Open port 135: Remote Procedure Call (RPC)
What this means
RPC (Remote Procedure Call) is a request-response protocol that allow remote communication between systems and the execution of commands on a remote system.
RPC is commonly used for network-based services, particularly in Windows environments (e.g., SMB, DCOM) and Linux systems (e.g., NFS, rstatd).
If an RPC port is open and unprotected, attackers can exploit it to remotely execute commands, steal data, or move laterally within a network.
Why this is a problem
An open RPC port means that the service is accessible from the internet or an internal network without proper security controls.
If RPC is not secured or misconfigured, it can lead to:
- unauthorised access to system resources
- Remote Code Execution (RCE) via vulnerable RPC endpoints
- Denial-of-Service (DoS) attacks by overwhelming the service
- lateral movement where an attacker gains access to one system and spreads across the network
How to check if the problem is there
Check open RPC ports
Run the following command to check if RPC ports are open:
Windows (Command Prompt):
netstat -an | find ":135"
Linux/Mac (Terminal):
sudo netstat -tulnp | grep ":135"
How to fix this
To mitigate attacks against RPC, an administrator can take the following steps to block access or reduce the attack surface.
Restrict network access
To restrict network access, carry out the following:
- remove any inbound firewall or port forwarding rules allowing port 135
- configure firewall rules to allow connections only from trusted IP addresses.
- disable the services if not required
Enable authentication and encryption
To enable authentication and encryption, carry out the following:
- use Kerberos or NTLM authentication for RPC services
- enforce RPC Packet Privacy (encrypted RPC traffic)
Regularly monitor logs
Regularly monitor your event logs and consider using SIEM tools to detect anomalies.