Re: MSRPC IFID List?

From: dave@immunitysec.com
Date: Mon May 12 2003 - 06:41:18 EDT


The version of dcedump included with SPIKE 2.8 has most IFIDS described
somewhat - at least as to what program they run in. One way I like to use
to find out what they are is to fuzz them, and see what process uses CPU.

Dave Aitel
Research and Development
Immunity, Inc.
www.immunitysec.com

> Hi,
>
> Recently been playing around a fair bit with Dave Aitel and Todd Sabin's
> MSRPC tools to query the endpoint mapper at TCP/UDP 135 and glean IfId
> details from dynamic high ports (TCP 1025, UDP 1028, et al) using Sabin's
> ifids tool (http://razor.bindview.com/tools/desc/rpctools1.0-readme.html):
>
> D:\rpctools> ifids -p ncadg_ip_udp -e 1028 192.168.189.1
> Interfaces: 16
> 367abb81-9844-35f1-ad32-98f038001003 v2.0
> 93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0
> 82273fdc-e32a-18c3-3f78-827929dc23ea v0.0
> 65a93890-fab9-43a3-b2a5-1e330ac28f11 v2.0
> 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0
> 6bffd098-a112-3610-9833-46c3f87e345a v1.0
> 8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0
> c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0
> 0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0
> 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
> 300f3532-38cc-11d0-a3f0-0020af6b0add v1.2
> 6bffd098-a112-3610-9833-012892020162 v0.0
> 17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
> 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
> 3ba0ffc0-93fc-11d0-a4ec-00a0c9062910 v1.0
> 8c7daf44-b6dc-11d1-9a4c-0020af6e7c57 v1.0
>
> D:\rpctools>
>
> I have managed to work out a few of the IfId values (using fport and other
> tools), as follows:
>
> 906b0ce0-c70b-1067-b317-00dd010662da = MSDTC
> 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc = Messenger
> 1ff70682-0a51-30e8-076d-740be8cee98b = MSTask
>
> I am just wondering if there is a complete Microsoft-published or otherwise
> list of these IfId values? This kind of information would be useful when
> playing with MSRPC in blind pentesting cases.
>
> Regards,
>
> Chris
>
>
> Chris McNab
> Technical Director
>
> Matta Security Limited
> 18 Noel Street
> London W1F 8GN
>
> Tel: 0870 077 1100
> Web: www.trustmatta.com
>
>
> ---------------------------------------------------------------------------
> Did you know that you have VNC running on your network?
> Your hacker does.
> Plug your security holes.
> Download a free 15-day trial of VAM:
> http://www.securityfocus.com/StillSecure-pen-test
> ----------------------------------------------------------------------------
>
>
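
Added example, not part of either message and not code from rpctools or SPIKE: a Python parser for the ifids output format shown in the quoted message, which labels each interface using only the three IfId mappings given there and lists the ones still unidentified. The sample input is constructed from four interface lines of the listing above (one upper-cased to show normalisation), and the function names are hypothetical.

```python
import re
import uuid

# IfId-to-service mappings stated in the quoted message (not a complete list).
KNOWN_IFIDS = {
    "906b0ce0-c70b-1067-b317-00dd010662da": "MSDTC",
    "5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc": "Messenger",
    "1ff70682-0a51-30e8-076d-740be8cee98b": "MSTask",
}

# Both patterns tolerate the "> " prefix of a quoted e-mail.
COUNT_RE = re.compile(r"^(?:>\s*)*Interfaces:\s*(\d+)\s*$")
LINE_RE = re.compile(r"^(?:>\s*)*([0-9a-fA-F-]{36})\s+v(\d+)\.(\d+)\s*$")

# Constructed sample in the ifids output format.
SAMPLE = """\
Interfaces: 4
367abb81-9844-35f1-ad32-98f038001003 v2.0
5A7B91F8-FF00-11D0-A9B2-00C04FB6E6FC v1.0
300f3532-38cc-11d0-a3f0-0020af6b0add v1.2
8c7daf44-b6dc-11d1-9a4c-0020af6e7c57 v1.0
"""

def parse_ifids(text):
    """Return (declared_count, [(ifid, major, minor), ...])."""
    declared, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := COUNT_RE.match(line)):
            declared = int(m.group(1))
        elif (m := LINE_RE.match(line)):
            try:
                ifid = str(uuid.UUID(m.group(1)))  # canonical lower-case form
            except ValueError:
                continue  # right length but not a well-formed UUID
            found.append((ifid, int(m.group(2)), int(m.group(3))))
    return declared, found

def annotate(text, known=KNOWN_IFIDS):
    declared, found = parse_ifids(text)
    rows = [(i, f"v{ma}.{mi}", known.get(i)) for i, ma, mi in found]
    return {"rows": rows,
            "unidentified": [i for i, _, name in rows if name is None],
            "complete": declared == len(found)}  # False on a truncated capture

if __name__ == "__main__":
    report = annotate(SAMPLE)
    for ifid, ver, name in report["rows"]:
        print(f"{ifid} {ver:5} {name or '(unidentified)'}")
    print("complete listing:", report["complete"])
```
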

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:33 EDT