This is a list of all possible RPC calls to coerce authentications over various protocols.
This list will be triaged over time. Even though I automated most of the work and autogenerated a Python proof of concept for each call, it takes time to triage these 240+ RPC calls.
- [MC-IISA]: Internet Information Services (IIS) Application Host COM Protocol
  - Remote call to GetAdminSection (opnum 3)
  - Remote call to OnSectionChanges (opnum 3)
  - Remote call to GetAdminSection (opnum 6)
  - Remote call to AddLocation (opnum 5)
  - Remote call to GetConfigFile (opnum 3)
  - Remote call to GetUniqueConfigPath (opnum 4)
  - Remote call to MapPath (opnum 6)
  - Remote call to MapPath (opnum 3)
- [MC-MQAC]: Message Queuing (MSMQ): ActiveX Client Protocol
- [MS-BRWSA]: Common Internet File System (CIFS) Browser Auxiliary Protocol
- [MS-CMRP]: Failover Cluster: Management API (ClusAPI) Protocol
- [MS-COMA]: Component Object Model Plus (COM+) Remote Administration Protocol
- [MS-CSVP]: Failover Cluster: Setup and Validation Protocol (ClusPrep)
- [MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol
  - Remote call to NetrDfsManagerInitialize (opnum 14)
  - Remote call to NetrDfsAdd (opnum 1)
  - Remote call to NetrDfsRemove (opnum 2)
  - Remote call to NetrDfsSetInfo (opnum 3)
  - Remote call to NetrDfsGetInfo (opnum 4)
  - Remote call to NetrDfsMove (opnum 6)
  - Remote call to NetrDfsAddRootTarget (opnum 23)
  - Remote call to NetrDfsRemoveRootTarget (opnum 24)
  - Remote call to NetrDfsAdd2 (opnum 19)
  - Remote call to NetrDfsRemove2 (opnum 20)
  - Remote call to NetrDfsEnumEx (opnum 21)
  - Remote call to NetrDfsSetInfo2 (opnum 22)
  - Remote call to NetrDfsAddFtRoot (opnum 10)
  - Remote call to NetrDfsRemoveFtRoot (opnum 11)
  - Remote call to NetrDfsAddStdRoot (opnum 12)
  - Remote call to NetrDfsRemoveStdRoot (opnum 13)
  - Remote call to NetrDfsAddStdRootForced (opnum 15)
  - Remote call to NetrDfsGetDcAddress (opnum 16)
  - Remote call to NetrDfsSetDcAddress (opnum 17)
- [MS-DFSRH]: DFS Replication Helper Protocol
- [MS-DHCPM]: Microsoft Dynamic Host Configuration Protocol (DHCP) Server Management Protocol
- [MS-DMRP]: Disk Management Remote Protocol
  - Remote call to IVolumeClient::CreatePartitionAssignAndFormatEx (opnum 7)
  - Remote call to IVolumeClient::CreateVolumeAssignAndFormatEx (opnum 32)
  - Remote call to IVolumeClient::AddAccessPath (opnum 80)
  - Remote call to IVolumeClient::DeleteAccessPath (opnum 81)
  - Remote call to IVolumeClient3::CreatePartitionAssignAndFormatEx (opnum 7)
  - Remote call to IVolumeClient3::CreateVolumeAssignAndFormatEx (opnum 31)
  - Remote call to IVolumeClient3::AddAccessPath (opnum 77)
  - Remote call to IVolumeClient3::DeleteAccessPath (opnum 78)
- [MS-DNSP]: Domain Name Service (DNS) Server Management Protocol
  - Remote call to R_DnssrvOperation (opnum 0)
  - Remote call to R_DnssrvQuery (opnum 1)
  - Remote call to R_DnssrvComplexOperation (opnum 2)
  - Remote call to R_DnssrvEnumRecords (opnum 3)
  - Remote call to R_DnssrvUpdateRecord (opnum 4)
  - Remote call to R_DnssrvOperation2 (opnum 5)
  - Remote call to R_DnssrvQuery2 (opnum 6)
  - Remote call to R_DnssrvComplexOperation2 (opnum 7)
  - Remote call to R_DnssrvEnumRecords2 (opnum 8)
  - Remote call to R_DnssrvUpdateRecord2 (opnum 9)
  - Remote call to R_DnssrvUpdateRecord3 (opnum 10)
  - Remote call to R_DnssrvEnumRecords3 (opnum 11)
  - Remote call to R_DnssrvOperation3 (opnum 12)
  - Remote call to R_DnssrvQuery3 (opnum 13)
  - Remote call to R_DnssrvComplexOperation3 (opnum 14)
  - Remote call to R_DnssrvOperation4 (opnum 15)
  - Remote call to R_DnssrvQuery4 (opnum 16)
  - Remote call to R_DnssrvUpdateRecord4 (opnum 17)
  - Remote call to R_DnssrvEnumRecords4 (opnum 18)
- [MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol
