logo

Port 135 – Microsoft RPC Endpoint Mapper

Service:

RPC Endpoint Mapper ,
rpcss

Protocol:

TCP

Port:

135

Used for:

Mapping DCOM/RPC services to dynamic ports

Why It’s Open

Port 135 is used by Windows for Remote Procedure Calls (RPC). It helps map other services (like DCOM, WMI, and NetLogon) to dynamic ports.

Common Risks

  • WannaCry & EternalBlue Precursor: RPC plays a role in various Microsoft exploits.
  • DCOM Lateral Movement: Used in remote WMI and DCOM attacks.
  • RPC Enumeration: Attackers can discover running services and interfaces.

Want to save time on reporting?

Let PentestPad generate, track, and export your reports - automatically.

logo-cta

Enumeration & Testing

Nmap enumeration

Terminal window
nmap -p 135 --script msrpc-enum

**Use **rpcdump

Terminal window
rpcdump.py

Or with Metasploit

Terminal window
use auxiliary/scanner/dcerpc/endpoint_mapper

Known Exploits

  1. CVE-2017-0143 A remote code execution vulnerability exists in the way that the Windows Server Message Block 1.0 (SMBv1) server handles certain requests. This vulnerability is part of the EternalBlue exploit.

🔗 NVD Entry

🔗 Microsoft Advisory

  1. CVE-2003-0352 Buffer overflow in the RPCSS service in Microsoft Windows allows remote attackers to execute arbitrary code via a malformed message - Blaster Worm

🔗 NVD Entry

🔗 Microsoft Advisory

  1. CVE-2021-26855 Exchange ProxyLogon: Port 135 used in lateral movement & RPC enumeration

Tools & Tactics

  • Use rpcclient from Samba suite (especially with creds)
  • Monitor for WMI, DCOM, and PowerShell remoting behavior over 135
  • For Windows: Get-WmiObject -Class Win32_Service -ComputerName <target>

What to Look For

CheckpointWhat it means
Open on workstationsCan be used for lateral movement
Dynamic port mappingMight indicate multiple exposed services

Mitigation

  • Limit RPC usage to trusted networks.
  • Use host-based firewalls to control exposure.
  • Harden WMI, DCOM, and disable remote access when not needed.

Real-World Example

Many malware families use 135 as part of their internal network spread, often preceding payloads delivered through SMB (445).

TL;DR

  • Service: MS RPC Endpoint Mapper
  • Default Port: 135/TCP
  • Risks: Remote code execution, DCOM lateral movement, endpoint enumeration
  • Mitigation: Limit exposure, restrict firewall rules, disable DCOM if unused, keep patched