HIGH: Accessible MS-RPC Services Report

DESCRIPTION LAST UPDATED: 2025-01-09

DEFAULT SECURITY LEVEL: HIGH

This report identifies hosts that have Microsoft RPC services running. This includes the MS-RPC Endpoint Mapper service running on port 135/TCP, but also other services directly accessible on ports 49664/TCP to 49670/TCP as well as 49152/TCP.

This is a security risk if left open to the Internet and may result in a compromise of the host exposing the service or information disclosure.

It is recommended to keep these ports firewalled from the public Internet.

You can view MS-RPC scan results on our Dashboard here.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

Filename: scan_msrpc

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol (TCP)
  • port
    Port scanned (135/TCP)
  • hostname
    Reverse DNS name of the device in question
  • tag
    This will always be msrpc
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • sector
    Sector of the device in question
  • version
    The [major].[minor] version of the MSRPC protocol
  • packet_type
    The human readable packet type received (usually "Bind_ack")
  • packet_type_value
    Numeric representation of the packet that was received (usually "12")
  • packet_flags
    The flags of the packet
  • data_representation
    Hex version of the packet setup
  • fragment_length
    The length of the fragment received
  • auth_length
    Length of the authentication field
  • call_id
    Call ID
  • max_transmit
    Maximum Transmit Fragment Size
  • max_receive
    Maximum Receive Fragment Size
  • association_group
    Association Group
  • raw_response
    Raw packet as it was received by the scan node (sans headers)

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","version","packet_type","packet_type_value","packet_flags","data_representation","fragment_length","auth_length","call_id","max_transmit","max_receive","association_group","raw_response"
"2010-02-10 00:00:00",high,192.168.0.1,tcp,135,node01.example.com,msrpc,64512,ZZ,Region,City,0,,Information,5.0,Bind_ack,12,0x03,10000000,60,0,1,5840,5840,0x00003e24,NzI6QTE6RDU6ODc6QTc6MDM6OEM6NTk6RDc6QUM6Mzc6QTA6NTc6NDM6NTE6MUM6M0Y6Mzc6MjI6NjY6QjA6NzA6NTQ6RUQ6MjY6Q0Q6QzU6OUI6MzY6RkQ6Njk6QTM=
"2010-02-10 00:00:01",high,192.168.0.2,tcp,135,node02.example.com,msrpc,64512,ZZ,Region,City,0,,"NIC, Registry, and Registrars",5.0,Bind_ack,12,0x03,10000000,60,0,1,5840,5840,0x00033ba8,NzI6QTE6RDU6ODc6QTc6MDM6OEM6NTk6RDc6QUM6Mzc6QTA6NTc6NDM6NTE6MUM6M0Y6Mzc6MjI6NjY6QjA6NzA6NTQ6RUQ6MjY6Q0Q6QzU6OUI6MzY6RkQ6Njk6QTM=
"2010-02-10 00:00:02",high,192.168.0.3,tcp,135,node03.example.com,msrpc,64512,ZZ,Region,City,0,,"NIC, Registry, and Registrars",5.0,Bind_ack,12,0x03,10000000,60,0,1,5840,5840,0x0004dd86,NzI6QTE6RDU6ODc6QTc6MDM6OEM6NTk6RDc6QUM6Mzc6QTA6NTc6NDM6NTE6MUM6M0Y6Mzc6MjI6NjY6QjA6NzA6NTQ6RUQ6MjY6Q0Q6QzU6OUI6MzY6RkQ6Njk6QTM=

Our 132 Report Types

« Back to Network Reporting