                           cDc communications

                         Remote Procedure Call
                             by Sir Dystic

A commonly overlooked area of security is Remote Procedure Call, possibly
because most people don't understand anything about it. RPCDUMP is a program
which provides console access to the RPC APIs in Windows. To use it, some base
understanding of the different pieces necessary to create an RPC connection is
required. Microsoft provides plenty of information about RPC.

c:\>rpcdump -?
rpcdump v0.92 - Questions, comments, bitches, and bugs to sd@cultdeadcow.com

rpcdump [options] commands

commands:
   STAT  - Get stats
   AUTH  - Authenticate
   IAUTH - Inquire auth info
   STOP  - Stop server listening
   NAME  - Get principle name
   VECS  - Get vectors
   ENUM  - Enumerate endpoints

options:
   [-p protocol] [-u UUID] [-n netadr] [-e endpoint] [-o options]
   [-s user] [-a password] [-d domain] [-i server principal name]
   [-v auth service] [-l auth level]                   (used with AUTH)

Valid protocols and their endpoints are:
   ncacn_nb_tcp*  - Connection-oriented NetBIOS over TCP     - 0-255
   ncacn_nb_ipx*  - Connection-oriented NetBIOS over IPX     - 0-255
   ncacn_nb_nb    - Connection-oriented NetBIOS over NetBEUI - 0-255
   ncacn_ip_tcp   - Connection-oriented TCP/IP (default)     - Port#
   ncacn_np@      - Connection-oriented named pipes          - \\pipe\pipename
   ncacn_spx      - Connection-oriented SPX                  - 1-65535
   ncacn_vns_spp* - Vines SPP transport                      - Port# 250-511
   ncadg_ip_udp*@ - Datagram (connectionless) UDP/IP         - Port#
   ncadg_ipx*@    - Datagram (connectionless) IPX            - 1-65535
   ncalrpc@       - Local procedure call                     - App/Service name
   (* May only be available under NT)
   (@ The 'Security' option is available, but only under NT)

The netadr for different protocols is specified as:
   For _nb_ protocols  - Windows machine name            - myserver
   For _ip_ protocols  - IP address or host name         - 12.34.56.78  hostname
   For _np protocol    - NT server name (\\ optional)    - myhost  \\somehost
   For _spx/_ipx prot  - IPX inet adr or NT server name  - ~0000000108002B30612C
   For _vns_ protocol  - StreetTalk name item@group@org  - print@docs@cdc
   For ncalrpc         - Machine name                    - mymachine

The Security option is specified in the form:
   Security=id type bool

   Values for id:
      Anonymous      - The client is anonymous to the server
      Identification - The server has information about the client but cannot
                       impersonate
      Impersonation  - The server is the client on the client's behalf
   Values for type:
      Dynamic - A pointer to the security token is maintained.
      Static  - Security settings associated with the endpoint represent a copy
                of the security information at the time the endpoint was
                created. The settings do not change.
   Values for bool:
      True  - Effective = TRUE; only Windows NT security settings set to ON are
              included in the token.
      False - Effective = FALSE; all Windows NT security settings, including
              those set to OFF, are included in the token.

The minimum info necessary to perform something like ENUM (enumerate remote
endpoints) is a network address, the format of which depends on the protocol
you are using. The default protocol is ncacn_ip_tcp, a TCP connection to a port
(default 135, where the endpoint mapper listens); the address would be the
machine name or IP address. ENUM needs no credentials: the endpoint mapper
answers lookups anonymously, which is why it works against any host that has
port 135 reachable. Your RPC system may support even more protocols than are
listed in the help.

The information produced by rpcdump may or may not actually be useful. One
thing missing is the ability to actually connect to the endpoints and exchange
data. Doing this usually requires knowing all the information about the
endpoint at compile time, and I'm looking at ways to do this dynamically.
However, just with the functionality included, many servers (especially web
servers on the internet) dump a ton of information, often including all the
virtual IPs that server is handling.

--------------------------------------------------
Get source here.
--------------------------------------------------

Here is some more information about the specific pieces that make up an RPC
connection. Much of this text is copyrighted by Microsoft:

Protocol Sequence

Specifies a character string that represents a valid combination of an RPC
protocol (such as "ncacn"), a transport protocol (such as "tcp"), and a network
protocol (such as "ip"). Microsoft RPC supports the following protocol
sequences:

Protocol sequence  Description                            Supporting platforms
-----------------  -------------------------------------  --------------------------------------------
ncacn_nb_tcp       Connection-oriented NetBIOS over TCP   client only: MS-DOS, Windows 3.x
                                                          client and server: Windows NT
ncacn_nb_ipx       Connection-oriented NetBIOS over IPX   client only: MS-DOS, Windows 3.x
                                                          client and server: Windows NT
ncacn_nb_nb        Connection-oriented NetBEUI            client only: MS-DOS, Windows 3.x
                                                          client and server: Windows NT, Windows 95
ncacn_ip_tcp       Connection-oriented TCP/IP             client only: MS-DOS, Windows 3.x, and
                                                          Apple Macintosh
                                                          client and server: Windows 95 and Windows NT
ncacn_np           Connection-oriented named pipes        client only: MS-DOS, Windows 3.x, Windows 95
                                                          client and server: Windows NT
ncacn_spx          Connection-oriented SPX                client only: MS-DOS, Windows 3.x
                                                          client and server: Windows NT, Windows 95
ncacn_dnet_nsp     Connection-oriented DECnet transport   client only: MS-DOS, Windows 3.x
ncacn_at_dsp       AppleTalk DSP                          client: Apple Macintosh
                                                          server: Windows NT
ncacn_vns_spp      Connection-oriented Vines SPP          client only: MS-DOS, Windows 3.x
                   transport                              client and server: Windows NT
ncadg_ip_udp       Datagram (connectionless) UDP/IP       client only: MS-DOS, Windows 3.x
                                                          client and server: Windows NT
ncadg_ipx          Datagram (connectionless) IPX          client only: MS-DOS, Windows 3.x
                                                          client and server: Windows NT
ncalrpc            Local procedure call                   client and server: Windows NT and Windows 95

NetworkAddress

Specifies the network address of the system to receive remote procedure calls.
The format and content of the network address depend on the specified protocol
sequence as follows:

Protocol sequence  Network address                              Examples
-----------------  -------------------------------------------  ------------------------------
ncacn_nb_tcp       Windows NT machine name                      myserver
ncacn_nb_ipx       Windows NT machine name                      myserver
ncacn_nb_nb        Windows NT or Windows 95 machine name        myserver
ncacn_ip_tcp       four-octet internet address, or host name    128.10.2.30
                                                                anynode.microsoft.com
ncacn_np           Windows NT server name (leading double       \\myotherserver
                   backslashes are optional)                    myserver
ncacn_spx          IPX internet address, or Windows NT          ~0000000108002B30612C
                   server name                                  myserver
ncacn_dnet_nsp     Area and node syntax                         4.120
ncacn_at_dsp       Windows NT machine name, optionally          servername@zonename
                   followed by @ and the AppleTalk zone name.   servername
                   Defaults to @*, the client's zone, if no
                   zone is provided
ncacn_vns_spp      StreetTalk server name of the form           printserver@sdkdocs@microsoft
                   item@group@organization
ncadg_ip_udp       four-octet internet address, or host name    128.10.2.30
                                                                anynode.microsoft.com
ncadg_ipx          IPX internet address, or Windows NT          ~0000000108002B30612C
                   server name                                  myserver
ncalrpc            Machine name                                 thismachine

The network-address field is optional. When you do not specify a network
address, the string binding refers to your local host. It is possible to
specify the name of the local machine when you use the ncalrpc protocol
sequence, but doing so is completely unnecessary.

Endpoint

Specifies the endpoint, or address, of the process to receive remote procedure
calls. An endpoint can be preceded by the keyword endpoint=. Specifying the
endpoint is optional if the server has registered its bindings with the
endpoint mapper. See RpcEpRegister. The format and content of an endpoint
depend on the specified protocol sequence as shown in the Endpoint/Option
Table, below.

Option

Specifies protocol-specific options. The option field is not required. Each
option is specified by a {name, value} pair that uses the syntax
option name=option value.
Options are defined for each protocol sequence as shown in the Endpoint/Option
Table, below.

Protocol sequence  Endpoint                                   Examples             Option name
-----------------  -----------------------------------------  -------------------  ------------------
ncacn_nb_tcp       Integer between 0 and 255. Many values     100                  None
                   between 0 and 32 are reserved by
                   Microsoft.
ncacn_nb_ipx       (as above)                                 (as above)           None
ncacn_nb_nb        (as above)                                 (as above)           None
ncacn_ip_tcp       Internet port number                       1025                 None
ncacn_np           Windows NT named pipe. Name must start     \\pipe\\pipename     Security
                   with "\\pipe".                                                  (NT only)
ncacn_spx          Integer between 1 and 65535.               5000                 None
ncacn_dnet_nsp     DECnet phase IV object number (must be     #17                  None
                   preceded by the # character), or object    mailserver
                   name
ncacn_at_dsp       A character string, up to 22 bytes long    myservicesendpoint   None
ncacn_vns_spp      Vines SPP port number between 250 and 511  500                  None
ncadg_ip_udp       Internet port number                       1025                 Security
                                                                                   (32-bit only)
ncadg_ipx          Integer between 1 and 65535.               5000                 Security
                                                                                   (32-bit only)
ncalrpc            String specifying application or service   my_printer           Security
                   name. The string cannot include any                             (NT only)
                   backslash characters.

The Security option name, supported for the ncalrpc, ncacn_np, ncadg_ip_udp,
and ncadg_ipx protocol sequences, takes the following option values:

Option name  Option value
-----------  ----------------------------------------------------------------------
Security     {identification | anonymous | impersonation} {dynamic | static} {true | false}

If the Security option name is specified, one entry from each of the sets of
Security option values must also be supplied. The option values must be
separated by a single-space character. For example, the following Option
fields are valid:

   Security=identification dynamic true
   Security=impersonation static true

The Security option values have the following meanings:

Security option value  Description
---------------------  -------------------------------------------------------------
Anonymous              The client is anonymous to the server.
Dynamic                A pointer to the security token is maintained. Security
                       settings represent current settings and include changes
                       made after the endpoint was created.
False                  Effective = FALSE; all Windows NT security settings,
                       including those set to OFF, are included in the token.
Identification         The server has information about the client but cannot
                       impersonate.
Impersonation          The server is the client on the client's behalf.
Static                 Security settings associated with the endpoint represent a
                       copy of the security information at the time the endpoint
                       was created. The settings do not change.
True                   Effective = TRUE; only Windows NT security settings set to
                       ON are included in the token.

For more information about Microsoft Windows NT security options, see your
Microsoft Windows NT programming documentation.

Remarks

The string binding is an unsigned character string composed of strings that
represent the binding object UUID, the RPC protocol sequence, the network
address, and the endpoint and endpoint options. White space is not allowed in
string bindings except where required by the Option syntax. Default settings
for the NetworkAddress, Endpoint, and Option fields vary according to the value
of the ProtocolSequence field.

For all string-binding fields, a single backslash character (\) is interpreted
as an escape character. To specify a single literal backslash character, you
must supply two backslash characters (\\).

The following are examples of valid string bindings. In these examples,
obj-uuid is used for convenience to represent a valid UUID in string form.
Instead of showing the UUID 308FB580-1EB2-11CA-923B-08002B1075A7, the examples
show obj-uuid.
   obj-uuid@ncacn_ip_tcp:16.20.16.27[2001]
   obj-uuid@ncacn_ip_tcp:16.20.16.27[endpoint=2001]
   obj-uuid@ncacn_nb_nb:
   obj-uuid@ncacn_nb_nb:[100]
   obj-uuid@ncacn_np:
   obj-uuid@ncacn_np:[\\pipe\\p3,Security=impersonation static true]
   obj-uuid@ncacn_np:\\\\marketing[\\pipe\\p2\\p3\\p4]
   obj-uuid@ncacn_np:\\\\marketing[endpoint=\\pipe\\p2\\p3\\p4]
   obj-uuid@ncacn_np:\\\\sales
   obj-uuid@ncacn_np:\\\\sales[\\pipe\\p1,Security=identification dynamic true]
   obj-uuid@ncalrpc:
   obj-uuid@ncalrpc:[object1_name_demonstrating_that_these_can_be_lengthy]
   obj-uuid@ncalrpc:[object2_name,Security=anonymous static true]
   obj-uuid@ncacn_vns_spp:server@group@org[500]
   obj-uuid@ncacn_dnet_nsp:took[elf_server]
   obj-uuid@ncacn_dnet_nsp:took[endpoint=elf_server]
   obj-uuid@ncadg_ip_udp:128.10.2.30
   obj-uuid@ncadg_ip_udp:maryos.microsoft.com[1025]
   obj-uuid@ncadg_ipx:~0000000108002B30612C[5000]
   obj-uuid@ncadg_ipx:printserver
   obj-uuid@ncacn_spx:annaw[4390]
   obj-uuid@ncacn_spx:~0000000108002B30612C

A string binding contains the character representation of a binding handle and
sometimes portions of a binding handle. String bindings are convenient for
representing portions of a binding handle, but they can't be used for making
remote procedure calls. They must first be converted to a binding handle by
calling the RpcBindingFromStringBinding routine.

Additionally, a string binding does not contain all of the information from a
binding handle. For example, the authentication information, if any,
associated with a binding handle is not translated into the string binding
returned by calling the RpcBindingToStringBinding routine.

During the development of a distributed application, servers can communicate
their binding information to clients using string bindings to establish a
client-server relationship without using the endpoint-map database or
name-service database. To establish such a relationship, use the function
RpcBindingToStringBinding to convert one or more binding handles from a
binding-handle vector to a string binding, and provide the string binding to
the client.
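The string-binding grammar, the backslash escape rule and the Endpoint/Option table above are enough to write a parser and composer for these strings, which is handy when you are building the -p/-n/-e/-o arguments for rpcdump or checking a binding string before handing it to RpcBindingFromStringBinding. The following is an added example, not code from the original page, from rpcdump or from Microsoft. It implements the syntax as documented above ([obj-uuid@]protseq:[netaddr][[endpoint][,name=value...]]), the single-backslash escape, the endpoint= keyword, the numeric endpoint ranges and the \pipe / no-backslash rules from the table, and the Security option rules (allowed protseqs and the three value sets). Assumptions: the composer escapes backslashes plus the delimiters [ ] , so that its output re-parses identically, an escaping choice of this example rather than something the page specifies; the tests substitute the real UUID the page names (308FB580-1EB2-11CA-923B-08002B1075A7) for the obj-uuid placeholder; options other than Security are passed through unchecked.

```python
"""Parse, validate and compose Microsoft RPC string bindings (added example).
Syntax: [obj-uuid@]protseq:[netaddr][[endpoint][,name=value...]]
A single backslash escapes the next character; "\\\\" is one literal backslash.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# From the Endpoint/Option table: protseqs that accept Security, and its three value sets in order.
SECURITY_PROTSEQS = {"ncalrpc", "ncacn_np", "ncadg_ip_udp", "ncadg_ipx"}
SECURITY_VALUES = ({"anonymous", "identification", "impersonation"},
                   {"dynamic", "static"}, {"true", "false"})
# Numeric endpoint ranges from the same table (protseqs not listed take free-form endpoints).
ENDPOINT_RANGE = {
    "ncacn_nb_tcp": (0, 255), "ncacn_nb_ipx": (0, 255), "ncacn_nb_nb": (0, 255),
    "ncacn_ip_tcp": (0, 65535), "ncadg_ip_udp": (0, 65535),
    "ncacn_spx": (1, 65535), "ncadg_ipx": (1, 65535), "ncacn_vns_spp": (250, 511),
}
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
Tok = Tuple[str, bool]  # (character, came_from_escape)


@dataclass
class StringBinding:
    protseq: str
    obj_uuid: Optional[str] = None
    netaddr: str = ""
    endpoint: str = ""
    options: Dict[str, str] = field(default_factory=dict)


def _lex(text: str) -> List[Tok]:
    """Resolve backslash escapes; an escaped character never acts as a delimiter."""
    toks, i = [], 0
    while i < len(text):
        if text[i] == "\\":
            if i + 1 == len(text):
                raise ValueError("trailing backslash escape")
            toks.append((text[i + 1], True))
            i += 2
        else:
            toks.append((text[i], False))
            i += 1
    return toks


def _find(toks: List[Tok], ch: str, start: int = 0) -> int:
    """Index of the first unescaped occurrence of ch, or -1."""
    return next((i for i in range(start, len(toks)) if toks[i] == (ch, False)), -1)


def _text(toks: List[Tok]) -> str:
    return "".join(c for c, _ in toks)


def validate(sb: StringBinding) -> None:
    """Apply the per-protseq endpoint rules and the Security option rules from the table."""
    if not sb.protseq:
        raise ValueError("empty protocol sequence")
    for what, val in (("protseq", sb.protseq), ("netaddr", sb.netaddr), ("endpoint", sb.endpoint)):
        if any(c.isspace() for c in val):
            raise ValueError(f"white space is not allowed in {what}: {val!r}")
    rng = ENDPOINT_RANGE.get(sb.protseq)
    if sb.endpoint and rng and not (sb.endpoint.isdigit() and rng[0] <= int(sb.endpoint) <= rng[1]):
        raise ValueError(f"endpoint {sb.endpoint!r} not in {rng} for {sb.protseq}")
    if sb.protseq == "ncacn_np" and sb.endpoint and not sb.endpoint.lower().startswith("\\pipe"):
        raise ValueError("ncacn_np endpoint must start with \\pipe")
    if sb.protseq == "ncalrpc" and "\\" in sb.endpoint:
        raise ValueError("ncalrpc endpoint may not contain backslashes")
    for name, val in sb.options.items():
        if name.lower() != "security":
            continue  # assumption: other protocol-specific options are passed through unchecked
        if sb.protseq not in SECURITY_PROTSEQS:
            raise ValueError(f"Security option is not supported on {sb.protseq}")
        words = val.split(" ")  # the three values are separated by exactly one space
        if len(words) != 3 or any(w.lower() not in ok for w, ok in zip(words, SECURITY_VALUES)):
            raise ValueError(f"bad Security option value {val!r}")


def parse_string_binding(text: str) -> StringBinding:
    toks = _lex(text)
    colon = _find(toks, ":")
    if colon < 0:
        raise ValueError("missing ':' after protocol sequence")
    at, uuid, head = _find(toks, "@"), None, 0
    if 0 <= at < colon:  # an '@' after the colon belongs to a Vines/AppleTalk address instead
        uuid, head = _text(toks[:at]), at + 1
        if not UUID_RE.match(uuid):
            raise ValueError(f"bad object UUID {uuid!r}")
    lb = _find(toks, "[", colon + 1)
    if lb < 0:
        netaddr, body = _text(toks[colon + 1:]), []
    else:
        if _find(toks, "]", lb + 1) != len(toks) - 1:
            raise ValueError("bracket list must end with a final ']'")
        netaddr, body = _text(toks[colon + 1:lb]), toks[lb + 1:-1]
    fields: List[List[Tok]] = [[]]  # split on unescaped commas: endpoint first, then options
    for t in body:
        if t == (",", False):
            fields.append([])
        else:
            fields[-1].append(t)
    endpoint = _text(fields[0])
    if endpoint.startswith("endpoint="):
        endpoint = endpoint[len("endpoint="):]
    options: Dict[str, str] = {}
    for f in fields[1:]:
        eq = _find(f, "=")
        if eq < 0:
            raise ValueError(f"option without '=': {_text(f)!r}")
        options[_text(f[:eq])] = _text(f[eq + 1:])
    sb = StringBinding(_text(toks[head:colon]), uuid, netaddr, endpoint, options)
    validate(sb)
    return sb


def _esc(s: str, specials: str) -> str:
    return "".join("\\" + c if c == "\\" or c in specials else c for c in s)


def compose_string_binding(sb: StringBinding) -> str:
    """Inverse of parse: re-escapes backslashes and delimiters, drops the endpoint= keyword."""
    validate(sb)
    out = (sb.obj_uuid + "@" if sb.obj_uuid else "") + sb.protseq + ":" + _esc(sb.netaddr, "[")
    if sb.endpoint or sb.options:
        items = [_esc(sb.endpoint, "[],")] + [f"{k}={_esc(v, '[],')}" for k, v in sb.options.items()]
        out += "[" + ",".join(items) + "]"
    return out


def is_valid_string_binding(text: str) -> bool:
    try:
        parse_string_binding(text)
        return True
    except ValueError:
        return False
```

Note that the parser works on the unescaped token stream, so a `\[` or `\,` inside an endpoint is data, not structure, exactly as the escape rule in the Remarks requires; and that validate() rejects a Security option on ncacn_ip_tcp, which is the mistake most likely when copying an -o argument from one protocol to another.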