Fingerprinting Through RPC: Hidenobu Seki

These slides (Black Hat Windows Security 2004) discuss using Microsoft RPC to gather information from Windows systems, much of it without authentication. They show how Microsoft's Portqry reports the interface IDs, annotations and endpoints registered with the RPC endpoint mapper, and how those interface IDs fingerprint the services running on a host: an interface ID stays the same across Windows versions, while each new version adds interfaces of its own, so the set of IDs exposed also points to the OS version. They then describe dynamic binding, how the Remote Management Interface lets a client enumerate the interfaces on any RPC port without the endpoint map or authentication, online password cracking through authenticated RPC binds, and scheduling commands through the AT service once a password is found.


Fingerprinting Through RPC

Hidenobu Seki
Agenda
l Information gathering for RPC troubleshooting
l Microsoft RPC
l Interface IDs of Windows RPC services
l Info gathering without authentication using RPC
l Online password cracking using RPC

Black Hat Windows Security 2004


Microsoft Portqry
l Reports the status of target TCP/UDP ports on a remote computer.
l Knows how to send a query to the RPC endpoint mapper (TCP/UDP 135) and lists every interface ID, annotation and endpoint the mapper returns.
l For more information, refer to Microsoft KB832919.

Portqry for Active Directory
l UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30
NTDS Backup Interface
ncacn_np:\\MYDC[\PIPE\lsass]
l UUID: 16e0cf3a-a604-11d0-96b1-00a0c91ece30
NTDS Restore Interface
ncacn_np:\\MYDC[\PIPE\lsass]
l UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2
MS NT Directory DRS Interface
ncacn_ip_tcp:169.254.0.18[1027]
l UUID: f5cc59b4-4264-101a-8c59-08002b2f8426
NtFrs Service
ncacn_ip_tcp:169.254.0.18[1130]

Sample Portqry output from Microsoft KB310456 (= KB816103)

Portqry for Exchange Server
l UUID: f5cc5a18-4264-101a-8c59-08002b2f8426
MS Exchange Directory NSPI Proxy
ncacn_http:169.254.112.100[1444]
l UUID: 9e8ee830-4459-11ce-979b-00aa005ffebe
MS Exchange MTA 'Mta' Interface
ncacn_np:\\mymailsrv[\pipe\00000bbc.000]
l UUID: 9e8ee830-4459-11ce-979b-00aa005ffebe
MS Exchange MTA 'Mta' Interface
ncacn_ip_tcp:169.254.112.100[2168]
l UUID: 99e64010-b032-11d0-97a4-00c04fd6551d
Exchange Server STORE ADMIN
ncadg_ip_udp:169.254.112.100[2174]

Sample Portqry output from Microsoft KB310298

Annotation
l The annotation is the free-text description a service registers with the endpoint mapper next to its interface ID (the second line of each Portqry entry). It is informational only and not needed to bind:
l UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2
MS NT Directory DRS Interface
ncacn_ip_tcp:169.254.0.18[1027]
l UUID: 99e64010-b032-11d0-97a4-00c04fd6551d
Exchange Server STORE ADMIN
ncadg_ip_udp:169.254.112.100[2174]

Endpoint
l The endpoint is where the interface can be reached: a protocol sequence plus an address (the third line of each entry), here a named pipe over SMB and an RPC-over-HTTP TCP port:
l UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30
NTDS Backup Interface
ncacn_np:\\MYDC[\PIPE\lsass]
l UUID: f5cc5a18-4264-101a-8c59-08002b2f8426
MS Exchange Directory NSPI Proxy
ncacn_http:169.254.112.100[1444]

RPC network protocols (protocol sequences)
l ncacn_ip_tcp: connection-oriented RPC over TCP
l ncadg_ip_udp: datagram RPC over UDP
l ncacn_np: RPC over SMB named pipes
l ncalrpc: local RPC, reachable only from the same machine
l ncacn_http: RPC over HTTP, through the RPC proxy

LPC port name or Named Pipe name
l For ncalrpc and ncacn_np the endpoint is a name rather than a port number:
l ncalrpc:[SMTPSVC_LPC]
l ncacn_np:\\WSRV[\PIPE\NNTPSVC]

Interface ID
l The UUID on the first line of each entry identifies the interface; the same UUID appears on every host running that service:
l UUID: f5cc59b4-4264-101a-8c59-08002b2f8426
NtFrs Service
ncacn_ip_tcp:169.254.0.18[1130]
l UUID: 9e8ee830-4459-11ce-979b-00aa005ffebe
MS Exchange MTA 'Mta' Interface
ncacn_ip_tcp:169.254.112.100[2168]

Interface ID
l An interface ID is a UUID (Universally Unique IDentifier) fixed when the interface is defined; it is the same on every installation of the service
l Is useful for fingerprinting: the set of UUIDs a host exposes identifies the services, and often the Windows version, running on it
l Every interface also has a major.minor version number, which can differ between Windows versions for the same UUID
l One RPC service may expose more than one interface ID

Agenda
l Information gathering for RPC troubleshooting
l Microsoft RPC
l Interface IDs of Windows RPC services
l Info gathering without authentication using RPC
l Online password cracking using RPC

Microsoft RPC
l Enables data exchange and invocation of functionality between different processes
– on the same machine
– on the local area network
– across the Internet
l Is an extension of OSF DCE RPC

RPC defined
l Operation: a procedure, identified by its operation number (opnum)
l Interface: a group of operations, identified by an interface ID and version
l Service: a process that provides one or more interfaces
l Endpoint: where a service is listening (protocol sequence plus port or name)
l Endpoint map: the list of registered endpoints
l Endpoint mapper: the service on port 135 that hands out entries of the endpoint map, supporting dynamic binding to services

RPC traffic over TCP
Client                           Server
  bind <interface>         -->
                           <--   bind ack
  request <operation>      -->
                           <--   response
  request <operation>      -->
                           <--   response

Operations of the AT service
l Submit a task
– JobAdd
l Cancel one or more scheduled tasks
– JobDel
l View scheduled tasks
– JobEnum
l Get information about a scheduled task
– JobGetInfo

AT service
l Operations: JobAdd, JobDel, JobEnum, JobGetInfo
l Operation numbers (opnums): 0, 1, 2, 3
l Interface: AT service
l Interface ID: 1ff70682-0a51-30e8-076d-740be8cee98b
l Service: Task Scheduler
l Endpoint: ncacn_ip_tcp:192.168.0.101[1025]

Submit a task, get information
Client                                  Server
  bind [1ff70682-0a51-...]       -->
                                 <--    bind ack
  request [0]  (JobAdd)          -->
                                 <--    response
  request [3]  (JobGetInfo)      -->
                                 <--    response
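
The bind and request exchanges drawn above, as an added example that is not part of the original talk: it packs the DCE/RPC connection-oriented PDUs by hand (Python standard library, no impacket) and decodes the bind reply, which is the probe behind interface fingerprinting. The interface IDs are the slides' Task Scheduler and Remote Management Interface IDs; the fragment sizes, call IDs, secondary address and the server replies are constructed here for an offline test, not captured from a host.

```python
"""Build and decode DCE/RPC connection-oriented PDUs for interface probing.

Added example: raw struct packing of bind / bind_ack / bind_nak / request.
The server-side replies are constructed for the offline test.
"""
import struct
import uuid

# NDR 2.0 transfer syntax, proposed in every MS-RPC bind
NDR_SYNTAX = "8a885d04-1ceb-11c9-9fe8-08002b104860"
NDR_VERSION = (2, 0)
# Interface IDs from the slides
AT_SVC = "1ff70682-0a51-30e8-076d-740be8cee98b"   # Task Scheduler, AT interface
RMI = "afa8bd80-7d8a-11c9-bef4-08002b102989"      # Remote Management Interface

PTYPE_REQUEST, PTYPE_BIND, PTYPE_BIND_ACK, PTYPE_BIND_NAK = 0, 11, 12, 13
PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02
RESULT_NAMES = {0: "acceptance", 1: "user_rejection",
                2: "provider_rejection", 3: "negotiate_ack"}
REASON_NAMES = {0: "reason_not_specified", 1: "abstract_syntax_not_supported",
                2: "proposed_transfer_syntaxes_not_supported", 3: "local_limit_exceeded"}


def header(ptype, body_len, call_id):
    """16-byte common header: rpc_vers 5.0, first+last fragment, little-endian drep."""
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, PFC_FIRST_FRAG | PFC_LAST_FRAG,
                       b"\x10\x00\x00\x00", 16 + body_len, 0, call_id)


def syntax_id(if_uuid, major, minor):
    """p_syntax_id_t: UUID in GUID byte order, then 16-bit major and minor version."""
    return uuid.UUID(if_uuid).bytes_le + struct.pack("<HH", major, minor)


def build_bind(if_uuid, major, minor, call_id=1, ctx_id=0):
    """bind PDU proposing a single presentation context <interface> over NDR 2.0."""
    body = struct.pack("<HHI", 5840, 5840, 0)     # max_xmit_frag, max_recv_frag, assoc_group
    body += struct.pack("<BBH", 1, 0, 0)          # n_context_elem, reserved, reserved2
    body += struct.pack("<HBB", ctx_id, 1, 0)     # p_cont_id, n_transfer_syn, reserved
    body += syntax_id(if_uuid, major, minor) + syntax_id(NDR_SYNTAX, *NDR_VERSION)
    return header(PTYPE_BIND, len(body), call_id) + body


def build_request(opnum, stub=b"", call_id=2, ctx_id=0):
    """request PDU: alloc_hint, p_cont_id, opnum, then the NDR-marshalled arguments."""
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub
    return header(PTYPE_REQUEST, len(body), call_id) + body


def build_bind_ack(result, reason, call_id=1, sec_addr=b"135\x00"):
    """Constructed server reply for the offline test (result 0 = context accepted)."""
    body = struct.pack("<HHI", 5840, 5840, 0x1234)
    body += struct.pack("<H", len(sec_addr)) + sec_addr   # port_any_t secondary address
    body += b"\x00" * (-len(body) % 4)                    # p_result_list is 4-byte aligned
    body += struct.pack("<BBH", 1, 0, 0)                  # n_results, reserved, reserved2
    accepted = syntax_id(NDR_SYNTAX, *NDR_VERSION) if result == 0 else b"\x00" * 20
    body += struct.pack("<HH", result, reason) + accepted
    return header(PTYPE_BIND_ACK, len(body), call_id) + body


def build_bind_nak(reason, call_id=1):
    """Constructed minimal association refusal (no context negotiated at all)."""
    return header(PTYPE_BIND_NAK, 2, call_id) + struct.pack("<H", reason)


def parse_bind_reply(pdu):
    """Return (ptype_name, result_name, reason) from a bind_ack or bind_nak PDU."""
    vers, _, ptype, _, _, frag_len, _, _ = struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if vers != 5 or frag_len != len(pdu):
        raise ValueError("not a complete DCE/RPC 5.x PDU")
    if ptype == PTYPE_BIND_NAK:
        return "bind_nak", None, struct.unpack_from("<H", pdu, 16)[0]
    if ptype != PTYPE_BIND_ACK:
        raise ValueError(f"unexpected ptype {ptype}")
    off = 16 + 8                                           # skip frag sizes and assoc_group
    addr_len = struct.unpack_from("<H", pdu, off)[0]
    off = (off + 2 + addr_len + 3) & ~3                    # realign to the result list
    if pdu[off] < 1:
        raise ValueError("bind_ack without presentation results")
    result, reason = struct.unpack_from("<HH", pdu, off + 4)
    return "bind_ack", RESULT_NAMES.get(result, result), REASON_NAMES.get(reason, reason)


def interface_present(reply_pdu):
    """Fingerprinting decision: True only if the server accepted our abstract syntax.
    provider_rejection / abstract_syntax_not_supported means the port speaks RPC but
    does not serve this interface; a bind_nak means the association was refused."""
    kind, result, _ = parse_bind_reply(reply_pdu)
    return kind == "bind_ack" and result == "acceptance"
```

Against a live host the flow is: connect to a port found by the scan, send build_bind(...) for each candidate interface, read one reply and feed it to interface_present; the accepted contexts are the interfaces that port serves, and build_request(opnum, stub) then carries the marshalled arguments for a call such as JobAdd (opnum 0) or JobGetInfo (opnum 3).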

Dynamic binding
Client                                  Server
  bind <Endpoint mapper>         -->    TCP port 135
                                 <--    bind ack
  request <Map>                  -->
                                 <--    response with endpoint map
  bind <AT service>              -->    TCP port 1025
                                 <--    bind ack
  request <JobAdd>               -->
                                 <--    response

Dynamic binding over UDP
Client                                  Server
  request <interface+operation>  -->    UDP port 135 (endpoint mapper)
                                 <--    response
  request <interface+operation>  -->    UDP port 1026 (the service)
                                 <--    response
l The datagram protocol has no bind: every request carries the interface ID and operation number in its header. The client can send its first request to the endpoint mapper on UDP 135, which forwards it to the service that registered the interface; the response comes back from the service's own endpoint (here UDP 1026), which the client uses from then on.

Agenda
l Information gathering for RPC troubleshooting
l Microsoft RPC
l Interface IDs of Windows RPC services
l Info gathering without authentication using RPC
l Online password cracking using RPC

Interface IDs of RPCSS
l e1af8308-5d1f-11c9-91a4-08002b14a0fa
l 0b0a6584-9e0f-11cf-a3cf-00805f68cb1b
l e60c73e6-88f9-11cf-9af1-0020af6e72f4
l 99fcfec4-5260-101b-bbcb-00aa0021347a
l b9e79e60-3d52-11ce-aaa1-00006901293f
l 412f241e-c12a-11ce-abff-0020af6e7a17
l 00000136-0000-0000-c000-000000000046
l 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
l 975201b0-59ca-11d0-a8d5-00a0c90d8051
l c6f3ee72-ce7e-11d1-b71e-00c04fc3111a
l 000001a0-0000-0000-c000-000000000046
l 1d55b526-c137-46c5-ab79-638f2a68e869

Interface IDs of RPCSS
l e1af8308-5d1f-11c9-91a4-08002b14a0fa
– Endpoint Mapper
l 99fcfec4-5260-101b-bbcb-00aa0021347a
– IOXIDResolver
l 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
– IRemoteActivation
l 00000136-0000-0000-c000-000000000046
– ISCMLocalActivator
l 000001a0-0000-0000-c000-000000000046
– ISystemActivator

Windows NT 4.0
l e1af8308-5d1f-11c9-91a4-08002b14a0fa
l 0b0a6584-9e0f-11cf-a3cf-00805f68cb1b
– Version 1.0
l e60c73e6-88f9-11cf-9af1-0020af6e72f4
l 99fcfec4-5260-101b-bbcb-00aa0021347a
l b9e79e60-3d52-11ce-aaa1-00006901293f
l 412f241e-c12a-11ce-abff-0020af6e7a17
l 00000136-0000-0000-c000-000000000046
l 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
l 975201b0-59ca-11d0-a8d5-00a0c90d8051
– NT, 2000

Windows 2000
l e1af8308-5d1f-11c9-91a4-08002b14a0fa
l 0b0a6584-9e0f-11cf-a3cf-00805f68cb1b
– Version 1.1
l e60c73e6-88f9-11cf-9af1-0020af6e72f4
l 99fcfec4-5260-101b-bbcb-00aa0021347a
l b9e79e60-3d52-11ce-aaa1-00006901293f
l 412f241e-c12a-11ce-abff-0020af6e7a17
l 00000136-0000-0000-c000-000000000046
l 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
l 975201b0-59ca-11d0-a8d5-00a0c90d8051
– NT, 2000
l c6f3ee72-ce7e-11d1-b71e-00c04fc3111a
– 2000, XP, 2003
l 000001a0-0000-0000-c000-000000000046
– 2000, XP, 2003

Windows XP, 2003
l e1af8308-5d1f-11c9-91a4-08002b14a0fa
l 0b0a6584-9e0f-11cf-a3cf-00805f68cb1b
– Version 1.1
l e60c73e6-88f9-11cf-9af1-0020af6e72f4
l 99fcfec4-5260-101b-bbcb-00aa0021347a
l b9e79e60-3d52-11ce-aaa1-00006901293f
l 412f241e-c12a-11ce-abff-0020af6e7a17
l 00000136-0000-0000-c000-000000000046
l 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
l c6f3ee72-ce7e-11d1-b71e-00c04fc3111a
– 2000, XP, 2003
l 000001a0-0000-0000-c000-000000000046
– 2000, XP, 2003
l 1d55b526-c137-46c5-ab79-638f2a68e869
– XP, 2003

NT 4.0 Service Pack 4
l DNS server
– aae9ac90-ce13-11cf-919e-08002be23c64
– d7f9e1c0-2247-11d1-ba89-00c04fd91268
l WINS server
– 45f52c28-7f9f-101a-b52b-08002b2efabe
– 811109bf-a4e1-11d1-ab54-00a0c91e9b45

DNS server
l Windows NT 4.0 SP4 or later
– aae9ac90-ce13-11cf-919e-08002be23c64
– d7f9e1c0-2247-11d1-ba89-00c04fd91268
l Windows 2000, 2003
– 50abc2a4-574d-40b3-9d66-ee4fd5fba076

NT 4.0 with IIS 2.0, 3.0
l World Wide Web Publishing Service
– 53e75790-d96b-11cd-ba18-08002b2dfead
l FTP Publishing Service
– 5c89f409-09cc-101a-89f3-02608c4d2361
l Gopher Publishing Service
– 04fcb220-fcfd-11cd-bec8-00aa0047ae4e

NT 4.0 with IE 5.01
l Task Scheduler
– 1ff70682-0a51-30e8-076d-740be8cee98b
– 378e52b0-c0a9-11cf-822d-00aa0051e40f

Task Scheduler
l Windows NT 4.0, 2000
– 1ff70682-0a51-30e8-076d-740be8cee98b
– 378e52b0-c0a9-11cf-822d-00aa0051e40f
l Windows XP, 2003
– 1ff70682-0a51-30e8-076d-740be8cee98b
– 378e52b0-c0a9-11cf-822d-00aa0051e40f
– 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53

SMTP service of IIS
l IIS 4.0 (NT)
– 8cfb5d70-31a4-11cf-a7d8-00805f48a135
l IIS 5.0 or later (2000, XP, 2003)
– 8cfb5d70-31a4-11cf-a7d8-00805f48a135
– 906b0ce0-c70b-1067-b317-00dd010662da

DHCP server
l Windows NT 4.0
– 6bffd098-a112-3610-9833-46c3f874532d
l Windows 2000, 2003
– 6bffd098-a112-3610-9833-46c3f874532d
– 5b821720-f63b-11d0-aad2-00c04fc324db

Message Queuing service
l 2000, XP, 2003
– fdb3a030-065f-11d1-bb9b-00a024ea5525
– 76d12b80-3467-11d3-91ff-0090272f9ea3
– 1088a980-eae5-11d0-8d9b-00a02453c337
– 41208ee0-e970-11d1-9b9e-00e02c064c39
l 2000
– 5b5b3580-b0e0-11d1-b92d-0060081e87f0
l XP
– 5b5b3580-b0e0-11d1-b92d-0060081e87f0
– 7e048d38-ac08-4ff1-8e6b-f35dbab88d4a
– fc13257d-5567-4dea-898d-c6f9c48415a0
l 2003
– fc13257d-5567-4dea-898d-c6f9c48415a0
– 1a9134dd-7b39-45ba-ad88-44d01ca47f28

SQL Server 7.0, 2000
l Interface ID
– 3f99b900-4d87-101b-99b7-aa0004007f07
l SQL Server 2000
– The Multiprotocol Net-Library, which uses RPC, is not installed by default, so this ID is usually absent

Messenger Service
l Used to have two interface IDs
1. 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
– Removed by the MS03-043 patch
– ncalrpc:[DNSResolver]
» with Windows 2000 Service Pack 3 or 4 installed
2. 17fdd703-1827-4e34-79d4-24a55c53bb37

XP Service Pack 1
l SSDP Discovery service
– 4b112204-0e19-11d3-b42b-0000f81feb9f
– runs in svchost.exe -k LocalService
– started after a local logon
l See "System Services for the Windows Server 2003 Family and Windows XP Operating Systems" on Microsoft TechNet

XP with SP1: Home or Professional
l Remote Registry Service
– Installed in XP Professional only, so its endpoint tells the two editions apart
– ncacn_np:\\FOO[\PIPE\winreg]

Identifying Interface IDs of RPC services
l Start/stop the service and compare the endpoint map before and after
l Fport or netstat -ano
– Match the TCP/UDP port of an endpoint to the owning process
l Search for the ID in the Registry
– HKEY_CLASSES_ROOT\Interface
l Search for the ID in binary files (EXE/DLL)
l Google

UUID in EXE/DLL files
l 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc (as printed)
l f8917b5a 00ff d011 a9b2 00c04fb6e6fc (as stored in the binary: the first three fields are little-endian)
– unsigned long      f8917b5a  (5a7b91f8 byte-swapped)
– unsigned short     00ff      (ff00 byte-swapped)
– unsigned short     d011      (11d0 byte-swapped)
– unsigned char [2]  a9b2      (unchanged)
– unsigned char [6]  00c04fb6e6fc (unchanged)
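
The byte layout above, turned into a search, as an added example that is not part of the original slides: it lays a textual UUID out as the GUID structure a compiler emits, searches an image for the interface IDs named on these slides, and carves unknown GUID-shaped values as a fallback. The sample image is constructed (a fake MZ header around two of the slides' GUIDs), not a real system binary; the carving heuristic is my own and its limits are noted in the code.

```python
"""Find RPC interface IDs inside EXE/DLL images by their in-memory GUID layout.

Added example, not from the slides. The sample image is constructed.
"""
import re
import struct
import uuid

# Interface IDs from the slides, in the textual form the endpoint mapper reports
KNOWN = {
    "5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc": "Messenger service (removed by MS03-043)",
    "1ff70682-0a51-30e8-076d-740be8cee98b": "Task Scheduler (AT interface)",
    "afa8bd80-7d8a-11c9-bef4-08002b102989": "Remote Management Interface",
}


def guid_bytes(text):
    """Lay a UUID string out as the GUID struct compiled into a binary:
    unsigned long, unsigned short, unsigned short (all little-endian), unsigned char[8].
    Done field by field so the byte swap is visible; equals uuid.UUID(text).bytes_le."""
    u = uuid.UUID(text)
    return struct.pack("<IHH", u.time_low, u.time_mid, u.time_hi_version) + u.bytes[8:]


def find_known_interface_ids(image, known=KNOWN):
    """Search an image for every known interface ID; returns sorted (offset, uuid, name)."""
    hits = []
    for text, name in known.items():
        for m in re.finditer(re.escape(guid_bytes(text)), image):
            hits.append((m.start(), text, name))
    return sorted(hits)


def carve_guid_candidates(image, align=4):
    """Heuristic for IDs not yet in the table: every aligned 16-byte window that looks
    like an RFC 4122 UUID (version nibble 1-5, variant bits 10). Many old Microsoft
    interface IDs predate that layout, e.g. the AT interface's clock_seq byte 0x07 has
    variant bits 00, so this carver misses them: use it to widen a search, not as truth."""
    found = []
    for off in range(0, len(image) - 15, align):
        w = image[off:off + 16]
        version, variant = w[7] >> 4, w[8] >> 6   # time_hi_and_version high byte, clock_seq_hi
        if 1 <= version <= 5 and variant == 2:
            found.append((off, str(uuid.UUID(bytes_le=w))))
    return found


# Constructed sample image: fake 16-byte MZ header, Messenger GUID, filler, AT GUID
SAMPLE_IMAGE = (b"MZ\x90\x00" + b"\x00" * 12
                + guid_bytes("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
                + b"\xcc" * 8
                + guid_bytes("1ff70682-0a51-30e8-076d-740be8cee98b"))
```

On a real system you would read a DLL with open(path, "rb").read() in place of SAMPLE_IMAGE; an exact match of a known ID is conclusive, while a carved candidate still has to be confirmed in HKEY_CLASSES_ROOT\Interface or against an endpoint map.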

Interface IDs and Operations of RPC services over SMB
l Samba IDL files
http://www.samba.org/cgi-bin/cvsweb/samba4/source/librpc/idl/

More Interface IDs, Operations, etc.
l "Windows network services internals" by Jean-Baptiste Marchand
http://www.hsc.fr/ressources/articles/win_net_srv/index.html.en

Agenda
l Information gathering for RPC troubleshooting
l Microsoft RPC
l Interface IDs of Windows RPC services
l Info gathering without authentication using RPC
l Online password cracking using RPC

XP, 2003: services sharing one process, svchost.exe -k netsvcs
6to4, AppMgmt, AudioSrv, Browser, CryptSvc,
DMServer, DHCP, ERSvc, EventSystem,
FastUserSwitchingCompatibility, HidServ, Ias, Iprip,
Irmon, LanmanServer, LanmanWorkstation,
Messenger, Netman, Nla, Ntmssvc,
NWCWorkstation, Nwsapagent, Rasauto, Rasman,
Remoteaccess, Schedule, Seclogon, SENS,
Sharedaccess, SRService, Tapisrv, Themes, TrkWks,
W32Time, WZCSVC, Wmi, WmdmPmSp, winmgmt,
TermService, wuauserv, BITS, ShellHWDetection,
helpsvc, Uploadmgr, WmdmPmSN

Exposed interfaces

XP, 2003: Using exposed interfaces of the Server service
l RemoteTOD
– Get the time and date of the server
– Without authentication
l ServerGetInfo
– Get server name, type and OS version; the server type flags reveal roles such as Domain Controller, SQL Server, Terminal Server
– With null user and null password authentication (a null session)
l ShareEnum
– Get information about all shared resources
– With null user and null password authentication

XP: Using exposed interfaces
l SessionEnum (Server service)
– Get information about all users logged on remotely
– With null user and null password authentication
l WkstaUserEnum (Workstation service)
– Get information about all users logged on locally
– Without authentication

Using exposed interface
l Demo

Gathering RPC information without the endpoint map
1. Do a port scan
2. Send "is_server_listening"
– Ask whether a server is listening for RPC on that port
3. Send "inq_if_ids"
– Inquire all interface IDs of the service on that port

Remote Management Interface
l Is implemented by every RPC server in an interoperable manner, because the rpc_mgmt interface is part of the DCE RPC runtime itself
l No authentication is needed to call the RMI operations
l Interface ID: afa8bd80-7d8a-11c9-bef4-08002b102989, version 1.0
l Operation No. 0 = inq_if_ids (returns the interface IDs and versions the server has registered)
l Operation No. 2 = is_server_listening
l (the remaining operations are 1 inq_stats, 3 stop_server_listening and 4 inq_princ_name)

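Step 3 of the procedure above (send inq_if_ids) and the reading of its answer, as an added example that is not part of the original talk: it builds the request PDU, strips the response header, decodes the NDR-marshalled interface ID vector, and labels the IDs with the service names given on these slides. It also shows how a fault PDU's status word is read, since a fault is what a refused call returns. The server reply in the test is constructed here (the interface versions in it are sample values), not captured from a host, and the code assumes no authentication trailer on the PDUs, as for anonymous RMI calls.

```python
"""Decode a Remote Management Interface inq_if_ids reply into interface IDs.

Added example, not from the slides. The server replies used in the test are
constructed here, marshalled per the layout documented in parse_inq_if_ids.
"""
import struct
import uuid

RMI_UUID = "afa8bd80-7d8a-11c9-bef4-08002b102989"   # rpc_mgmt, version 1.0
OP_INQ_IF_IDS, OP_INQ_STATS, OP_IS_SERVER_LISTENING = 0, 1, 2
PTYPE_REQUEST, PTYPE_RESPONSE, PTYPE_FAULT = 0, 2, 3

# Interface IDs named on the slides, used to label what a host reports
KNOWN_INTERFACES = {
    "e1af8308-5d1f-11c9-91a4-08002b14a0fa": "Endpoint Mapper (RPCSS)",
    "99fcfec4-5260-101b-bbcb-00aa0021347a": "IOXIDResolver (RPCSS)",
    "4d9f4ab8-7d1c-11cf-861e-0020af6e7c57": "IRemoteActivation (RPCSS)",
    "000001a0-0000-0000-c000-000000000046": "ISystemActivator (RPCSS, 2000/XP/2003)",
    "1d55b526-c137-46c5-ab79-638f2a68e869": "RPCSS (XP/2003 only)",
    "1ff70682-0a51-30e8-076d-740be8cee98b": "Task Scheduler (AT interface)",
    "afa8bd80-7d8a-11c9-bef4-08002b102989": "Remote Management Interface",
}


def pdu_header(ptype, body_len, call_id):
    """Common 16-byte header: version 5.0, first+last fragment, little-endian NDR."""
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00",
                       16 + body_len, 0, call_id)


def build_inq_if_ids_request(call_id=2, ctx_id=0):
    """inq_if_ids has only [out] parameters, so the request stub is empty."""
    return pdu_header(PTYPE_REQUEST, 8, call_id) + struct.pack("<IHH", 0, ctx_id, OP_INQ_IF_IDS)


def response_stub(pdu):
    """Strip the 24-byte response header (common header + alloc_hint, p_cont_id,
    cancel_count, reserved). A fault PDU carries a 32-bit status at offset 24 instead;
    0x00000005 (access denied) is the value the password-checking slides rely on.
    Assumes auth_length 0, i.e. no authentication trailer after the stub."""
    ptype, frag_len = pdu[2], struct.unpack_from("<H", pdu, 8)[0]
    if ptype == PTYPE_FAULT:
        raise RuntimeError("rpc fault, status 0x%08x" % struct.unpack_from("<I", pdu, 24)[0])
    if ptype != PTYPE_RESPONSE:
        raise ValueError(f"unexpected ptype {ptype}")
    return pdu[24:frag_len]


def parse_inq_if_ids(stub):
    """Decode [out] rpc_if_id_vector_p_t *if_id_vector, [out] unsigned32 *status.

    NDR layout, little-endian:
      referent id of the vector pointer (4)        0 means NULL, only status follows
      max_count of the conformant if_id array (4)  hoisted to the front of the struct
      count (4)
      count x referent ids, one per rpc_if_id_p_t (4 each)
      count x deferred rpc_if_id_t: uuid (16), vers_major (2), vers_minor (2)
      status (4)
    Returns ([(uuid, major, minor), ...], status).
    """
    off = 0
    referent = struct.unpack_from("<I", stub, off)[0]; off += 4
    if referent == 0:
        return [], struct.unpack_from("<I", stub, off)[0]
    max_count, count = struct.unpack_from("<II", stub, off); off += 8
    if count > max_count:
        raise ValueError("array count exceeds its conformance")
    ptrs = struct.unpack_from("<%dI" % count, stub, off); off += 4 * count
    ifids = []
    for p in ptrs:
        if p == 0:                                  # NULL element has no deferred body
            continue
        u = uuid.UUID(bytes_le=stub[off:off + 16]); off += 16
        major, minor = struct.unpack_from("<HH", stub, off); off += 4
        ifids.append((str(u), major, minor))
    return ifids, struct.unpack_from("<I", stub, off)[0]


def build_inq_if_ids_response(ifids, status=0, call_id=2):
    """Constructed server reply for the test, marshalled per the layout above."""
    stub = struct.pack("<III", 0x00020000, len(ifids), len(ifids))
    stub += b"".join(struct.pack("<I", 0x00020004 + 4 * i) for i in range(len(ifids)))
    for u, major, minor in ifids:
        stub += uuid.UUID(u).bytes_le + struct.pack("<HH", major, minor)
    stub += struct.pack("<I", status)
    resp_hdr = struct.pack("<IHBB", len(stub), 0, 0, 0)   # alloc_hint, p_cont_id, cancel, pad
    return pdu_header(PTYPE_RESPONSE, 8 + len(stub), call_id) + resp_hdr + stub


def build_fault(status, call_id=2):
    """Constructed fault PDU: response-style fields, then status at offset 24, 4 reserved."""
    return pdu_header(PTYPE_FAULT, 16, call_id) + struct.pack("<IHBBII", 0, 0, 0, 0, status, 0)


def label_interfaces(ifids, known=KNOWN_INTERFACES):
    """Attach service names; unknown IDs stay visible as candidates for registry/binary search."""
    return [(u, f"{major}.{minor}", known.get(u, "unknown")) for u, major, minor in ifids]
```

Against a live port the sequence is: bind to RMI_UUID version 1.0, send build_inq_if_ids_request(), pass the reply to response_stub and parse_inq_if_ids, then label_interfaces; every ID that comes back "unknown" is something to look up in HKEY_CLASSES_ROOT\Interface or in the service's binaries.
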
XP Service Pack 2
l RPC interface restriction through user authentication: anonymous remote calls are rejected by default (the RestrictRemoteClients setting)
l Strong possibility of RMI being restricted as well

Agenda
l Information gathering for RPC troubleshooting
l Microsoft RPC
l Interface IDs of Windows RPC services
l Info gathering without authentication using RPC
l Online password cracking using RPC

Online password cracking
l Needs the following information
– Interface IDs
– Operations and their arguments
– Results, such as the type of error returned for bad credentials

Even if the information is unavailable
l Use the Remote Management Interface
– With authentication! (bind with the guessed user name and password)
– Send "is_server_listening"
– A wrong password is reported as the access denied error status, 0x05

Online password cracking
l Demo

When the password is cracked
l Schedule commands through the AT service (JobAdd with the cracked credentials)
l Demo
– ncacn_ip_tcp:192.168.0.101[1025]

Well-known endpoint dump tools with source code
l rpcdump by Sir Dystic [cDc]
l rpctools by Todd Sabin
l dcedump in SPIKE by Dave Aitel

RpcScan by Urity
l Released June 2003
l No new dump techniques
l Over 10,000 downloads last year

Summary
l Interface IDs of Windows RPC services
l Info gathering without authentication using RPC
l Online password cracking using RPC

Special thanks to Sir Dystic [cDc]