  - Remote call to EfsRpcOpenFileRaw (opnum 0)
  - Remote call to EfsRpcEncryptFileSrv (opnum 4)
  - Remote call to EfsRpcDecryptFileSrv (opnum 5)
  - Remote call to EfsRpcQueryUsersOnFile (opnum 6)
  - Remote call to EfsRpcQueryRecoveryAgents (opnum 7)
  - Remote call to EfsRpcRemoveUsersFromFile (opnum 8)
  - Remote call to EfsRpcAddUsersToFile (opnum 9)
  - Remote call to EfsRpcNotSupported (opnum 11)
  - Remote call to EfsRpcFileKeyInfo (opnum 12)
  - Remote call to EfsRpcDuplicateEncryptionInfoFile (opnum 13)
  - Remote call to EfsRpcAddUsersToFileEx (opnum 15)
  - Remote call to EfsRpcFileKeyInfoEx (opnum 16)
  - Remote call to EfsRpcGetEncryptedFileMetadata (opnum 18)
  - Remote call to EfsRpcSetEncryptedFileMetadata (opnum 19)
  - Remote call to EfsRpcFlushEfsCache (opnum 20)
  - Remote call to EfsRpcEncryptFileExSrv (opnum 21)
  - Remote call to EfsRpcQueryProtectors (opnum 22)
- [MS-EVEN]: EventLog Remoting Protocol
  - Remote call to ElfrOpenBELW (opnum 9)
  - Remote call to ElfrOpenBELA (opnum 16)
  - Remote call to ElfrOpenELW (opnum 7)
  - Remote call to ElfrOpenELA (opnum 14)
  - Remote call to ElfrRegisterEventSourceW (opnum 8)
  - Remote call to ElfrRegisterEventSourceA (opnum 15)
  - Remote call to ElfrClearELFW (opnum 0)
  - Remote call to ElfrClearELFA (opnum 12)
  - Remote call to ElfrBackupELFW (opnum 1)
  - Remote call to ElfrBackupELFA (opnum 13)
- [MS-FAX]: Fax Server and Client Remote Protocol
- [MS-FSRVP]: File Server Remote VSS Protocol
- [MS-IMSA]: Internet Information Services (IIS) IMSAdminBaseW Remote Protocol
  - Remote call to OpenKey (opnum 17)
  - Remote call to AddKey (opnum 3)
  - Remote call to CopyKey (opnum 7)
  - Remote call to DeleteKey (opnum 4)
  - Remote call to DeleteChildKeys (opnum 5)
  - Remote call to DeleteData (opnum 11)
  - Remote call to DeleteAllData (opnum 14)
  - Remote call to CopyData (opnum 15)
  - Remote call to EnumKeys (opnum 6)
  - Remote call to R_EnumData (opnum 12)
  - Remote call to GetDataPaths (opnum 16)
  - Remote call to GetDataSetNumber (opnum 23)
  - Remote call to GetLastChangeTime (opnum 25)
  - Remote call to R_GetAllData (opnum 13)
  - Remote call to R_GetData (opnum 10)
  - Remote call to R_SetData (opnum 9)
  - Remote call to RenameKey (opnum 8)
  - Remote call to SetLastChangeTime (opnum 24)
  - Remote call to Export (opnum 36)
  - Remote call to Import (opnum 37)
  - Remote call to GetChildPaths (opnum 40)
  - Remote call to AppCreate (opnum 3)
  - Remote call to AppDelete (opnum 4)
  - Remote call to AppUnLoad (opnum 5)
  - Remote call to AppGetStatus (opnum 6)
  - Remote call to AppDeleteRecoverable (opnum 7)
  - Remote call to AppRecover (opnum 8)
  - Remote call to AppCreate2 (opnum 9)
  - Remote call to CreateApplication (opnum 3)
  - Remote call to DeleteApplication (opnum 4)
- [MS-MQMP]: Message Queuing (MSMQ): Queue Manager Client Protocol
- [MS-MQRR]: Message Queuing (MSMQ): Queue Manager Remote Read Protocol
- [MS-NRPC]: Netlogon Remote Protocol
  - Remote call to NetrGetDCName (opnum 11)
  - Remote call to NetrGetAnyDCName (opnum 13)
  - Remote call to DsrGetDcSiteCoverageW (opnum 38)
  - Remote call to DsrDeregisterDnsHostRecords (opnum 41)
  - Remote call to DsrUpdateReadOnlyServerDnsRecords (opnum 48)
  - Remote call to NetrLogonGetDomainInfo (opnum 29)
  - Remote call to NetrLogonGetCapabilities (opnum 21)
  - Remote call to NetrChainSetClientAttributes (opnum 49)
  - Remote call to DsrEnumerateDomainTrusts (opnum 40)
  - Remote call to NetrEnumerateTrustedDomainsEx (opnum 36)
  - Remote call to NetrEnumerateTrustedDomains (opnum 19)
  - Remote call to NetrGetForestTrustInformation (opnum 44)
  - Remote call to DsrGetForestTrustInformation (opnum 43)
  - Remote call to NetrLogonGetTrustRid (opnum 23)
