MSRPC (135)

If it just show this port, go digging deep into it.

# ncacn_ip_tcp
# locate rpcmap.py |grep example

rpcmap.py 'ncacn_ip_tcp:<windows ip>'
rpcmap.py 'ncacn_ip_tcp:$IP'


# lazy time --> it will show some uuids
rpcmap.py 'ncacn_ip_tcp:$IP' -brute-uuids -brute-opnums -auth-level 1 -opnum-max 5

copy the uuid to the google which opnum <number> used for.

you could search for the dll file

Traditional Way

rpcclient -U ' ' $IP
# enter the blank password


# ------- once you get login -----

enumdomusers
# --> build a user wordlist

querydispinfo