enumeration and MS DCERPC

Based on the MSRPC DCE-RPC IFIDs from the first command output you posted, the target appears potentially vulnerable to MS00-070, CVE-2000-0544, CVE-2001-0662, CVE-2002-1561, CVE-2003-0533, CVE-2003-0818, CVE-2004-0894, CVE-2005-1984 (Nessus 19406 and 19407 as well as CANVAS ms05_043 and CORE IMPACT MSRPC SPOOLSS Buffer Overflow), CVE-2005-2119, CVE-2006-0034/1184 (Nessus 21334 and CORE IMPACT MSDTC Allocation), or CVE-2007-1748. You can get cursory information about some of the IFIDs identified by using the epdump tool or deep information about each IFID by going through the Windows network services internals documentation here:

  • 12345778-1234-abcd-ef00-0123456789ac -- References: samr, samr interface, SAM access
  • 2f5f6521-cb55-1059-b446-00df0bce31db -- References: Unimodem LRPC Endpoint
  • 906b0ce0-c70b-1067-b317-00dd010662da -- References: MS-DTC, IXnRemote operations, Distributed Transaction Coordinator
  • 367abb81-9844-35f1-ad32-98f038001003 -- References: SVCCTL RPC, Services Control Manager
  • 12345678-1234-abcd-ef00-0123456789ab -- References: winipsec and spoolss, IPSec services and Spooler service, winipsec operations, winspool operations
  • 50abc2a4-574d-40b3-9d66-ee4fd5fba076 -- References: DnsServer, DnsServer operations
  • e1af8308-5d1f-11c9-91a4-08002b14a0fa -- References: epmp, RPC endpoint mapper, Portmapper, Portmapper RPC service, epmp operations
  • 0b0a6584-9e0f-11cf-a3cf-00805f68cb1b -- References: localepmp, localepmp operations
  • 99fcfec4-5260-101b-bbcb-00aa0021347a -- References: IObjectExporter, IOXIDResolver, IOXIDResolver operations
  • afa8bd80-7d8a-11c9-bef4-08002b102989 -- This is the RMI, or remote management interface that allows all of this enumeration to occur without authentication. Generally fixed in XP SP2 but the machine you are targeting behaves more like Windows 2000 or Server 2003.

If you want a pretty GUI that enumerates all of the IFIDs and explains what they are, check out this older tool from securityfriday.com called RpcScan. The download link therein didn't work, so after a bit of sleuthing, I was able to find the tool at a disreputable location -- here -- but I was able to verify the GPG signature contained in the zip file by using '--verify' on the .sig file, using '--search-keys' for the resulting keyid, editing the key to add trust, and finally verifying the signature with the associated executable. You may want to run it in a blow-away guest VM just in case.

Additionally, that first IFID shows that the SAMR is running on 192.168.41.221 via TCP port 49179 because of dynamic allocation. This can be queried using a tool such as walksam from the rpctools utilities bundle.

Read more about rpctools here -- https://web.archive.org/web/20070510223113/http://www.bindview.com/Services/RAZOR/Utilities/Windows/rpctools1.0-readme.cfm

And download the zip file here -- https://web.archive.org/web/20070510223113/http://www.bindview.com/Resources/RAZOR/Files/rpctools-1.0.zip

Query the server using the following technique:

C:\> walksam -p ncacn_ip_tcp -e 49179 192.168.41.221

Also run walksam (against all SMB hosts) without the flags to get more general user information as it walks through the SAM database. TrustedSec also released a tool to perform RID cycling, which is one of the techniques performed by walksam. You can check out rid_enum.py in more depth on its GitHub page.

There are plenty of tools that relate to pivot points from the information you gathered via those metasploit-framework auxiliary modules. Some can be found here -- http://winhackingexposed.com/tools.html -- and are discussed in that book's sections on RPC and SMB Enumeration in Chapter 4. I'd also recommend Chris McNab's work as I gathered much of the information for this answer from his wise books.

The best modern equivalent for this MSRPC toolchain is the CoreSec impacket tools. There is an rpcdump.py, but you may get better use out of their ifmap.py and opmap.py tools. These will lead you towards the other tools, such as samrdump.py, lookupsid.py, and potentially even services.py or secretsdump.py. These all speak purely from an MSRPC DCE-RPC perspective; there may be many other pathways into this Windows machine or the surrounding environment.
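The two steps this answer walks through by hand (reading IFIDs and dynamic TCP bindings out of an endpoint-mapper dump, then cycling RIDs against the SAM) can be scripted. The following is an added example and not code from the original answer, from rpctools, from impacket or from rid_enum.py. It assumes endpoint-mapper output laid out roughly like impacket's rpcdump.py (a "UUID :" line followed by a "Bindings:" block, records separated by blank lines); the sample dump, the host 192.168.41.221, the ports and the domain SID are all constructed for illustration.

```python
"""Added example: resolve IFIDs from an endpoint-mapper dump and build a RID-cycling SID list.
Not part of the original answer; sample data below is constructed."""
import re
from dataclasses import dataclass, field

# IFID -> short name, taken from the answer's list (UUIDs compared case-insensitively).
KNOWN_IFIDS = {
    "12345778-1234-abcd-ef00-0123456789ac": "samr (SAM access)",
    "2f5f6521-cb55-1059-b446-00df0bce31db": "Unimodem LRPC endpoint",
    "906b0ce0-c70b-1067-b317-00dd010662da": "MS-DTC (IXnRemote)",
    "367abb81-9844-35f1-ad32-98f038001003": "svcctl (Service Control Manager)",
    "12345678-1234-abcd-ef00-0123456789ab": "winipsec / spoolss",
    "50abc2a4-574d-40b3-9d66-ee4fd5fba076": "DnsServer",
    "e1af8308-5d1f-11c9-91a4-08002b14a0fa": "epmp (RPC endpoint mapper)",
    "0b0a6584-9e0f-11cf-a3cf-00805f68cb1b": "localepmp",
    "99fcfec4-5260-101b-bbcb-00aa0021347a": "IOXIDResolver",
    "afa8bd80-7d8a-11c9-bef4-08002b102989": "remote management interface",
}
SAMR_IFID = "12345778-1234-abcd-ef00-0123456789ac"

# Constructed sample in the rpcdump.py style (assumption about the exact layout).
SAMPLE_DUMP = """\
Protocol: [MS-SAMR]: Security Account Manager (SAM) Remote Protocol
UUID    : 12345778-1234-ABCD-EF00-0123456789AC v1.0
Bindings:
          ncacn_ip_tcp:192.168.41.221[49179]
          ncacn_np:\\\\TARGET[\\pipe\\lsass]

Protocol: N/A
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
          ncacn_ip_tcp:192.168.41.221[49180]
          ncacn_np:\\\\TARGET[\\pipe\\svcctl]

Protocol: N/A
UUID    : AFA8BD80-7D8A-11C9-BEF4-08002B102989 v1.0
Bindings:
          ncacn_ip_tcp:192.168.41.221[135]
"""

UUID_RE = re.compile(r"^UUID\s*:\s*([0-9a-fA-F-]{36})\s+v([\d.]+)", re.M)
TCP_RE = re.compile(r"ncacn_ip_tcp:([^\[]+)\[(\d+)\]")


@dataclass
class Endpoint:
    ifid: str
    version: str
    name: str
    bindings: list = field(default_factory=list)

    def tcp_endpoints(self):
        """(host, port) for every dynamically allocated ncacn_ip_tcp binding."""
        return [(m.group(1), int(m.group(2)))
                for b in self.bindings for m in [TCP_RE.match(b)] if m]


def parse_epm_dump(text):
    """Split a blank-line separated dump into Endpoint records, naming known IFIDs."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        m = UUID_RE.search(chunk)
        if not m:
            continue
        ifid = m.group(1).lower()
        ep = Endpoint(ifid, m.group(2), KNOWN_IFIDS.get(ifid, "unknown"))
        in_bindings = False
        for line in chunk.splitlines():
            if line.strip().startswith("Bindings:"):
                in_bindings = True
            elif in_bindings and line.strip():
                ep.bindings.append(line.strip())
        records.append(ep)
    return records


def walksam_command(endpoints):
    """The walksam invocation from the answer, built from the SAMR TCP binding (None if absent)."""
    for ep in endpoints:
        if ep.ifid == SAMR_IFID:
            for host, port in ep.tcp_endpoints():
                return f"walksam -p ncacn_ip_tcp -e {port} {host}"
    return None


# Well-known domain RIDs a RID-cycling tool expects to resolve.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
                   515: "Domain Computers", 516: "Domain Controllers",
                   519: "Enterprise Admins"}
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")


def rid_cycle(domain_sid, rid_ranges=((500, 520), (1000, 1010))):
    """Candidate (rid, sid, well_known_name) tuples to hand to an LSA LookupSids-style resolver."""
    if not DOMAIN_SID_RE.match(domain_sid):
        raise ValueError("expected a domain SID of the form S-1-5-21-x-y-z")
    return [(rid, f"{domain_sid}-{rid}", WELL_KNOWN_RIDS.get(rid))
            for lo, hi in rid_ranges for rid in range(lo, hi + 1)]


if __name__ == "__main__":
    eps = parse_epm_dump(SAMPLE_DUMP)
    for ep in eps:
        print(ep.ifid, f"v{ep.version}", ep.name, ep.tcp_endpoints())
    print(walksam_command(eps))
    for rid, sid, name in rid_cycle("S-1-5-21-1004336348-1177238915-682003330")[:5]:
        print(rid, sid, name or "")
```

The parser only keys on the UUID and Bindings lines, so it tolerates differences in the Protocol/Provider header lines; the RID list is what walksam, lookupsid.py and rid_enum.py feed to the server, so the script stops short of the network call.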