RPC Enumeration
RPC View
RpcView can be used to enumerate the RPC servers running on a host: https://github.com/silverf0x/RpcView
Impacket
RPCDump.py locates all mapped RPC endpoints on the target host:
$ python3 rpcdump.py 192.168.1.112
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Retrieving endpoint list from 192.168.1.112
Protocol: N/A
Provider: N/A
UUID : 51A227AE-825B-41F2-B4A9-1AC9557A1018 v1.0 Ngc Pop Key Service
Bindings:
ncacn_ip_tcp:192.168.1.112[49664]
ncalrpc:[samss lpc]
ncalrpc:[SidKey Local End Point]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSA_EAS_ENDPOINT]
ncalrpc:[LSA_IDPEXT_ENDPOINT]
ncalrpc:[lsacap]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncacn_np:\\WINDEV2106EVAL[\pipe\lsass]
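An added example (not part of the original page or of Impacket): a parser for saved rpcdump.py output that separates interfaces bound only to local ncalrpc endpoints from those reachable over the network, which is the part to review when auditing a host's exposed RPC surface. The sample text is constructed from the output above; the second entry, its placeholder UUID and endpoint name, and the function names are assumptions.

```python
import re

# Protocol sequences reachable from another host; ncalrpc is local-only.
REMOTE = {"ncacn_ip_tcp", "ncacn_np", "ncacn_http", "ncadg_ip_udp"}
UUID_RE = re.compile(r"^UUID\s*:\s*([0-9A-Fa-f-]{36})\s+v(\S+)\s*(.*)$")
BINDING_RE = re.compile(r"^(nca\w+):(.*)$")

# Constructed sample: first entry abridged from the output above,
# second entry is a made-up local-only interface with a placeholder UUID.
SAMPLE = r"""Protocol: N/A
Provider: N/A
UUID : 51A227AE-825B-41F2-B4A9-1AC9557A1018 v1.0 Ngc Pop Key Service
Bindings:
ncacn_ip_tcp:192.168.1.112[49664]
ncalrpc:[lsasspirpc]
ncacn_np:\\WINDEV2106EVAL[\pipe\lsass]

Protocol: N/A
Provider: N/A
UUID : 00000000-0000-0000-0000-000000000001 v1.0
Bindings:
ncalrpc:[constructed_local_only]
"""

def parse_rpcdump(text):
    """Return one dict per interface: provider, uuid, version, name, bindings."""
    entries, cur, provider = [], None, "N/A"
    for raw in text.splitlines():
        line = raw.strip()  # real output indents the binding lines
        if line.startswith("Provider:"):
            provider = line.split(":", 1)[1].strip()
        elif (m := UUID_RE.match(line)):
            cur = {"provider": provider, "uuid": m[1].upper(), "version": m[2],
                   "name": m[3].strip(), "bindings": []}
            entries.append(cur)
        elif cur and (m := BINDING_RE.match(line)):
            cur["bindings"].append((m[1], m[2]))
    return entries

def remote_exposure(entries):
    """Map each interface UUID to its bindings that are reachable off-host."""
    out = {}
    for e in entries:
        remote = [f"{t}:{ep}" for t, ep in e["bindings"] if t in REMOTE]
        if remote:
            out[e["uuid"]] = remote
    return out

if __name__ == "__main__":
    for uuid, bindings in remote_exposure(parse_rpcdump(SAMPLE)).items():
        print(uuid, bindings)
```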
RPCMap.py can bruteforce additional UUIDs for endpoints:
$ python3 rpcmap.py ncacn_ip_tcp:192.168.1.112[49669] -auth-rpc admin:admin
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Target MGMT interface not available
[*] Bruteforcing UUIDs. The result may not be complete.
Protocol: [MS-PAN]: Print System Asynchronous Notification Protocol
Provider: spoolsv.exe
UUID: 0B6EDBFA-4A24-4FC6-8A23-942B1ECA65D1 v1.0