CVSS3: 9.8 High
  Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
  Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.973 High (Percentile: 99.8%)
Queries an MSRPC endpoint mapper for a list of mapped services and displays the gathered information.
Because it uses the smb library, you can specify an optional username and password to use.
The script works much like Microsoft's rpcdump tool or the dcedump tool from the SPIKE fuzzer.
See the documentation for the smb library.
See the documentation for the smbauth library.
nmap <target> --script=msrpc-enum
```
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack

Host script results:
| msrpc-enum:
|
|   uuid: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5
|   annotation: DHCP Client LRPC Endpoint
|   ncalrpc: dhcpcsvc
|
|   uuid: 12345678-1234-abcd-ef00-0123456789ab
|   annotation: IPSec Policy agent endpoint
|   ncalrpc: audit
|
|   uuid: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5
|   ip_addr: 0.0.0.0
|   annotation: DHCP Client LRPC Endpoint
|   tcp_port: 49153
|
<snip>
|
|   uuid: 12345678-1234-abcd-ef00-0123456789ab
|   annotation: IPSec Policy agent endpoint
|   ncalrpc: securityevent
|
|   uuid: 12345678-1234-abcd-ef00-0123456789ab
|   annotation: IPSec Policy agent endpoint
|_  ncalrpc: protected_storage
```
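The normal-output format above is what most people actually consume, so here is an added example (not part of the msrpc-enum script or of Nmap) that parses that block into endpoint records and separates interfaces the endpoint mapper advertises over TCP from those bound only to local ncalrpc names. The sample text is constructed from the page's example output with the snipped section left out; the function and variable names are this example's own.

```python
"""Parse Nmap msrpc-enum host-script output into endpoint records.

Added example, not part of msrpc-enum or Nmap. It reads the normal-output
format shown above and separates endpoints reachable over TCP from those
bound only to local ncalrpc names, which is the split a defender wants when
reviewing what a host's endpoint mapper advertises.
"""
import re
from collections import defaultdict

# Constructed sample: the host-script block from the page's example output,
# with the snipped middle section omitted.
SAMPLE_OUTPUT = """\
Host script results:
| msrpc-enum:
|
|   uuid: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5
|   annotation: DHCP Client LRPC Endpoint
|   ncalrpc: dhcpcsvc
|
|   uuid: 12345678-1234-abcd-ef00-0123456789ab
|   annotation: IPSec Policy agent endpoint
|   ncalrpc: audit
|
|   uuid: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5
|   ip_addr: 0.0.0.0
|   annotation: DHCP Client LRPC Endpoint
|   tcp_port: 49153
|
|   uuid: 12345678-1234-abcd-ef00-0123456789ab
|   annotation: IPSec Policy agent endpoint
|_  ncalrpc: protected_storage
"""

# A script-output line: '|' or '|_' prefix, then an optional 'key: value'.
_LINE = re.compile(r"^\|_?\s*(?:(\w+):\s*(.*))?$")


def parse_msrpc_enum(text):
    """Return a list of endpoint dicts from msrpc-enum normal output.

    Records are separated by bare '|' lines; the '|_' prefix marks the last
    line of the script block. Text outside the msrpc-enum block is ignored.
    """
    endpoints, current, in_block = [], {}, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("| msrpc-enum:"):
            in_block = True
            continue
        if not in_block:
            continue
        m = _LINE.match(line)
        if not m:
            break  # a line that is not script output: block has ended
        key, value = m.group(1), m.group(2)
        if key is None:  # separator line between records
            if current:
                endpoints.append(current)
                current = {}
            continue
        current[key] = value.strip()
        if line.startswith("|_"):
            break  # last line of the script block
    if current:
        endpoints.append(current)
    return endpoints


def classify(endpoints):
    """Split endpoints into TCP-exposed (have tcp_port) and local-only."""
    network = [e for e in endpoints if "tcp_port" in e]
    local = [e for e in endpoints if "tcp_port" not in e]
    return network, local


def by_uuid(endpoints):
    """Group endpoint bindings by interface UUID."""
    groups = defaultdict(list)
    for e in endpoints:
        groups[e.get("uuid", "?")].append(e)
    return dict(groups)


if __name__ == "__main__":
    eps = parse_msrpc_enum(SAMPLE_OUTPUT)
    net, loc = classify(eps)
    for e in net:
        print(f"TCP     {e['ip_addr']}:{e['tcp_port']:<6} {e['uuid']}  {e.get('annotation', '')}")
    for e in loc:
        print(f"ncalrpc {e['ncalrpc']:<20} {e['uuid']}  {e.get('annotation', '')}")
```

The TCP-bound entries are the ones worth reviewing against host firewall rules, since an interface registered with ip_addr 0.0.0.0 and a dynamic port is what a remote client can actually bind to; ncalrpc entries are reachable only from the host itself.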
```lua
local msrpc = require "msrpc"
local smb = require "smb"
local stdnse = require "stdnse"
local table = require "table"

description = [[
Queries an MSRPC endpoint mapper for a list of mapped
services and displays the gathered information.

As it is using smb library, you can specify optional
username and password to use.

Script works much like Microsoft's rpcdump tool
or dcedump tool from SPIKE fuzzer.
]]

---
-- @usage nmap <target> --script=msrpc-enum
--
-- @output
-- PORT    STATE SERVICE      REASON
-- 445/tcp open  microsoft-ds syn-ack
--
-- Host script results:
-- | msrpc-enum:
-- |
-- |   uuid: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5
-- |   annotation: DHCP Client LRPC Endpoint
-- |   ncalrpc: dhcpcsvc
-- |
-- |   uuid: 12345678-1234-abcd-ef00-0123456789ab
-- |   annotation: IPSec Policy agent endpoint
-- |   ncalrpc: audit
-- |
-- |   uuid: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5
-- |   ip_addr: 0.0.0.0
-- |   annotation: DHCP Client LRPC Endpoint
-- |   tcp_port: 49153
-- |
-- <snip>
-- |
-- |   uuid: 12345678-1234-abcd-ef00-0123456789ab
-- |   annotation: IPSec Policy agent endpoint
-- |   ncalrpc: securityevent
-- |
-- |   uuid: 12345678-1234-abcd-ef00-0123456789ab
-- |   annotation: IPSec Policy agent endpoint
-- |_  ncalrpc: protected_storage
--
-- @xmloutput
-- -snip-
-- <table>
--   <elem key="uuid">c100beab-d33a-4a4b-bf23-bbef4663d017</elem>
--   <elem key="annotation">wcncsvc.wcnprpc</elem>
--   <elem key="ncalrpc">wcncsvc.wcnprpc</elem>
-- </table>
-- <table>
--   <elem key="uuid">6b5bdd1e-528c-422c-af8c-a4079be4fe48</elem>
--   <elem key="annotation">Remote Fw APIs</elem>
--   <elem key="tcp_port">49158</elem>
--   <elem key="ip_addr">0.0.0.0</elem>
-- </table>
-- <table>
--   <elem key="uuid">12345678-1234-abcd-ef00-0123456789ab</elem>
--   <elem key="annotation">IPSec Policy agent endpoint</elem>
--   <elem key="tcp_port">49158</elem>
--   <elem key="ip_addr">0.0.0.0</elem>
-- </table>
-- -snip-

author = "Aleksandar Nikolic"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe","discovery"}

-- Run only against hosts where the smb library found an SMB port.
hostrule = function(host)
  return smb.get_port(host) ~= nil
end

action = function(host,port)
  local status, smbstate

  -- Open an SMB session and the named pipe of the endpoint mapper.
  status, smbstate = msrpc.start_smb(host,msrpc.EPMAPPER_PATH,true)
  if(status == false) then
    stdnse.debug1("SMB: " .. smbstate)
    return false, smbstate
  end

  local bind_result,epresult
  -- Bind to the endpoint mapper interface.
  status, bind_result = msrpc.bind(smbstate,msrpc.EPMAPPER_UUID, msrpc.EPMAPPER_VERSION, nil)
  if(status == false) then
    msrpc.stop_smb(smbstate)
    stdnse.debug1("SMB: " .. bind_result)
    return false, bind_result
  end

  local results = {}
  -- First lookup with a nil handle returns the first entry and a context handle.
  status, epresult = msrpc.epmapper_lookup(smbstate,nil)
  if not status then
    stdnse.debug1("SMB: " .. epresult)
    return false, epresult
  end

  local handle = epresult.new_handle
  epresult.new_handle = nil  -- keep the handle out of the reported result
  table.insert(results,epresult)

  -- Reuse the handle to fetch the next entry until the lookup fails (no more entries).
  while not (epresult == nil) do
    status, epresult = msrpc.epmapper_lookup(smbstate,handle)
    if not status then
      break
    end
    epresult.new_handle = nil
    table.insert(results,epresult)
  end

  return results
end
```