msrpc auditing tools and techniques
play

MSRPC Auditing Tools and Techniques DeepSec 2007 Aaron Portnoy 1 - PowerPoint PPT Presentation

Nov 11, 2023 •472 likes •779 views

Background MSRPC RPC Tools What Weve Done Examples Questions MSRPC Auditing Tools and Techniques DeepSec 2007 Aaron Portnoy 1 Cody Pierce 2 1 aportnoy@tippingpoint.com 2 cpierce@tippingpoint.com DeepSec Fall 2007 Portnoy, Pierce MSRPC

  1. Background MSRPC RPC Tools What We’ve Done Examples Questions MSRPC Auditing Tools and Techniques DeepSec 2007 Aaron Portnoy 1 Cody Pierce 2 1 aportnoy@tippingpoint.com 2 cpierce@tippingpoint.com DeepSec Fall 2007 Portnoy, Pierce MSRPC Auditing Tools and Techniques

  2. Background MSRPC Introduction RPC Tools Why Do We Care About MSRPC in 2007? What We’ve Done History of MSRPC Issues Examples Questions About Us Work at TippingPoint’s Digital Vaccine Labs Responsible for vuln-dev, patch analysis, pen-testing Keep tabs on us at http://dvlabs.tippingpoint.com Authors and contributors to: Sulley Fuzzing Framework PyEmu x86 Emulator PaiMei Reverse Engineering Framework Portnoy, Pierce MSRPC Auditing Tools and Techniques

  3. Background MSRPC Introduction RPC Tools Why Do We Care About MSRPC in 2007? What We’ve Done History of MSRPC Issues Examples Questions Talk Outline Background Why do we care about MSRPC in 2007? History of MSRPC Issues and Mitigations How it Works RPC Tools Existing Tools Problems Auditing Locating MSRPC Services Talking to MSRPC Services What We’ve Done Our Toolset Demos Portnoy, Pierce MSRPC Auditing Tools and Techniques

  4. Background MSRPC Introduction RPC Tools Why Do We Care About MSRPC in 2007? What We’ve Done History of MSRPC Issues Examples Questions Why do we care about MSRPC in 2007? Simple bugs are still turning up MS07-029 Vulnerability in Windows DNS RPC Interface MS06-070 Vulnerability in Workstation Service MS06-066 Vulnerabilities in Client Service for NetWare MS06-040 Vulnerability in Server Service MS06-025 Vulnerability in Routing and Remote Access 3rd parties still implement obscenely unsafe RPC services Computer Associates (BrightStor Message/Tape Engine Many MSRPC services haven’t been fully audited Trying to audit 3rd party RPC is still tedious Takes longer to get the NDR correct than to find bugs Portnoy, Pierce MSRPC Auditing Tools and Techniques

  5. Background MSRPC Introduction RPC Tools Why Do We Care About MSRPC in 2007? What We’ve Done History of MSRPC Issues Examples Questions History of MSRPC MSRPC Vulnerabilities Some DoS bugs as far back as 1998 MS00-066 Malformed RPC Packet Vulnerability MS03-026 Buffer Overrun In RPC Interface (Blaster Worm) MS04-031 Vulnerability in NetDDE MS05-047 Vulnerability in Plug and Play MS07-029 Vulnerability in Windows DNS RPC Interface ad nauseam Other Issues Interface hopping, NULL sessions Some Architectual Mitigations Named pipe firewalls NULL session restrictions Portnoy, Pierce MSRPC Auditing Tools and Techniques

  6. Background MSRPC Introduction RPC Tools Why Do We Care About MSRPC in 2007? What We’ve Done History of MSRPC Issues Examples Questions Current Issues Despite architectual changes to MSRPC 3rd parties still do bad things.. often Examples Google for ’CA brightstor rpc vulnerability’ (32,600 hits currently) Samba’s recent heap overflows Novell Client Print Services RPC Stack Overflows Portnoy, Pierce MSRPC Auditing Tools and Techniques

