_ _ _ _
((___)) ((___))
[ x x ] _ [ x x ]
\ / _ |_|_ _ _|_ _|_ |_ _ _| _ _. _| _ _ \ /
(' ') (_|_|| |_ (_) | |_ | |(/_ (_|(/_(_|(_| (_(_)\_/\_/ (' ')
(U) (U)
.ooM cDc communications .ooM
Remote Procedure Call
by Sir Dystic
A commonly overlooked area of security is Remote Procedure Call, possibly
because most people don't understand anything about it. RPCDUMP is a program
which provides console access to the RPC APIs in Windows. To use it, some
base understanding of the different pieces necessary to create an RPC
connection is required. Microsoft provides plenty of information about RPC.
c:\>rpcdump -?
rpcdump v0.92 - Questions, comments, bitches, and bugs to
sd@cultdeadcow.com
rpcdump [options] commands
commands: STAT - Get stats AUTH - Authenticate IAUTH - Inquire auth info
STOP - Stop server listening NAME - Get principle name VECS - Get vectors
ENUM - Enumerate endpoints
options: [-p protocol] [-u UUID] [-n netadr] [-e endpoint] [-o options]
[-s user] [-a password] [-d domain] [-i server principal name]
[-v auth service] [-l auth level] (used with AUTH)
Valid protocols and their endpoints are:
ncacn_nb_tcp* - Connection-oriented NetBIOS over TCP - 0-255
ncacn_nb_ipx* - Connection-oriented NetBIOS over IPX - 0-255
ncacn_nb_nb - Connection-oriented NetBIOS over NetBEUI - 0-255
ncacn_ip_tcp - Connection-oriented TCP/IP (default) - Port#
ncacn_np@ - Connection-oriented named pipes - \\pipe\pipename
ncacn_spx - Connection-oriented SPX - 1-65535
ncacn_vns_spp* - Vines SPP transport - Port# 250-511
ncadg_ip_udp*@ - Datagram (connectionless) UDP/IP - Port#
ncadg_ipx*@ - Datagram (connectionless) IPX - 1-65535
ncalrpc@ - Local procedure call - App/Service name
(* May only be available under NT)
(@ The 'Security' option is available, but only under NT)
The netadr for different protocols is specified as:
For _nb_ protocols - Windows machine name - myserver
For _ip_ protocols - IP address or host name - 12.34.56.78 hostname
For _np protocol - NT server name (\\ optional) - myhost \\somehost
For _spx/_ipx prot - IPX inet adr or NT server name - ~0000000108002B30612C
For _vns_ protocol - StreetTalk name item@group@org - print@docs@cdc
For ncalrpc - Machine name - mymachine
The Security option is specified in the form:
Security=id type bool
Values for id:
Anonymous - The client is anonymous to the server
Identification - The server has information about client but cannot impersonate
Impersonation - The server is the client on the client's behalf
Values for type:
Dynamic - A pointer to the security token is maintained.
Static - Security settings associated with the endpoint represent a copy
of the security information at the time the endpoint was created.
The settings do not change.
Values for bool:
True - Effective = TRUE; only Windows NT security settings set to ON are
included in the token.
False - Effective = FALSE; all Windows NT security settings, including those
set to OFF, are included in the token.
The minimum information necessary to perform something like ENUM (enumerate
remote endpoints) is a network address, the format of which depends on the
protocol you are using. The default protocol is ncacn_ip_tcp, a TCP connection
to a port (default 135); for it the address is the machine name or IP address.
Your RPC system may support even more protocols than are listed in the help.
The information produced by rpcdump may or may not actually be useful. One
thing missing is the ability to actually connect to the endpoints and exchange
data. Doing this usually requires knowing all the information about the endpoint
at compile time, and I'm looking at ways to do this dynamically. However, just
with the functionality included, many servers (especially web servers on the
internet) dump a ton of information, often including all the virtual IPs that
server is handling.
--------------------------------------------------
Here is some more information about the specific pieces that make up an RPC
connection. Much of this text is copyrighted by Microsoft:
Protocol Sequence
Specifies a character string that represents a valid combination of an
RPC protocol (such as "ncacn"), a transport protocol (such as "tcp"),
and a network protocol (such as "ip").
Microsoft RPC supports the following protocol sequences:
Protocol sequence  Description                              Supporting platforms
ncacn_nb_tcp       Connection-oriented NetBIOS over TCP     client only: MS-DOS, Windows 3.x
                                                            client and server: Windows NT
ncacn_nb_ipx       Connection-oriented NetBIOS over IPX     client only: MS-DOS, Windows 3.x
                                                            client and server: Windows NT
ncacn_nb_nb        Connection-oriented NetBEUI              client only: MS-DOS, Windows 3.x
                                                            client and server: Windows NT, Windows 95
ncacn_ip_tcp       Connection-oriented TCP/IP               client only: MS-DOS, Windows 3.x, and Apple Macintosh
                                                            client and server: Windows 95 and Windows NT
ncacn_np           Connection-oriented named pipes          client only: MS-DOS, Windows 3.x, Windows 95
                                                            client and server: Windows NT
ncacn_spx          Connection-oriented SPX                  client only: MS-DOS, Windows 3.x
                                                            client and server: Windows NT, Windows 95
ncacn_dnet_nsp     Connection-oriented DECnet transport     client only: MS-DOS, Windows 3.x
ncacn_at_dsp       AppleTalk DSP                            client: Apple Macintosh
                                                            server: Windows NT
ncacn_vns_spp      Connection-oriented Vines SPP transport  client only: MS-DOS, Windows 3.x
                                                            client and server: Windows NT
ncadg_ip_udp       Datagram (connectionless) UDP/IP         client only: MS-DOS, Windows 3.x
                                                            client and server: Windows NT
ncadg_ipx          Datagram (connectionless) IPX            client only: MS-DOS, Windows 3.x
                                                            client and server: Windows NT
ncalrpc            Local procedure call                     client and server: Windows NT and Windows 95
NetworkAddress
Specifies the network address of the system to receive remote procedure
calls.
The format and content of the network address depend on the specified
protocol sequence as follows:
Protocol sequence  Network address                                  Examples
ncacn_nb_tcp       Windows NT machine name                          myserver
ncacn_nb_ipx       Windows NT machine name                          myserver
ncacn_nb_nb        Windows NT or Windows 95 machine name            myserver
ncacn_ip_tcp       four-octet internet address, or host name        128.10.2.30
                                                                    anynode.microsoft.com
ncacn_np           Windows NT server name                           \\myotherserver
                   (leading double backslashes are optional)        myserver
ncacn_spx          IPX internet address, or Windows NT server name  ~0000000108002B30612C
                                                                    myserver
ncacn_dnet_nsp     Area and node syntax                             4.120
ncacn_at_dsp       Windows NT machine name, optionally followed     servername@zonename
                   by @ and the AppleTalk zone name. Defaults to    servername
                   @*, the client's zone, if no zone provided
ncacn_vns_spp      StreetTalk server name of the form               printserver@sdkdocs@microsoft
                   item@group@organization
ncadg_ip_udp       four-octet internet address, or host name        128.10.2.30
                                                                    anynode.microsoft.com
ncadg_ipx          IPX internet address, or Windows NT server name  ~0000000108002B30612C
                                                                    myserver
ncalrpc            Machine name                                     thismachine
The network-address field is optional. When you do not specify a network
address, the string binding refers to your local host. It is possible to
specify the name of the local machine when you use the ncalrpc protocol
sequence; however, doing so is completely unnecessary.
Endpoint
Specifies the endpoint, or address, of the process to receive remote
procedure calls. An endpoint can be preceded by the keyword endpoint=.
Specifying the endpoint is optional if the server has registered its
bindings with the endpoint mapper. See RpcEpRegister. The format and
content of an endpoint depend on the specified protocol sequence as shown
in the Endpoint/Option Table, below.
Option
Specifies protocol-specific options. The option field is not required.
Each option is specified by a {name, value} pair that uses the syntax
option name=option value. Options are defined for each protocol sequence
as shown in the Endpoint/Option Table, below.
Protocol sequence  Endpoint                                     Examples            Option name
ncacn_nb_tcp       Integer between 0 and 255. Many values       100                 None
                   between 0 and 32 are reserved by Microsoft.
ncacn_nb_ipx       (as above)                                   (as above)          None
ncacn_nb_nb        (as above)                                   (as above)          None
ncacn_ip_tcp       Internet port number                         1025                None
ncacn_np           Windows NT named pipe. Name must start       \\pipe\\pipename    Security (NT only)
                   with "\\pipe".
ncacn_spx          Integer between 1 and 65535.                 5000                None
ncacn_dnet_nsp     DECnet phase IV object number (must be       mailserver          None
                   preceded by the # character), or             #17
                   object name
ncacn_at_dsp       A character string, up to 22 bytes long      myservicesendpoint  None
ncacn_vns_spp      Vines SPP port number between 250 and 511    500                 None
ncadg_ip_udp       Internet port number                         1025                Security (32-bit only)
ncadg_ipx          Integer between 1 and 65535.                 5000                Security (32-bit only)
ncalrpc            String specifying application or service     my_printer          Security (NT only)
                   name. The string cannot include any
                   backslash characters.
The Security option name, supported for the ncalrpc, ncacn_np,
ncadg_ip_udp, and ncadg_ipx protocol sequences, takes the following
option values:
Option name  Option value
Security     {identification | anonymous | impersonation} {dynamic | static} {true | false}
If the Security option name is specified, one entry from each of the sets
of Security option values must also be supplied. The option values must
be separated by a single-space character. For example, the following
Option fields are valid:
Security=identification dynamic true
Security=impersonation static true
The Security option values have the following meanings:
Security option value  Description
Anonymous              The client is anonymous to the server.
Dynamic                A pointer to the security token is maintained. Security
                       settings represent current settings and include changes
                       made after the endpoint was created.
False                  Effective = FALSE; all Windows NT security settings,
                       including those set to OFF, are included in the token.
Identification         The server has information about the client but cannot
                       impersonate.
Impersonation          The server is the client on the client's behalf.
Static                 Security settings associated with the endpoint represent
                       a copy of the security information at the time the
                       endpoint was created. The settings do not change.
True                   Effective = TRUE; only Windows NT security settings set
                       to ON are included in the token.
For more information about Microsoft Windows NT security options, see
your Microsoft Windows NT programming documentation.
Remarks
The string binding is an unsigned character string composed of strings
that represent the binding object UUID, the RPC protocol sequence, the
network address, and the endpoint and endpoint options. White space is
not allowed in string bindings except where required by the Option
syntax.
Default settings for the NetworkAddress, Endpoint, and Option fields
vary according to the value of the ProtocolSequence field.
For all string-binding fields, a single backslash character (\) is
interpreted as an escape character. To specify a single literal backslash
character, you must supply two backslash characters (\\).
The following are examples of valid string bindings. In these examples,
obj-uuid is used for convenience to represent a valid UUID in string
form. Instead of showing the UUID 308FB580-1EB2-11CA-923B-08002B1075A7,
the examples show obj-uuid.
obj-uuid@ncacn_ip_tcp:16.20.16.27[2001]
obj-uuid@ncacn_ip_tcp:16.20.16.27[endpoint=2001]
obj-uuid@ncacn_nb_nb:
obj-uuid@ncacn_nb_nb:[100]
obj-uuid@ncacn_np:
obj-uuid@ncacn_np:[\\pipe\\p3,Security=impersonation static true]
obj-uuid@ncacn_np:\\\\marketing[\\pipe\\p2\\p3\\p4]
obj-uuid@ncacn_np:\\\\marketing[endpoint=\\pipe\\p2\\p3\\p4]
obj-uuid@ncacn_np:\\\\sales
obj-uuid@ncacn_np:\\\\sales[\\pipe\\p1,Security=identification dynamic true]
obj-uuid@ncalrpc:
obj-uuid@ncalrpc:[object1_name_demonstrating_that_these_can_be_lengthy]
obj-uuid@ncalrpc:[object2_name,Security=anonymous static true]
obj-uuid@ncacn_vns_spp:server@group@org[500]
obj-uuid@ncacn_dnet_nsp:took[elf_server]
obj-uuid@ncacn_dnet_nsp:took[endpoint=elf_server]
obj-uuid@ncadg_ip_udp:128.10.2.30
obj-uuid@ncadg_ip_udp:maryos.microsoft.com[1025]
obj-uuid@ncadg_ipx:~0000000108002B30612C[5000]
obj-uuid@ncadg_ipx:printserver
obj-uuid@ncacn_spx:annaw[4390]
obj-uuid@ncacn_spx:~0000000108002B30612C
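The string-binding grammar described above, worked through in code. This is an added example written for this page; it is not part of rpcdump and not Microsoft's RPC runtime. It is a small Python parser that applies the single-backslash escape rule, splits off the object UUID, protocol sequence, network address, endpoint and options, enforces the integer endpoint ranges from the Endpoint/Option table, restricts the Security option to the four protocol sequences that accept it, and checks the Security value against the three sets of option values. Two assumptions are made: "Internet port number" is treated as 0-65535 (the table gives no bound), and the table's list of protocol sequences is treated as exhaustive.

```python
import uuid
from collections import namedtuple

# Protocol sequences from the Microsoft table above (assumed exhaustive here).
PROTSEQS = {"ncacn_nb_tcp", "ncacn_nb_ipx", "ncacn_nb_nb", "ncacn_ip_tcp",
            "ncacn_np", "ncacn_spx", "ncacn_dnet_nsp", "ncacn_at_dsp",
            "ncacn_vns_spp", "ncadg_ip_udp", "ncadg_ipx", "ncalrpc"}
# Security is the only option name the table defines; these protseqs accept it.
SECURITY_PROTSEQS = {"ncalrpc", "ncacn_np", "ncadg_ip_udp", "ncadg_ipx"}
SECURITY_SETS = ({"identification", "anonymous", "impersonation"},
                 {"dynamic", "static"}, {"true", "false"})
# Integer endpoint ranges from the Endpoint/Option table; 0-65535 for
# "Internet port number" is an assumption, the table gives no bound.
ENDPOINT_RANGES = {"ncacn_nb_tcp": (0, 255), "ncacn_nb_ipx": (0, 255),
                   "ncacn_nb_nb": (0, 255), "ncacn_ip_tcp": (0, 65535),
                   "ncadg_ip_udp": (0, 65535), "ncacn_spx": (1, 65535),
                   "ncadg_ipx": (1, 65535), "ncacn_vns_spp": (250, 511)}

StringBinding = namedtuple("StringBinding", "obj_uuid protseq netaddr endpoint options")

def _scan(s):
    """Resolve escapes into (char, was_escaped) pairs: one backslash escapes the
    next character, so a doubled backslash in a binding is one literal backslash."""
    out, i = [], 0
    while i < len(s):
        esc = s[i] == "\\"
        if esc and i + 1 == len(s):
            raise ValueError("dangling escape character at end of binding")
        out.append((s[i + 1] if esc else s[i], esc))
        i += 2 if esc else 1
    return out

def _find(pairs, ch, start=0, stop=None):
    """Index of the first unescaped ch in pairs[start:stop], or -1."""
    stop = len(pairs) if stop is None else stop
    return next((i for i in range(start, stop) if pairs[i] == (ch, False)), -1)

def _text(pairs, a, b):
    return "".join(c for c, _ in pairs[a:b])

def parse_security_option(value):
    """Validate 'id type bool': one token from each set, single spaces between."""
    tokens = value.lower().split(" ")
    if len(tokens) != 3 or any(t not in s for t, s in zip(tokens, SECURITY_SETS)):
        raise ValueError(f"malformed Security option value {value!r}")
    return tuple(tokens)

def _validate_endpoint(protseq, endpoint):
    if protseq in ENDPOINT_RANGES:
        lo, hi = ENDPOINT_RANGES[protseq]
        if not endpoint.isdigit() or not lo <= int(endpoint) <= hi:
            raise ValueError(f"{protseq} endpoint must be an integer in {lo}-{hi}")
    elif protseq == "ncacn_np" and not endpoint.lower().startswith("\\pipe"):
        raise ValueError("ncacn_np endpoint must start with \\pipe")
    elif protseq == "ncalrpc" and "\\" in endpoint:
        raise ValueError("ncalrpc endpoint cannot contain backslash characters")

def parse_string_binding(binding):
    """Parse [obj-uuid@]protseq:[netaddr][[endpoint][,option=value...]]."""
    p = _scan(binding)
    colon = _find(p, ":")
    if colon < 0:
        raise ValueError("missing ':' after protocol sequence")
    at = _find(p, "@", 0, colon)          # an '@' after the colon belongs to netaddr
    obj_uuid = _text(p, 0, at) if at >= 0 else None
    if obj_uuid is not None:
        uuid.UUID(obj_uuid)               # ValueError unless a well-formed UUID
    protseq = _text(p, at + 1, colon).lower()
    if protseq not in PROTSEQS:
        raise ValueError(f"unknown protocol sequence {protseq!r}")
    lb = _find(p, "[", colon + 1)
    endpoint, options = None, {}
    if lb < 0:
        netaddr = _text(p, colon + 1, len(p))
    else:
        if p[-1] != ("]", False):
            raise ValueError("endpoint/option list must be closed with ']'")
        netaddr = _text(p, colon + 1, lb)
        items, i = [], lb + 1             # split on unescaped commas up to the ']'
        while i < len(p) - 1:
            comma = _find(p, ",", i, len(p) - 1)
            end = comma if comma >= 0 else len(p) - 1
            items.append((i, end))
            i = end + 1
        for n, (a, b) in enumerate(items):
            eq = _find(p, "=", a, b)
            key = _text(p, a, eq).lower() if eq >= 0 else None
            if n == 0 and key in (None, "endpoint"):
                endpoint = _text(p, a if eq < 0 else eq + 1, b)
            elif key == "security":
                if protseq not in SECURITY_PROTSEQS:
                    raise ValueError(f"Security option not supported on {protseq}")
                options["security"] = parse_security_option(_text(p, eq + 1, b))
            else:
                raise ValueError(f"unknown option {_text(p, a, b)!r}")
    # White space is legal only inside option values (the Security syntax).
    if any(c.isspace() for c in (obj_uuid or "") + protseq + netaddr + (endpoint or "")):
        raise ValueError("white space is not allowed outside option values")
    if endpoint:
        _validate_endpoint(protseq, endpoint)
    return StringBinding(obj_uuid, protseq, netaddr, endpoint or None, options)

def is_valid_string_binding(binding):
    """True when the binding parses and passes the table checks, else False."""
    try:
        return bool(parse_string_binding(binding))
    except ValueError:
        return False
```

Running the examples above through parse_string_binding shows why the escape rule matters: the binding text \\\\marketing becomes the NT server name \\marketing, and \\pipe\\p3 becomes the pipe name \pipe\p3, while a comma escaped as \, stays inside the endpoint instead of starting an option. is_valid_string_binding is a convenient first filter when screening bindings taken from configuration or from tool output, rejecting out-of-range endpoints, Security options on protocol sequences that do not support them, and white space outside option values.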
A string binding contains the character representation of a binding
handle and sometimes portions of a binding handle. String bindings are
convenient for representing portions of a binding handle, but they can't
be used for making remote procedure calls. They must first be converted
to a binding handle by calling the RpcBindingFromStringBinding routine.
Additionally, a string binding does not contain all of the information
from a binding handle. For example, the authentication information, if
any, associated with a binding handle is not translated into the string
binding returned by calling the RpcBindingToStringBinding routine.
During the development of a distributed application, servers can
communicate their binding information to clients using string bindings
to establish a client-server relationship without using the endpoint-map
database or name-service database. To establish such a relationship, use
the function RpcBindingToStringBinding to convert one or more binding
handles from a binding-handle vector to a string binding, and provide the
string binding to the client.