RPC (Remote Procedure Call)
Description
Remote Procedure Call allows a program on one machine to execute functions on another machine as if they were local. On Windows systems, RPC is a core communication technology used by many services, including Active Directory, file sharing, and system management components. Port 135 functions as the RPC Endpoint Mapper, which tells clients where specific RPC services are listening. Once the endpoint is identified, the actual communication may shift to dynamically assigned ports. RPC provides a flexible architecture, but improper configuration can expose systems to serious security risks.
Technical Details
- Primarily uses TCP and UDP port 135 for the Endpoint Mapper service.
- Actual RPC communication often occurs on dynamically assigned ports above 49152.
- Used heavily by Windows services, including DCOM, WMI, SMB, and Active Directory tools.
- Allows remote execution of predefined procedures using a client-server model.
- Can use authentication, encryption, and signing, depending on configuration.
How It Works
RPC begins when a client needs to execute a function on a remote server. The client first contacts the RPC Endpoint Mapper on port 135. The purpose of this request is to discover the port number associated with the specific RPC service the client wants to use.
When the server receives the request, it responds with the correct dynamic port number for the target service. This design allows many different RPC services to operate simultaneously without port conflicts. After receiving the port information, the client opens a new connection directly to that service.
Once connected, the client prepares a procedure call packet. This packet contains the function identifier, arguments, and metadata. The server unmarshals the packet, interprets the request, and executes the appropriate function.
After execution, the server sends back a response packet that includes the return value or an error code. RPC hides the complexity of remote communication by making remote calls appear like regular local function calls to the client application.
RPC implementations may use authentication to verify the identity of the client. This is especially important in Windows environments where services such as WMI and Active Directory rely on secure communication.
In some configurations, RPC can encrypt traffic to protect the confidentiality and integrity of transmitted data. Encryption strength depends on system policies, service settings, and Windows security configurations.
Many RPC services operate through DCOM, which is an extension that allows object-oriented remote communication. This expands RPC functionality to support complex distributed applications and enterprise network systems.
When the client completes all required remote calls, it closes the session. The server then releases any resources allocated for that session, including memory and temporary handles.
Because RPC relies on dynamic ports, the firewall must allow these high ports or must use port mapping rules. Misconfigured firewalls often block RPC unintentionally, causing remote tools and services to fail.
RPC is essential for system administration operations such as remote management, registry editing, event log retrieval, and file service coordination. Its flexibility makes it powerful but also increases the attack surface when not properly secured.
Security Considerations
RPC on port 135 is a common attack vector for scanning, exploitation, and lateral movement. Exposed Endpoint Mapper services reveal available RPC functionality, which assists attackers in identifying vulnerabilities. RPC-based worms such as the Blaster worm historically relied on port 135 attacks. Weak authentication allows unauthorized remote procedure execution. Applying firewall restrictions and enforcing secure authentication can significantly reduce risks.
Potential Abuse Cases
Attackers may exploit RPC vulnerabilities to gain remote code execution. RPC enumeration can reveal running services and internal network information. Compromised RPC services may be used for privilege escalation or disabling security controls. Malware can use RPC channels for command execution or remote payload delivery.
Detection Strategies
Monitoring port 135 traffic helps detect unauthorized scanning or enumeration. Endpoint Mapper logs can reveal suspicious access attempts. Intrusion detection systems may detect malformed RPC packets or exploit signatures. Behavioral monitoring on Windows systems can reveal unusual service requests or remote execution attempts.
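The port 135 monitoring described above can be sketched over connection logs. The following is an added example, not part of the original page: the log format, threshold, time window, and admin allowlist are assumptions, and the sample records are constructed. It flags a source that contacts the Endpoint Mapper on many hosts, and a non-admin source that follows a port 135 lookup with a connection to a dynamic port on the same host.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPMAP_PORT = 135                 # RPC Endpoint Mapper
DYNAMIC_MIN = 49152              # default start of the Windows dynamic port range
FANOUT_THRESHOLD = 3             # assumed: distinct hosts contacted on 135 before alerting
WINDOW = timedelta(seconds=60)   # assumed correlation window
ADMIN_HOSTS = {"10.0.0.5"}       # assumed allowlist of management hosts

# Constructed sample records, format assumed: "ISO-time src dst dst-port"
SAMPLE = """\
2024-01-01T10:00:00 10.0.0.5 10.0.1.10 135
2024-01-01T10:00:01 10.0.0.5 10.0.1.10 49670
2024-01-01T10:05:00 10.0.2.77 10.0.1.10 135
2024-01-01T10:05:02 10.0.2.77 10.0.1.11 135
2024-01-01T10:05:04 10.0.2.77 10.0.1.12 135
2024-01-01T10:05:10 10.0.2.77 10.0.1.12 49671
2024-01-01T10:30:00 10.0.3.9 10.0.1.10 49700
"""

def parse(text):
    """Yield (time, src, dst, dport) tuples from whitespace-separated records."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(dport)

def detect(text):
    alerts, epmap_seen = [], {}      # epmap_seen: (src, dst) -> last port-135 contact
    fanout = defaultdict(list)       # src -> [(time, dst)] of recent port-135 contacts
    scanners = set()                 # sources already reported for fan-out
    for ts, src, dst, dport in sorted(parse(text)):
        if dport == EPMAP_PORT:
            epmap_seen[(src, dst)] = ts
            # Keep only contacts inside the window, then count distinct targets.
            fanout[src] = [(t, d) for t, d in fanout[src] if ts - t <= WINDOW] + [(ts, dst)]
            if len({d for _, d in fanout[src]}) >= FANOUT_THRESHOLD and src not in scanners:
                scanners.add(src)
                alerts.append(("epmap_fanout", src, None))
        elif dport >= DYNAMIC_MIN and src not in ADMIN_HOSTS:
            # Endpoint lookup followed by a dynamic-port session from a non-admin host.
            last = epmap_seen.get((src, dst))
            if last is not None and ts - last <= WINDOW:
                alerts.append(("rpc_session_non_admin", src, dst))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```
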
Mitigation Techniques
Limiting exposure of port 135 through firewalls is highly recommended. Enforcing strong authentication prevents unauthorized RPC execution. Keeping Windows systems updated reduces vulnerability to RPC exploits. Disabling unnecessary RPC-dependent services minimizes attack surface. Network segmentation helps reduce propagation if an RPC-based attack occurs.