Script msrpc-enum

Script types: hostrule
Categories: safe, discovery
Download: https://svn.nmap.org/nmap/scripts/msrpc-enum.nse

Script Summary

Queries an MSRPC endpoint mapper for a list of mapped services and displays the gathered information.

As it is using smb library, you can specify optional username and password to use.

Script works much like Microsoft's rpcdump tool or dcedump tool from SPIKE fuzzer.

Script Arguments

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap <target> --script=msrpc-enum

Script Output

PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack

Host script results:
| msrpc-enum:
|
|     uuid: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5
|     annotation: DHCP Client LRPC Endpoint
|     ncalrpc: dhcpcsvc
|
|     uuid: 12345678-1234-abcd-ef00-0123456789ab
|     annotation: IPSec Policy agent endpoint
|     ncalrpc: audit
|
|     uuid: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5
|     ip_addr: 0.0.0.0
|     annotation: DHCP Client LRPC Endpoint
|     tcp_port: 49153
|
<snip>
|
|     uuid: 12345678-1234-abcd-ef00-0123456789ab
|     annotation: IPSec Policy agent endpoint
|     ncalrpc: securityevent
|
|     uuid: 12345678-1234-abcd-ef00-0123456789ab
|     annotation: IPSec Policy agent endpoint
|_    ncalrpc: protected_storage

Requires

• msrpc
• smb
• stdnse
• table

---

Author:

• Aleksandar Nikolic

License: Same as Nmap--See https://nmap.org/book/man-legal.html