  7. Background MSRPC RPC Tools MSRPC Breakdown What We’ve Done MSRPC Problems Examples Questions MSRPC - Why it was developed Client/Server model for remotely calling functions as if they were local Microsoft forked off from the DCE standard MSRPC has support for Unicode strings, more complex size calculations, interface inheritance Some Microsoft services that utilize MSRPC Print Services Message Queuing DNS Exchange Distributed File System Workstation Services Portnoy, Pierce MSRPC Auditing Tools and Techniques

  8. Background MSRPC RPC Tools MSRPC Breakdown What We’ve Done MSRPC Problems Examples Questions MSRPC - How it Works UUIDs UUIDS are unique identifiers for a given interface Stubs Allow for a client to call a function in the stub locally but have it executed remotely midl.exe from Microsoft generates these IDL Files Defines the interfaces, structures, functions and their arguments Structures Unions Opcodes (functions) Portnoy, Pierce MSRPC Auditing Tools and Techniques

  9. Background MSRPC RPC Tools MSRPC Breakdown What We’ve Done MSRPC Problems Examples Questions MSRPC - How it Works (cont.) Communication (endpoints) TCP UDP SMB (remote named pipes) local named pipes HTTP Other more obscure protocols... The endpoint mapper (EPM) Query the endpoint mapper to determine port information for a given UUID Only works if the service registers itself with the EPM Portnoy, Pierce MSRPC Auditing Tools and Techniques

  10. Background MSRPC RPC Tools MSRPC Breakdown What We’ve Done MSRPC Problems Examples Questions MSRPC - Binaries RPC information is stored in the binaries using the following important data and structures Format String Defines the parameter, data structures, and return values pulled from the IDL RPC SERVER INTERFACE structure the TransferSyntax element defines the UUID the InterpreterInfo element points to the MIDL SERVER INFO structure MIDL SERVER INFO DispatchTable element points to the opcode handler functions Portnoy, Pierce MSRPC Auditing Tools and Techniques

  11. Background MSRPC RPC Tools MSRPC Breakdown What We’ve Done MSRPC Problems Examples Questions Problems Auditing RPC First Steps Locating the module that defines the server Could be in the main EXE or any loaded DLLs Retrieving IDL information Sometimes the tools used return incomplete information Determining pipe names Often requires reversing the binary in IDA 3rd party tools can aid in this Determining authentication requirements Portnoy, Pierce MSRPC Auditing Tools and Techniques

  12. Background MSRPC RPC Tools MSRPC Breakdown What We’ve Done MSRPC Problems Examples Questions Problems Auditing RPC Creating the request NDR marshalling is complicated If you are one byte off, communication will likely fail Communicating with the server Unmarshalling problems Bad Stub Data Debugging this error can be very trying Domain or computer name requirements Some services validate these and will bail if not correct Portnoy, Pierce MSRPC Auditing Tools and Techniques

  13. Background MSRPC RPC Tools RPC Tools What We’ve Done Examples Questions RPC Tools unmidl.py Written by Dave Aitel Hi, Dave Based off muddle, retrieves IDL information from the format strings in the binaries Better handles complex objects http://www.immunitysec.com/resources-freesoftware.shtml Portnoy, Pierce MSRPC Auditing Tools and Techniques

  14. Background MSRPC RPC Tools RPC Tools What We’ve Done Examples Questions RPC Tools mIDA MIDL Analyzer for IDA Written and maintained by Tenable Security IDApython script Also pulls out IDL information from binaries http://cgi.tenablesecurity.com/tenable/mida.php Portnoy, Pierce MSRPC Auditing Tools and Techniques

  15. Background MSRPC RPC Tools RPC Tools What We’ve Done Examples Questions RPC Tools rpcdump Many tools by this name Microsoft CORE Security Sir Dystic Tool for enumerating endpoint information Queries the endpoint mapper ifids Dumps interface information given a protocol sequence and a host Portnoy, Pierce MSRPC Auditing Tools and Techniques

