Notes
| Alternative Ports |
|---|
| 135 TCP (MS RPC Endpoint Mapper) |
| 139 TCP (NetBIOS Session Service) |
| 445 TCP (SMB over TCP – related) |
Service Description
Port 135 is the Microsoft RPC Endpoint Mapper (EPM): a client asks it which dynamic TCP port (49152-65535 on Vista/2008 and later, 1025-5000 on older Windows) a given RPC interface, DCOM included, is listening on, so 135 is the doorway and the interesting services sit on the ports it hands out. Port 139 carries SMB over the NetBIOS Session Service, used by legacy SMB and by RPC over named pipes (ncacn_np). Both are heavily used in Windows environments for remote management, enumeration, and domain interaction.
Null sessions (anonymous binds) over RPC or SMB may expose users, groups, shares and domain policy, especially in legacy environments. Newer Windows limits this through the RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and, on domain controllers, by refusing anonymous lookups by default, so an empty result from a null session does not mean the host is hardened against an authenticated low-privilege user: retry the same commands with any valid domain credential.
Tools & Exploits
rpcclient (NULL Session)
```bash
rpcclient -U "" -N 10.10.10.10
```
Common rpcclient Commands
```
# General info
enumdomusers          # list domain users (usually the first thing denied on hardened hosts)
enumdomgroups
srvinfo               # OS version and server type
lsaquery              # domain name and domain SID (needed for RID cycling)
# Share and permission info
netshareenum
netshareenumall
# User info
queryuser 500         # RID 500 = built-in Administrator
querydispinfo         # users with description fields (descriptions sometimes hold credentials)
# Domain/Privilege info
enumdomains
enumprivs
```
RID Cycling
Brute-forcing or guessing RIDs, based on the fact that RIDs are predictable: well-known RIDs are fixed (500 = built-in Administrator, 501 = Guest, 512 = Domain Admins) and RIDs for accounts created afterwards are allocated sequentially from 1000 upward. Take the domain SID from lsaquery, append candidate RIDs and resolve them with lookupsids; this often still works over a null session when enumdomusers is denied. enum4linux automates it with -r (already included in -a):
```bash
enum4linux -a -u [user] -p 'Password@123' -w [domain] -r [IP] | tee enum4linux_results.txt
```
nmap
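The null-session and RID-cycling procedure above, driven from Python, as an added example (not part of the original notes or of the rpcclient/enum4linux projects). It assumes rpcclient is on PATH and runs `lsaquery` once to get the domain SID, then batches of `lookupsids` over the candidate RID range; the two sample outputs are constructed in rpcclient's output format, not captured from a real host, so the parsers can be exercised offline.

```python
"""RID cycling over an rpcclient null session (added example, not from the original notes)."""
import re
import subprocess
from typing import Dict, List

# Constructed sample of `lsaquery` output (not captured from a real host)
SAMPLE_LSAQUERY = """Domain Name: CORP
Domain Sid: S-1-5-21-3072663084-364016917-1341370565
"""

# Constructed sample of `lookupsids` output; type 8 = SID_NAME_UNKNOWN, i.e. the RID is unused
SAMPLE_LOOKUPSIDS = r"""S-1-5-21-3072663084-364016917-1341370565-500 CORP\Administrator (1)
S-1-5-21-3072663084-364016917-1341370565-501 CORP\Guest (1)
S-1-5-21-3072663084-364016917-1341370565-502 *unknown*\*unknown* (8)
S-1-5-21-3072663084-364016917-1341370565-512 CORP\Domain Admins (2)
S-1-5-21-3072663084-364016917-1341370565-1000 CORP\svc_backup (1)
"""

# SID_NAME_USE values as rpcclient prints them in parentheses
SID_TYPES = {1: "user", 2: "group", 3: "domain", 4: "alias", 5: "well-known group", 8: "unknown"}

_SID_RE = re.compile(r"^Domain Sid:\s*(S-1-5-21-\d+-\d+-\d+)\s*$", re.MULTILINE)
_LOOKUP_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)\s+(.+?)\s+\((\d+)\)\s*$")


def parse_domain_sid(lsaquery_output: str) -> str:
    """Pull the domain SID out of `lsaquery` output; raise if it is absent."""
    m = _SID_RE.search(lsaquery_output)
    if not m:
        raise ValueError("no 'Domain Sid:' line in lsaquery output")
    return m.group(1)


def build_lookupsids_cmds(domain_sid: str, start: int = 500, end: int = 1100,
                          batch: int = 20) -> List[str]:
    """Return `lookupsids` command strings covering RIDs [start, end), `batch` SIDs per call."""
    rids = list(range(start, end))
    return ["lookupsids " + " ".join(f"{domain_sid}-{r}" for r in rids[i:i + batch])
            for i in range(0, len(rids), batch)]


def parse_lookupsids(output: str) -> List[Dict]:
    """Parse resolved SIDs from `lookupsids` output, dropping unknown (type 8) entries."""
    found = []
    for line in output.splitlines():
        m = _LOOKUP_RE.match(line.strip())
        if not m:
            continue
        sid_type = int(m.group(4))
        if sid_type == 8:
            continue
        found.append({"rid": int(m.group(2)), "name": m.group(3),
                      "type": SID_TYPES.get(sid_type, str(sid_type))})
    return found


def rpcclient(target: str, command: str) -> str:
    """Run one rpcclient command over a null session (-U "" -N) and return its stdout."""
    proc = subprocess.run(["rpcclient", "-U", "", "-N", target, "-c", command],
                          capture_output=True, text=True, timeout=60)
    return proc.stdout


def rid_cycle(target: str, start: int = 500, end: int = 1100) -> List[Dict]:
    """Full cycle against a live host; needs rpcclient on PATH and network access."""
    domain_sid = parse_domain_sid(rpcclient(target, "lsaquery"))
    results: List[Dict] = []
    for cmd in build_lookupsids_cmds(domain_sid, start, end):
        results.extend(parse_lookupsids(rpcclient(target, cmd)))
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:  # python3 rid_cycle.py 10.10.10.10
        for e in rid_cycle(sys.argv[1]):
            print(f"{e['rid']:>5}  {e['type']:<16} {e['name']}")
    else:  # offline demo on the constructed samples
        print(parse_domain_sid(SAMPLE_LSAQUERY))
        for e in parse_lookupsids(SAMPLE_LOOKUPSIDS):
            print(f"{e['rid']:>5}  {e['type']:<16} {e['name']}")
```

Batching matters: one `lookupsids` call per RID means one RPC round trip per guess, while twenty SIDs per call cuts the traffic and log volume on the target by the same factor. Widen the range past 1100 on larger domains; type 2 (group) and 4 (alias) hits are worth keeping, since group names often reveal what the environment runs.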
```bash
nmap -p135,139 --script=msrpc-enum,smb-enum-shares,smb-enum-users <target>
```
Metasploit
```
use auxiliary/scanner/dcerpc/endpoint_mapper
use auxiliary/scanner/smb/smb_enumusers
use auxiliary/scanner/smb/smb_enumshares
```
CrackMapExec (for fast enum + testing)
```bash
cme smb <target> -u '' -p '' --shares --sessions --users
```
rpcdump.py (Impacket)
```bash
rpcdump.py @<target>
```
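The endpoint mapper on 135 is only a directory; what you want from rpcdump.py is the list of dynamic TCP ports and named pipes it advertises, so the next port scan and the SMB checks are aimed at the right places. The following is an added example (not part of the original notes or of Impacket) that parses rpcdump.py's Protocol / Provider / UUID / Bindings blocks; the sample text is constructed in that layout, not captured from a real host, and the interface names and ports in it are assumptions.

```python
"""Turn rpcdump.py output into scan targets (added example, not from the original notes)."""
import re
from typing import Dict, List, Optional, Set

# Constructed sample in the layout rpcdump.py prints; hosts, ports and pipes are assumed
SAMPLE_RPCDUMP = r"""Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:10.10.10.10[49667]
          ncacn_np:\\DC01[\pipe\spoolss]

Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
          ncacn_ip_tcp:10.10.10.10[49669]
          ncacn_np:\\DC01[\pipe\svcctl]

Protocol: N/A
Provider: N/A
UUID    : 6BFFD098-A112-3610-9833-46C3F874532D v1.0
Bindings:
          ncacn_ip_tcp:10.10.10.10[49670]
"""

_UUID_RE = re.compile(r"^UUID\s*:\s*([0-9A-Fa-f-]{36})(?:\s+v([\d.]+))?", re.IGNORECASE)
_BIND_RE = re.compile(r"^(\w+):(.*)\[(.*)\]\s*$")  # transport:host[endpoint]


def parse_rpcdump(text: str) -> List[Dict]:
    """One dict per registered interface: protocol, provider, uuid, version, bindings."""
    entries: List[Dict] = []
    cur: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Protocol:"):
            value = line[len("Protocol:"):].strip()
            cur = {"protocol": None if value == "N/A" else value, "provider": None,
                   "uuid": None, "version": None, "bindings": []}
            entries.append(cur)
        elif cur is None:
            continue  # nothing before the first Protocol: line is an interface
        elif line.startswith("Provider:"):
            value = line[len("Provider:"):].strip()
            cur["provider"] = None if value == "N/A" else value
        elif line.upper().startswith("UUID"):
            m = _UUID_RE.match(line)
            if m:
                cur["uuid"] = m.group(1).upper()
                cur["version"] = m.group(2)
        else:
            m = _BIND_RE.match(line)  # "Bindings:" itself has no [..] and is skipped
            if m:
                cur["bindings"].append((m.group(1), m.group(2), m.group(3)))
    return entries


def tcp_ports(entries: List[Dict]) -> Set[int]:
    """Dynamic TCP ports the mapper advertises; feed these to the next nmap run."""
    ports: Set[int] = set()
    for e in entries:
        for transport, _host, endpoint in e["bindings"]:
            if transport == "ncacn_ip_tcp" and endpoint.isdigit():
                ports.add(int(endpoint))
    return ports


def named_pipes(entries: List[Dict]) -> Set[str]:
    """Named-pipe endpoints reachable over SMB (139/445) instead of the dynamic ports."""
    return {ep for e in entries for t, _h, ep in e["bindings"] if t == "ncacn_np"}


def find_interface(entries: List[Dict], tag: str) -> List[Dict]:
    """Interfaces whose protocol label contains tag, e.g. 'MS-RPRN' or 'MS-SCMR'."""
    return [e for e in entries if e["protocol"] and tag in e["protocol"]]


if __name__ == "__main__":
    import sys  # usage: rpcdump.py @<target> | python3 rpc_endpoints.py
    text = SAMPLE_RPCDUMP if sys.stdin.isatty() else sys.stdin.read()
    parsed = parse_rpcdump(text)
    print("dynamic tcp ports:", sorted(tcp_ports(parsed)))
    print("named pipes:", sorted(named_pipes(parsed)))
    for e in find_interface(parsed, "MS-RPRN"):
        print("print spooler interface registered:", e["uuid"], "v" + str(e["version"]))
```

Interfaces that rpcdump.py cannot label come out with `protocol` set to None; keep their UUIDs, because an unlabelled interface is exactly the kind of thing worth looking up by hand. The named pipes explain why the SMB ports in the table above are listed as related: the same interfaces are usually reachable over 139/445 via ncacn_np as over the dynamic TCP ports.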