-
Notifications
You must be signed in to change notification settings - Fork 13.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add RPORT to the list of DCERPC ports to check #2507
Conversation
Also tested with the auxiliary/scanner/dcerpc/hidden module, which doesn't take an RPORTS option, and it works as expected there as well. |
I think maybe deregister RPORT would be more correct? |
You could, but that means you couldn't query alternate ports at all. |
Its extremely unlikely that endpoint mapper runs on anything other than 135? The 593 port is specifically used to hold the Web service endpoint mapper - but tbh I've never seen that? Not sure if this module would actually work with 593 if its expecting HTTP... "593 provides "endpoint mapper" services for RPC-over-HTTP (when IIS acts as a proxy for RPC). See port 135 for more info. Sometimes enabled automatically by Exchange." |
I guess having the RPORT option allows for NAT/tunnelling scenarios. The problem with this solution is if you set the RPORT to 7867 for your local meterpreter portfwd or ssh tunnel, you could scan yourself on 135 without knowing about it! I'm not a big fan of 593 being hidden from the user either... |
So @Meatballs1 are you saying this is a pointless exercise? It seemed to me that port 5040 acted as a fine endpoint mapper for at least to WDS servers; I can double check that to make sure I wasn't really pulling in data from port 135. If it's dumb to ask other ports for endpoint mapping services, then I'm with you, the module should just deregister RPORT so users (like me) aren't confused about availability. |
I imagine you set the RPORT, but the results you got back were actually from port 135 anyway. I think it is useful for port forwarding situations however it should just be |
Got it . Will fix. Thanks!
|
Incidentally, the endmap scanner doesn't appear to work at all for http-rpc-epmap, so no harm done anyway (tested against Windows 2008 server). It looks like a bigger change than it realy is, thanks to the indentaton changes by removing the itertor. Diff this without whitespace changes to get a better idea of what's actually different.
Done. To see the changes not counting whitespace (due to the unindenting of the now removed iterator block) see this change without whitespace changes: https://github.com/rapid7/metasploit-framework/pull/2507/files?w=1 |
Validation steps
Without patch:
With patch: