
LSA 1: Identify Remote Procedure Call (RPC (TCP 135)) and DCE/RPC

Remote Procedure Call (RPC) is a protocol that enables a program on one computer to request services or execute code on another computer over a network. It abstracts the complexity of communication between systems, allowing applications to invoke functions and procedures remotely, as if they were running locally.

RPC operates over TCP port 135, which is used by the RPC Endpoint Mapper. This service maps client requests to the appropriate server port, ensuring that the correct server application is accessed for the requested service.

Usage:

RPC is critical for facilitating communication between client and server applications in Windows environments. It allows software components to invoke procedures on remote systems, enabling diverse services like Active Directory, File and Printer Sharing, and Windows Management Instrumentation (WMI) to operate across different systems within a network.

In practical terms, RPC is commonly used to execute operations such as querying services, managing system configurations, and accessing remote resources, all of which are vital for networked systems to function cohesively.

Components:

  • RPC Endpoint Mapper:

    • The RPC Endpoint Mapper listens on TCP port 135 and is responsible for directing client requests to the correct server. When a client needs to contact a server for a specific service, the Endpoint Mapper helps the client locate the appropriate RPC service on the server by providing the necessary port information.

  • Ephemeral Ports (49152–65535):

    • After the client connects to the RPC Endpoint Mapper on TCP port 135, it is assigned an ephemeral port (a dynamically assigned temporary port) from the range 49152–65535 to communicate with the service on the server. This range is reserved for outbound and non-persistent connections that help clients access specific services on the server.

DCE/RPC (Distributed Computing Environment/Remote Procedure Call):

  • Description: DCE/RPC is an extension of the RPC protocol that facilitates communication between software components across different platforms and systems, providing a standardized framework for networked applications. It enables the communication of objects and services across different operating systems, ensuring interoperability.

  • Usage: DCE/RPC is used in Windows environments for vital services such as Active Directory, Microsoft Exchange Server, and remote management tasks. It supports a wide range of Microsoft services by enabling networked communication that extends beyond the boundaries of a single machine.

  • Features:

    • Platform Independence: DCE/RPC can work across multiple operating systems, ensuring that software components on different platforms can communicate with one another seamlessly.
    • Security: DCE/RPC supports various authentication mechanisms (e.g., Kerberos) and encryption methods, making it suitable for secure communication over untrusted networks. This is especially important for services such as Active Directory, where authentication is critical.

Security Considerations of RPC:

Although RPC is an essential component for many network services in Windows, it carries several inherent security risks, especially when TCP port 135 is left exposed. Some of the known risks include:

  1. Endpoint Mapper Promiscuity:

    • The Endpoint Mapper can be queried by attackers to gather information about available services on a server. This information could be exploited to identify potential targets for further attacks, such as remote code execution or service-specific vulnerabilities.
  2. Denial of Service (DoS) on Port 135:

    • TCP port 135 is a common target for Denial of Service (DoS) attacks. By overwhelming the port with excessive traffic, attackers can disrupt RPC functionality, causing systems to become unresponsive.
  3. Service-Specific Attacks:

    • Attackers can exploit RPC to perform service-specific attacks by querying the RPC Endpoint Mapper and identifying vulnerable services. Once identified, these services can be attacked for remote code execution, privilege escalation, or data theft.
  4. Privilege Escalation:

    • Privilege escalation can occur if an attacker gathers sensitive information about the RPC services and exploits flaws in the way Windows handles security, allowing the attacker to gain higher privileges within the system.

Mitigation Strategies:

While RPC is necessary for many Windows operations, there are several measures that can help mitigate associated risks:

  1. Patch Management:

    • Regularly applying security patches and updates ensures that known vulnerabilities in RPC services (such as MSRPC vulnerabilities) are addressed, reducing the risk of exploitation.
  2. Restrict RPC Access:

    • Use firewalls to limit access to TCP port 135 from untrusted sources. By restricting external access to port 135, you can prevent unauthorized RPC requests from reaching your systems.
  3. Network Segmentation:

    • Isolate critical servers and services within a protected network segment. By restricting RPC access to only trusted systems or network zones, you can reduce the attack surface for potential intrusions.
  4. Disable Unnecessary RPC Services:

    • If specific RPC services are not required, they should be disabled to minimize the number of potential attack vectors available to attackers.
  5. Implement Authentication and Encryption:

    • Ensure that RPC traffic is encrypted and authenticated, especially when accessing sensitive services such as Active Directory. Enabling Kerberos authentication and using encryption for sensitive data can significantly reduce the risk of exploitation.
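Detection logic for the risks listed under Security Considerations and for mitigations 2 and 3 above, as an added example that is not part of this page: it reads constructed firewall-style log lines and flags sources outside a trusted management subnet that reached port 135 (exactly what the access restriction should have blocked), bursts of connections to port 135, and a follow-on sweep of the dynamic port range on one host. The log format, the 10.0.5.0/24 trusted subnet and the thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example: only the management subnet below may reach the
# Endpoint Mapper, and the thresholds are illustrative rather than tuned values.
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.5.0/24")]
EPM_PORT = 135
DYNAMIC_PORTS = range(49152, 65536)
BURST_THRESHOLD = 20   # connections to port 135 from one source in the sample window
SWEEP_THRESHOLD = 5    # distinct dynamic-range ports on one host from one source

def parse_line(line: str) -> dict:
    """Parse one log line in the constructed format: time action proto src dst sport dport."""
    t, action, proto, src, dst, sport, dport = line.split()
    return {"time": t, "action": action, "proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "sport": int(sport), "dport": int(dport)}

def analyze(lines) -> list:
    """Return sorted alert strings for untrusted EPM access, bursts to 135 and dynamic-port sweeps."""
    epm_hits = defaultdict(int)          # src -> number of connections to 135
    dyn_ports = defaultdict(set)         # (src, dst) -> dynamic ports touched on that host
    untrusted = set()                    # (src, dst) pairs that reached 135 from outside
    for rec in map(parse_line, lines):
        if rec["proto"] != "TCP":
            continue
        if rec["dport"] == EPM_PORT:
            epm_hits[rec["src"]] += 1
            if not any(rec["src"] in net for net in TRUSTED_SOURCES):
                untrusted.add((rec["src"], rec["dst"]))
        elif rec["dport"] in DYNAMIC_PORTS:
            dyn_ports[(rec["src"], rec["dst"])].add(rec["dport"])
    alerts = [f"untrusted-epm-access src={s} dst={d}" for s, d in untrusted]
    alerts += [f"epm-burst src={s} count={n}" for s, n in epm_hits.items() if n > BURST_THRESHOLD]
    alerts += [f"dynamic-port-sweep src={s} dst={d} ports={len(p)}"
               for (s, d), p in dyn_ports.items() if len(p) >= SWEEP_THRESHOLD]
    return sorted(alerts)

# Constructed sample: one legitimate admin lookup (EPM query, then one service port),
# followed by an outside host repeatedly hitting 135 and walking the dynamic range.
SAMPLE_LOG = (
    ["2024-05-01T10:00:00 ALLOW TCP 10.0.5.23 10.0.1.10 51234 135",
     "2024-05-01T10:00:00 ALLOW TCP 10.0.5.23 10.0.1.10 51235 49668"]
    + [f"2024-05-01T10:01:{i:02d} ALLOW TCP 192.168.7.9 10.0.1.10 {40000 + i} 135" for i in range(25)]
    + [f"2024-05-01T10:02:00 ALLOW TCP 192.168.7.9 10.0.1.10 {41000 + i} {49152 + i}" for i in range(6)]
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The legitimate admin host produces no alert because it sits in the trusted subnet and touches only one dynamic port; a real deployment would feed this the firewall or flow logs for the segment hosting the servers.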

RPC Communication Process:

  1. Client Initiation:

    • The client initiates a request to execute a procedure on the remote server by sending a request packet to TCP port 135.
  2. Server Response:

    • The server listens on port 135 for incoming requests. Upon receiving a request, the RPC Endpoint Mapper helps the client determine the correct port for the requested service.
  3. Three-Way Handshake:

    • After identifying the correct port, a three-way handshake occurs between the client and server to establish a secure communication channel.
  4. Procedure Execution:

    • Once the connection is established, the requested procedure (e.g., a system or service query) is executed on the remote server. The results are sent back to the client through the established communication channel.
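The first RPC message the client sends after the TCP handshake is a bind PDU naming the interface it wants, for example the Endpoint Mapper interface when it asks port 135 where a service lives. The parser below is an added example, not code from this page: it decodes the DCE/RPC connection-oriented bind header and its presentation contexts so that a monitoring tool can record which interfaces clients request. The interface table and the constructed sample PDU are assumptions.

```python
import struct
import uuid

# Assumptions for this example: the interface table is a small hand-built list,
# and only the little-endian data representation that Windows clients send is handled.
PTYPE_BIND = 11
KNOWN_INTERFACES = {
    uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa"): "Endpoint Mapper (EPM)",
}
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

def parse_bind(pdu: bytes) -> dict:
    """Parse a connection-oriented DCE/RPC bind PDU into its presentation contexts."""
    if len(pdu) < 28:
        raise ValueError("truncated bind PDU")
    # 16-byte common header: version, minor, ptype, flags, drep, frag_len, auth_len, call_id
    vers, _minor, ptype, _flags, drep, frag_len, _auth_len, call_id = struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if vers != 5 or ptype != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    if drep[0] & 0xF0 != 0x10:
        raise ValueError("only little-endian data representation is handled")
    if frag_len > len(pdu):
        raise ValueError("frag_length exceeds captured bytes")
    # bind body: max_xmit_frag, max_recv_frag, assoc_group_id, context count plus 3 pad bytes
    _max_xmit, _max_recv, _assoc, n_ctx = struct.unpack_from("<HHIBxxx", pdu, 16)
    offset, contexts = 28, []
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack_from("<HBx", pdu, offset)
        offset += 4
        iface = uuid.UUID(bytes_le=pdu[offset:offset + 16])   # UUIDs are little-endian on the wire
        major, minor = struct.unpack_from("<HH", pdu, offset + 16)
        offset += 20
        syntaxes = []
        for _ in range(n_ts):
            syntaxes.append(uuid.UUID(bytes_le=pdu[offset:offset + 16]))
            offset += 20                                       # skip the transfer syntax version too
        contexts.append({"context_id": ctx_id, "interface": iface, "version": f"{major}.{minor}",
                         "name": KNOWN_INTERFACES.get(iface, "unknown"), "transfer_syntaxes": syntaxes})
    return {"call_id": call_id, "contexts": contexts}

def build_bind(interface: uuid.UUID, major: int, minor: int, call_id: int = 1) -> bytes:
    """Constructed sample input: a single-context bind offering the NDR transfer syntax."""
    ctx = (struct.pack("<HBx", 0, 1) + interface.bytes_le + struct.pack("<HH", major, minor)
           + NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<HH", 2, 0))
    body = struct.pack("<HHIBxxx", 4280, 4280, 0, 1) + ctx
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03, b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return header + body

if __name__ == "__main__":
    for ctx in parse_bind(build_bind(next(iter(KNOWN_INTERFACES)), 3, 0))["contexts"]:
        print(ctx["name"], ctx["interface"], ctx["version"])
```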

Summary:

The Remote Procedure Call (RPC) protocol, using TCP port 135 and DCE/RPC, is fundamental to Windows networked communication and is essential for many system and application services. While it enables seamless inter-system communication, it also presents security challenges. Proper configuration, patch management, and restricted access are essential to mitigating vulnerabilities associated with RPC and ensuring the integrity of Windows network services. By understanding RPC's operation, its components, and potential security risks, students can better manage and protect Windows network environments.