  - Remote call to NetrLogonComputeServerDigest (opnum 24)
  - Remote call to NetrLogonComputeClientDigest (opnum 25)
  - Remote call to NetrLogonSetServiceBits (opnum 22)
  - Remote call to NetrLogonGetTimeServiceParentDomain (opnum 35)
  - Remote call to NetrLogonControl2Ex (opnum 18)
  - Remote call to NetrLogonControl2 (opnum 14)
  - Remote call to NetrLogonControl (opnum 12)
  - Remote call to NetrLogonUasLogon (opnum 0)
  - Remote call to NetrLogonUasLogoff (opnum 1)
- [MS-PAR]: Print System Asynchronous Remote Protocol
- [MS-PLA]: Performance Logs and Alerts Protocol
- [MS-RAIW]: Remote Administrative Interface: WINS
- [MS-RPRN]: Print System Remote Protocol
- [MS-RRASM]: Routing and Remote Access Server (RRAS) Management Protocol
- [MS-RRP]: Windows Remote Registry Protocol
  - Remote call to OpenClassesRoot (opnum 0)
  - Remote call to OpenCurrentUser (opnum 1)
  - Remote call to OpenLocalMachine (opnum 2)
  - Remote call to OpenPerformanceData (opnum 3)
  - Remote call to OpenUsers (opnum 4)
  - Remote call to OpenCurrentConfig (opnum 27)
  - Remote call to OpenPerformanceText (opnum 32)
  - Remote call to OpenPerformanceNlsText (opnum 33)
- [MS-SAMR]: Security Account Manager (SAM) Remote Protocol (Client-to-Server)
- [MS-SRVS]: Server Service Remote Protocol
  - Remote call to NetrConnectionEnum (opnum 8)
  - Remote call to NetrFileEnum (opnum 9)
  - Remote call to NetrFileGetInfo (opnum 10)
  - Remote call to NetrFileClose (opnum 11)
  - Remote call to NetrSessionEnum (opnum 12)
  - Remote call to NetrSessionDel (opnum 13)
  - Remote call to NetrShareAdd (opnum 14)
  - Remote call to NetrShareEnum (opnum 15)
  - Remote call to NetrShareEnumSticky (opnum 36)
  - Remote call to NetrShareGetInfo (opnum 16)
  - Remote call to NetrShareSetInfo (opnum 17)
  - Remote call to NetrShareDel (opnum 18)
  - Remote call to NetrShareDelSticky (opnum 19)
  - Remote call to NetrShareDelStart (opnum 37)
  - Remote call to NetrShareCheck (opnum 20)
  - Remote call to NetrServerGetInfo (opnum 21)
  - Remote call to NetrServerSetInfo (opnum 22)
  - Remote call to NetrServerDiskEnum (opnum 23)
  - Remote call to NetrServerStatisticsGet (opnum 24)
  - Remote call to NetrRemoteTOD (opnum 28)
  - Remote call to NetrServerTransportAdd (opnum 25)
  - Remote call to NetrServerTransportAddEx (opnum 41)
  - Remote call to NetrServerTransportEnum (opnum 26)
  - Remote call to NetrServerTransportDel (opnum 27)
  - Remote call to NetrServerTransportDelEx (opnum 53)
  - Remote call to NetrpGetFileSecurity (opnum 39)
  - Remote call to NetrpSetFileSecurity (opnum 40)
  - Remote call to NetprPathType (opnum 30)
  - Remote call to NetprPathCanonicalize (opnum 31)
  - Remote call to NetprPathCompare (opnum 32)
  - Remote call to NetprNameValidate (opnum 33)
  - Remote call to NetprNameCanonicalize (opnum 34)
  - Remote call to NetprNameCompare (opnum 35)
  - Remote call to NetrDfsGetVersion (opnum 43)
  - Remote call to NetrDfsCreateLocalPartition (opnum 44)
  - Remote call to NetrDfsDeleteLocalPartition (opnum 45)
  - Remote call to NetrDfsSetLocalVolumeState (opnum 46)
  - Remote call to NetrDfsCreateExitPoint (opnum 48)
  - Remote call to NetrDfsModifyPrefix (opnum 50)
  - Remote call to NetrDfsDeleteExitPoint (opnum 49)
  - Remote call to NetrDfsFixLocalVolume (opnum 51)
  - Remote call to NetrDfsManagerReportSiteInfo (opnum 52)
  - Remote call to NetrServerAliasEnum (opnum 55)
  - Remote call to NetrServerAliasDel (opnum 56)
  - Remote call to NetrShareDelEx (opnum 57)
- [MS-SWN]: Service Witness Protocol
- [MS-TSCH]: Task Scheduler Service Remoting Protocol
- [MS-UAMG]: Update Agent Management Protocol
- [MS-VDS]: Virtual Disk Service (VDS) Protocol
- [MS-WMI]: Windows Management Instrumentation Remote Protocol
- [MS-WSRM]: Windows System Resource Manager (WSRM) Protocol