From c12fffb595b91952df410af5190acfd3fa87704f Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 15 Jul 2025 18:31:32 +0000 Subject: [PATCH] Add content from: MS-RPC Fuzzer --- .../135-pentesting-msrpc.md | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/src/network-services-pentesting/135-pentesting-msrpc.md b/src/network-services-pentesting/135-pentesting-msrpc.md index 8e58a3f7dc0..12351c91e6a 100644 --- a/src/network-services-pentesting/135-pentesting-msrpc.md +++ b/src/network-services-pentesting/135-pentesting-msrpc.md @@ -89,11 +89,73 @@ It is possible to execute remote code on a machine, if the credentials of a vali The **rpcdump.exe** from [rpctools](https://resources.oreilly.com/examples/9780596510305/tree/master/tools/rpctools) can interact with this port. +## Automated Fuzzing of MSRPC Interfaces + +MS-RPC interfaces expose a large and often undocumented attack surface. The open-source [MS-RPC-Fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer) PowerShell module builds on James Forshaw’s `NtObjectManager` to *dynamically* create RPC client stubs from the interface metadata that is already present in Windows binaries. Once a stub exists the module can bombard each procedure with mutated inputs and log the outcome, making **reproducible, large-scale fuzzing of RPC endpoints possible without writing a single line of IDL**. + +### 1. Inventory the interfaces + +```powershell +# Import the module (download / git clone first) +Import-Module .\MS-RPC-Fuzzer.psm1 + +# Parse a single binary +Get-RpcServerData -Target "C:\Windows\System32\efssvc.dll" -OutPath .\output + +# Or crawl the whole %SystemRoot%\System32 directory +Get-RpcServerData -OutPath .\output +``` + +`Get-RpcServerData` will extract the UUID, version, binding strings (named-pipe / TCP / HTTP) and **full procedure prototypes** for every interface it encounters and store them in `rpcServerData.json`. + +### 2. Run the fuzzer + +```powershell +'.\output\rpcServerData.json' | + Invoke-RpcFuzzer -OutPath .\output ` + -MinStrLen 100 -MaxStrLen 1000 ` + -MinIntSize 9999 -MaxIntSize 99999 +``` + +Relevant options: + +* `-MinStrLen` / `-MaxStrLen` – size range for generated strings +* `-MinIntSize` / `-MaxIntSize` – value range for mutated integers (useful for overflow testing) +* `-Sorted` – execute procedures in an order that honours **parameter dependencies** so that outputs of one call can serve as inputs of the next (dramatically increases reachable paths) + +The fuzzer implements 2 strategies: + +1. **Default fuzzer** – random primitive values + default instances for complex types +2. **Sorted fuzzer** – dependency-aware ordering (see `docs/Procedure dependency design.md`) + +Every call is written atomically to `log.txt`; after a crash the **last line immediately tells you the offending procedure**. The result of each call is also categorised into three JSON files: + +* `allowed.json` – call succeeded and returned data +* `denied.json` – server responded with *Access Denied* +* `error.json` – any other error / crash + +### 3. Visualise with Neo4j + +```powershell +'.\output\allowed.json' | + Import-DataToNeo4j -Neo4jHost 192.168.56.10:7474 -Neo4jUsername neo4j +``` + +`Import-DataToNeo4j` converts the JSON artefacts into a graph structure where: + +* RPC servers, interfaces and procedures are **nodes** +* Interactions (`ALLOWED`, `DENIED`, `ERROR`) are **relationships** + +Cypher queries can then be used to quickly spot dangerous procedures or to replay the exact chain of calls that preceded a crash. + +⚠️ The fuzzer is *destructive*: expect service crashes and even BSODs – always run it in an isolated VM snapshot. + ## References - [https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/](https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/) - [https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/](https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/) - [https://0xffsec.com/handbook/services/msrpc/](https://0xffsec.com/handbook/services/msrpc/) +- [MS-RPC-Fuzzer (GitHub)](https://github.com/warpnet/MS-RPC-Fuzzer) {{#include ../banners/hacktricks-training.md}}