MSRPC IFID List?

From: Chris McNab (chris.mcnab@trustmatta.com)
Date: Sat May 10 2003 - 13:23:31 EDT

• Next message: Maher Odeh: "RE: Directory listing"
• Previous message: Amal Al Hajeri: "Mail Server testing"
• Next in thread: dave@immunitysec.com: "Re: MSRPC IFID List?"
• Reply: dave@immunitysec.com: "Re: MSRPC IFID List?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi,

Recently been playing around a fair bit with Dave Aitel and Todd Sabin's
MSRPC tools to query the endpoint mapper at TCP/UDP 135 and glean IfId
details from dynamic high ports (TCP 1025, UDP 1028, et al) using Sabin's
ifids tool (http://razor.bindview.com/tools/desc/rpctools1.0-readme.html):

D:\rpctools> ifids -p ncadg_ip_udp -e 1028 192.168.189.1
Interfaces: 16
  367abb81-9844-35f1-ad32-98f038001003 v2.0
  93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0
  82273fdc-e32a-18c3-3f78-827929dc23ea v0.0
  65a93890-fab9-43a3-b2a5-1e330ac28f11 v2.0
  8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0
  6bffd098-a112-3610-9833-46c3f87e345a v1.0
  8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0
  c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0
  0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0
  4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
  300f3532-38cc-11d0-a3f0-0020af6b0add v1.2
  6bffd098-a112-3610-9833-012892020162 v0.0
  17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
  5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
  3ba0ffc0-93fc-11d0-a4ec-00a0c9062910 v1.0
  8c7daf44-b6dc-11d1-9a4c-0020af6e7c57 v1.0

D:\rpctools>

I have managed to work out a few of the IfId values (using fport and other
tools), as follows:

906b0ce0-c70b-1067-b317-00dd010662da = MSDTC
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc = Messenger
1ff70682-0a51-30e8-076d-740be8cee98b = MSTask

I am just wondering if there is a complete Microsoft-published or otherwise
list of these IfId values? This kind of information would be useful when
playing with MSRPC in blind pentesting cases..

Regards,

Chris

Chris McNab
Technical Director

Matta Security Limited
18 Noel Street
London W1F 8GN

Tel: 0870 077 1100
Web: www.trustmatta.com

---------------------------------------------------------------------------
Did you know that you have VNC running on your network?
Your hacker does.
Plug your security holes.
Download a free 15-day trial of VAM:
http://www.securityfocus.com/StillSecure-pen-test
----------------------------------------------------------------------------

• Next message: Maher Odeh: "RE: Directory listing"
• Previous message: Amal Al Hajeri: "Mail Server testing"
• Next in thread: dave@immunitysec.com: "Re: MSRPC IFID List?"
• Reply: dave@immunitysec.com: "Re: MSRPC IFID List?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:33 EDT