Context-Aware RPC Fuzzing (MS-RPC-Fuzzer)
143
203
144
204
Static interface knowledge is great, but what you really want is **coverage-guided fuzzing** that understands *context handles* and complex parameter chains. The open-source **MS-RPC-Fuzzer** project automates exactly that workflow:
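Review bot: the bullets under "Relevant options:" and the numbered strategy list will not render as lists, because there is no space after the list marker (lines such as ``*`-MinStrLen` / `-MaxStrLen` – size range for generated strings`` and `1.**Default fuzzer** – random primitive values + default instances for complex types`); insert a space after each `*` and after `1.` / `2.` so Markdown produces bullet and numbered items instead of stray asterisks and run-on text. Separately, the added `## Automated Fuzzing of MSRPC Interfaces` section introduces MS-RPC-Fuzzer a second time while the existing `### Context-Aware RPC Fuzzing (MS-RPC-Fuzzer)` section stays in the file just below it at a different heading level; merging the two into one section at one heading level would avoid describing the same tool and workflow twice.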
@@ -163,18 +223,16 @@ A single out-of-bounds write or unexpected exception will be surfaced immediatel
163
223
164
224
> ⚠️ Many RPC services execute in processes running as **NT AUTHORITY\SYSTEM**. Any memory-safety issue here usually translates to local privilege escalation or (when exposed over SMB/135) *remote code execution*.
165
225
166
-
---
167
226
168
227
## References
169
228
170
229
-[Automating MS-RPC vulnerability research (2025, Incendium.rocks)](https://www.incendium.rocks/posts/Automating-MS-RPC-Vulnerability-Research/)
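Review bot: deleting the Incendium.rocks entry removes the only external source listed for the MS-RPC-Fuzzer material, while this same commit expands that material above and cites only the GitHub repository; keep `[Automating MS-RPC vulnerability research (2025, Incendium.rocks)](https://www.incendium.rocks/posts/Automating-MS-RPC-Vulnerability-Research/)` under `## References` (or move it into the new fuzzing section) so the described workflow stays attributed. Removing the `---` separator before `## References` is consistent with the separator deleted in the hunk above, but the remaining sections of the file should be checked so the page does not end up mixing separated and unseparated headings.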