nmap / Aleksandar Nikolic / NMAP:MSRPC-ENUM.NSE

msrpc-enum NSE Script

2012-08-31 10:00:54
Aleksandar Nikolic
nmap.org

CVSS3: 9.8 High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
(Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality, Integrity and Availability Impact: HIGH)

CVSS2: 10 High
AV:N/AC:L/Au:N/C:C/I:C/A:C
(Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality, Integrity and Availability Impact: COMPLETE)

EPSS: 0.973 High (Percentile 99.8%)

Queries an MSRPC endpoint mapper for a list of mapped services and displays the gathered information.

Because it uses the smb library, you can optionally supply a username and password.

The script works much like Microsoft's rpcdump tool or the dcedump tool from the SPIKE fuzzer.

Script Arguments

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap <target> --script=msrpc-enum

Script Output

PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack

Host script results:
| msrpc-enum:
|
|     uuid: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5
|     annotation: DHCP Client LRPC Endpoint
|     ncalrpc: dhcpcsvc
|
|     uuid: 12345678-1234-abcd-ef00-0123456789ab
|     annotation: IPSec Policy agent endpoint
|     ncalrpc: audit
|
|     uuid: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5
|     ip_addr: 0.0.0.0
|     annotation: DHCP Client LRPC Endpoint
|     tcp_port: 49153
|
<snip>
|
|     uuid: 12345678-1234-abcd-ef00-0123456789ab
|     annotation: IPSec Policy agent endpoint
|     ncalrpc: securityevent
|
|     uuid: 12345678-1234-abcd-ef00-0123456789ab
|     annotation: IPSec Policy agent endpoint
|_    ncalrpc: protected_storage

Requires

msrpc, smb, stdnse, table

local msrpc = require "msrpc"
local smb = require "smb"
local stdnse = require "stdnse"
local table = require "table"

description = [[
Queries an MSRPC endpoint mapper for a list of mapped
services and displays the gathered information.

As it is using smb library, you can specify optional
username and password to use.

Script works much like Microsoft's rpcdump tool
or dcedump tool from SPIKE fuzzer.
]]
---
-- @usage nmap <target> --script=msrpc-enum
--
-- @output
-- PORT    STATE SERVICE      REASON
-- 445/tcp open  microsoft-ds syn-ack
--
-- Host script results:
-- | msrpc-enum:
-- |
-- |     uuid: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5
-- |     annotation: DHCP Client LRPC Endpoint
-- |     ncalrpc: dhcpcsvc
-- |
-- |     uuid: 12345678-1234-abcd-ef00-0123456789ab
-- |     annotation: IPSec Policy agent endpoint
-- |     ncalrpc: audit
-- |
-- |     uuid: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5
-- |     ip_addr: 0.0.0.0
-- |     annotation: DHCP Client LRPC Endpoint
-- |     tcp_port: 49153
-- |
-- <snip>
-- |
-- |     uuid: 12345678-1234-abcd-ef00-0123456789ab
-- |     annotation: IPSec Policy agent endpoint
-- |     ncalrpc: securityevent
-- |
-- |     uuid: 12345678-1234-abcd-ef00-0123456789ab
-- |     annotation: IPSec Policy agent endpoint
-- |_    ncalrpc: protected_storage
--
-- @xmloutput
-- -snip-
-- <table>
-- <elem key="uuid">c100beab-d33a-4a4b-bf23-bbef4663d017</elem>
-- <elem key="annotation">wcncsvc.wcnprpc</elem>
-- <elem key="ncalrpc">wcncsvc.wcnprpc</elem>
-- </table>
-- <table>
-- <elem key="uuid">6b5bdd1e-528c-422c-af8c-a4079be4fe48</elem>
-- <elem key="annotation">Remote Fw APIs</elem>
-- <elem key="tcp_port">49158</elem>
-- <elem key="ip_addr">0.0.0.0</elem>
-- </table>
-- <table>
-- <elem key="uuid">12345678-1234-abcd-ef00-0123456789ab</elem>
-- <elem key="annotation">IPSec Policy agent endpoint</elem>
-- <elem key="tcp_port">49158</elem>
-- <elem key="ip_addr">0.0.0.0</elem>
-- </table>
-- -snip-

author = "Aleksandar Nikolic"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe","discovery"}

hostrule = function(host)
  return smb.get_port(host) ~= nil
end

action = function(host,port)
  local status, smbstate
  status, smbstate = msrpc.start_smb(host,msrpc.EPMAPPER_PATH,true)
  if(status == false) then
    stdnse.debug1("SMB: " .. smbstate)
    return false, smbstate
  end
  local bind_result,epresult -- bind to endpoint mapper service
  status, bind_result = msrpc.bind(smbstate,msrpc.EPMAPPER_UUID, msrpc.EPMAPPER_VERSION, nil)
  if(status == false) then
    msrpc.stop_smb(smbstate)
    stdnse.debug1("SMB: " .. bind_result)
    return false, bind_result
  end
  local results = {}
  status, epresult = msrpc.epmapper_lookup(smbstate,nil) -- get the initial handle
  if not status then
    msrpc.stop_smb(smbstate) -- release the SMB session on this error path too
    stdnse.debug1("SMB: " .. epresult)
    return false, epresult
  end
  local handle = epresult.new_handle
  epresult.new_handle = nil
  table.insert(results,epresult)

  -- get next result until there are no more; the lookup returns a failed
  -- status once the mapper has no further entries for this handle
  while true do
    status, epresult = msrpc.epmapper_lookup(smbstate,handle)
    if not status then
      break
    end
    epresult.new_handle = nil
    table.insert(results,epresult)
  end
  msrpc.stop_smb(smbstate) -- close the SMB session now that enumeration is done
  return results
end
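The script prints every endpoint mapper entry, but for an assessment the useful by-product is the list of dynamic TCP ports that RPC interfaces are actually bound to on the target. The following is an added example, not part of the msrpc-enum script or of Nmap: it post-processes an nmap -oX result in the layout the script's @xmloutput block documents (one <table> per endpoint with <elem key="uuid|annotation|ncalrpc|tcp_port|ip_addr"> children under <hostscript><script id="msrpc-enum">), drops the ncalrpc bindings (local LPC endpoints, not reachable over the network), substitutes the scanned host address for a 0.0.0.0 bind, and emits a per-host port list for a follow-up scan. The sample XML is constructed from the endpoints shown on this page; the host address and the function names are assumptions of this example.

```python
"""Post-process msrpc-enum results from nmap -oX output (added example)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: a trimmed nmap -oX document for one host, using the
# endpoints listed on this page and a made-up target address (192.0.2.10).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><status state="up"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
<hostscript>
<script id="msrpc-enum" output="...">
<table>
<elem key="uuid">3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5</elem>
<elem key="annotation">DHCP Client LRPC Endpoint</elem>
<elem key="ncalrpc">dhcpcsvc</elem>
</table>
<table>
<elem key="uuid">3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5</elem>
<elem key="ip_addr">0.0.0.0</elem>
<elem key="annotation">DHCP Client LRPC Endpoint</elem>
<elem key="tcp_port">49153</elem>
</table>
<table>
<elem key="uuid">6b5bdd1e-528c-422c-af8c-a4079be4fe48</elem>
<elem key="annotation">Remote Fw APIs</elem>
<elem key="tcp_port">49158</elem>
<elem key="ip_addr">0.0.0.0</elem>
</table>
<table>
<elem key="uuid">12345678-1234-abcd-ef00-0123456789ab</elem>
<elem key="annotation">IPSec Policy agent endpoint</elem>
<elem key="tcp_port">49158</elem>
<elem key="ip_addr">0.0.0.0</elem>
</table>
<table>
<elem key="uuid">12345678-1234-abcd-ef00-0123456789ab</elem>
<elem key="annotation">IPSec Policy agent endpoint</elem>
<elem key="ncalrpc">protected_storage</elem>
</table>
</script>
</hostscript>
</host>
</nmaprun>
"""


def parse_msrpc_enum(xml_text):
    """Return {host_addr: [endpoint dict, ...]} for every msrpc-enum result."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for script in host.iter("script"):
            if script.get("id") != "msrpc-enum":
                continue
            # Each <table> is one endpoint; its <elem> children are key/value pairs.
            endpoints = [{e.get("key"): (e.text or "") for e in t.findall("elem")}
                         for t in script.findall("table")]
            results[addr] = endpoints
    return results


def network_targets(results):
    """Collapse endpoints to remotely reachable (host, port) -> {annotation,...}.

    ncalrpc entries are local LPC bindings and are skipped. A tcp_port bound to
    0.0.0.0 listens on every interface, so the scanned host address is used.
    """
    targets = defaultdict(set)
    for host, endpoints in results.items():
        for ep in endpoints:
            port = ep.get("tcp_port")
            if not port:
                continue
            ip = ep.get("ip_addr", "0.0.0.0")
            if ip == "0.0.0.0":
                ip = host
            targets[(ip, int(port))].add(ep.get("annotation") or ep.get("uuid", "?"))
    return dict(targets)


def followup_port_spec(targets):
    """Build a per-host comma-separated port list usable as an nmap -p argument."""
    ports = defaultdict(set)
    for host, port in targets:
        ports[host].add(port)
    return {h: ",".join(str(p) for p in sorted(ps)) for h, ps in ports.items()}


if __name__ == "__main__":
    found = network_targets(parse_msrpc_enum(SAMPLE_XML))
    for (ip, port), labels in sorted(found.items()):
        print(f"{ip}:{port}  {', '.join(sorted(labels))}")
    for host, spec in followup_port_spec(found).items():
        print(f"nmap -p {spec} {host}")
```

Run it against a real scan with `nmap -p445 --script=msrpc-enum -oX scan.xml <target>` and feed scan.xml to parse_msrpc_enum. Note that several interfaces can share one dynamic port (the firewall and IPsec interfaces both sit on 49158 in the sample), which is why the annotations are collected as a set per port rather than one label per entry.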

