Port 135 (TCP) – MSRPC Endpoint Mapper

Microsoft RPC endpoint mapper — directs clients to dynamic RPC service ports on Windows.

tcp | Well-known | Commonly attacked

Default state

Open on virtually all Windows hosts and domain controllers. Should be firewalled from untrusted networks.

Common attacks

  • Endpoint mapper enumeration of RPC services
  • PetitPotam / authentication coercion via MS-EFSRPC
  • DCOM-based NTLM relay vectors
  • Remote service and task enumeration

Hardening

  • Block 135 and the dynamic RPC range from untrusted networks
  • Patch coercion vulnerabilities (PetitPotam, PrinterBug)
  • Enforce SMB signing and LDAP channel binding to break relays
  • Disable unneeded RPC services (Spooler on DCs)
  • Restrict the dynamic RPC port range and firewall it

nmap snippet

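nmap -p135,445 --script msrpc-enum <target>

Replace <target> with the host or range you're authorized to scan. The msrpc-enum script queries the endpoint mapper over SMB, so port 445 (or 139) must be included in the scan for the script to run.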

What runs on port 135?

Port 135 is the Microsoft RPC (MSRPC) endpoint mapper, also called the DCE/RPC locator. When a client wants to talk to a Windows RPC service — DCOM, WMI, the task scheduler, the print spooler, or directory replication — it first asks the endpoint mapper on 135 which dynamic high port that service is currently using, then connects there. It is a foundational piece of Windows networking and is present on essentially every domain-joined host.

Why it matters for security

Because the endpoint mapper advertises the RPC services a host exposes, port 135 is a rich enumeration target that reveals attack surface. More importantly, several RPC interfaces can be abused to coerce authentication: an attacker triggers the victim into making an authenticated connection back to an attacker host, where the credentials are relayed to LDAP or AD CS to escalate privileges — the basis of PetitPotam-style attacks.

How it's attacked

Tools enumerate the endpoint mapper to map RPC services and locate vulnerable interfaces. PetitPotam abuses MS-EFSRPC and the PrinterBug abuses the print spooler to force a domain controller to authenticate to an attacker, who relays that NTLM authentication to a privileged service. DCOM interfaces provide additional coercion and lateral-movement vectors.
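
On the defensive side, the coercion pattern described above leaves a trace in flow logs: a peer makes an inbound RPC connection to a domain controller, and the controller then opens an outbound connection back to that same peer. The following is an added example, not part of the original page. The flow records, addresses, 30-second window, and the choice of 445/80 as callback ports are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed flow records (not from a real network): time, src, dst, dst_port.
DC = "10.0.0.10"
FLOWS = [
    ("2024-05-01T10:00:00", "10.0.5.23", DC, 135),     # endpoint mapper query
    ("2024-05-01T10:00:01", "10.0.5.23", DC, 49668),   # dynamic RPC port
    ("2024-05-01T10:00:03", DC, "10.0.5.23", 445),     # DC calls back over SMB
    ("2024-05-01T10:05:00", "10.0.1.20", DC, 135),     # admin host, no callback
    ("2024-05-01T10:05:02", "10.0.1.20", DC, 49670),
    ("2024-05-01T11:00:00", DC, "10.0.0.11", 445),     # DC to peer, no prior RPC
    ("2024-05-01T12:00:00", "10.0.7.7", DC, 135),
    ("2024-05-01T12:10:00", DC, "10.0.7.7", 445),      # callback outside window
]

RPC_DYNAMIC = range(49152, 65536)   # Windows default dynamic port range
CALLBACK_PORTS = {445, 80}          # assumption: SMB or WebDAV callback
WINDOW = timedelta(seconds=30)      # assumption: tune for your environment


def is_rpc(port):
    """True for the endpoint mapper or a port in the dynamic RPC range."""
    return port == 135 or port in RPC_DYNAMIC


def find_coercion_candidates(flows, protected_hosts, window=WINDOW):
    """Return (host, peer, rpc_time, callback_time) for every outbound
    callback from a protected host to a peer that made an inbound RPC
    connection to it within `window` beforehand."""
    last_rpc = {}   # (protected_host, peer) -> time of latest inbound RPC
    hits = []
    for ts, src, dst, port in sorted(flows):   # ISO timestamps sort by time
        t = datetime.fromisoformat(ts)
        if dst in protected_hosts and is_rpc(port):
            last_rpc[(dst, src)] = t
        elif src in protected_hosts and port in CALLBACK_PORTS:
            seen = last_rpc.get((src, dst))
            if seen is not None and t - seen <= window:
                hits.append((src, dst, seen.isoformat(), ts))
    return hits


if __name__ == "__main__":
    for hit in find_coercion_candidates(FLOWS, {DC}):
        print("possible coerced authentication:", hit)
```

Legitimate management traffic can match this pattern, so treat hits as leads to check against an allowlist of known servers rather than as confirmed relays.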

Hardening checklist

Firewall port 135 and the dynamic RPC range from untrusted and client networks. Patch coercion bugs (PetitPotam, PrinterBug) and disable the print spooler on domain controllers. Break relay chains by enforcing SMB signing, LDAP channel binding, and Extended Protection for Authentication. Constrain the dynamic RPC port range so it can be tightly firewalled. Use the nmap script above to enumerate RPC services on hosts you are authorized to test.

Frequently asked questions

What is port 135 used for?
Port 135 is the Microsoft RPC endpoint mapper. Clients query it to discover which dynamic port a given RPC service (DCOM, WMI, scheduled tasks, etc.) is listening on.

Why is port 135 a security risk?
It exposes the RPC service landscape for enumeration and is the entry point for authentication-coercion attacks like PetitPotam that force a host to relay its credentials.