  16. Background MSRPC Framework Components RPC Tools The Process What We’ve Done Why this is useful Examples Supplementary Tools Questions Toolset Components PyMSRPC consists of the following components Lexer and Parser Allows us to skip the process of rewriting mIDA or unmidl A library of NDR objects Defines marshalling information for NDR types Allows for retrieval of the on-the-wire bytestream Utlizes Impacket from CORE for transport We extend it’s functionality to support context handle communication Tie-ins for the Sulley Fuzzing Framework Allows you to fuzz RPC services parsed by PyMSRPC Portnoy, Pierce MSRPC Auditing Tools and Techniques

  17. Background MSRPC Framework Components RPC Tools The Process What We’ve Done Why this is useful Examples Supplementary Tools Questions Using PyMSRPC You simply provide an IDL file You will be returned: Instantiated, linked python objects for each: UUID Opcode Structure Union Array You can then populate them with data (optionally) and instantly communicate with the server PyMSRPC takes a couple of seconds to parse the largest Microsoft IDL (2000 lines) and give you these objects Portnoy, Pierce MSRPC Auditing Tools and Techniques

  18. Background MSRPC Framework Components RPC Tools The Process What We’ve Done Why this is useful Examples Supplementary Tools Questions Why is this useful? You no longer have to worry about the complicated and error prone marshalling process See next slide You can immediately communicate and audit an RPC service Portnoy, Pierce MSRPC Auditing Tools and Techniques

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Tools & Techniques Triage Using 99 Business Analyst Techniques to better understand

Tools & Techniques Triage Using 99 Business Analyst Techniques to better understand

Tools & Techniques Triage Using 99 Business Analyst Techniques to better understand your teams skills and training needs. Agenda Introduction The idea explained Round 1: Card sorting techniques Round 2: Visualising

370 views • 10 slides
OSINT tools for security auditing Open Source Intelligence with python tools Jos Manuel Ortega

OSINT tools for security auditing Open Source Intelligence with python tools Jos Manuel Ortega

OSINT tools for security auditing Open Source Intelligence with python tools Jos Manuel Ortega @jmortegac http://jmortega.github.io https://github.com/jmortega/osint_tools_security_auditing Agenda OSINT introduction Server

743 views • 62 slides
Remarks on Auditing, Regulatory Auditing and Regulatory Auditing Strategy Prof. Dr. Horst

Remarks on Auditing, Regulatory Auditing and Regulatory Auditing Strategy Prof. Dr. Horst

Remarks on Auditing, Regulatory Auditing and Regulatory Auditing Strategy Prof. Dr. Horst Frankenberger University of Applied Sciences Lbeck SG 4: Auditing - Lbeck 16.09.2002 1 Remarks on Auditing, Regulatory Auditing and Regulatory

305 views • 16 slides
Cyber@UC Meeting 64 Wireless Auditing and Monitoring Tools If Youre New! Join our Slack:

Cyber@UC Meeting 64 Wireless Auditing and Monitoring Tools If Youre New! Join our Slack:

Cyber@UC Meeting 64 Wireless Auditing and Monitoring Tools If Youre New! Join our Slack: ucyber.slack.com SIGN IN! (Slackbot will post the link in #general every Wed@6:30) Feel free to get involved with one of our committees:

503 views • 15 slides
Auditing Derivatives and Hedge Contracts Under ASC 815, 820 and Other Guidance Mastering Key

Auditing Derivatives and Hedge Contracts Under ASC 815, 820 and Other Guidance Mastering Key

Auditing Derivatives and Hedge Contracts Under ASC 815, 820 and Other Guidance Mastering Key Challenges and Analysis Techniques for Swaps, Options and Other Financial Instruments TUESDAY, FEBRUARY 25, 2014, 1:00-2:50 pm Eastern IMPORTANT

682 views • 54 slides
Ti e Voice of Reason We have all of these tools and techniques, but are we any better?

Ti e Voice of Reason We have all of these tools and techniques, but are we any better?

And Ti e Voice of Reason We have all of these tools and techniques, but are we any better? PRESENT Modern Software Development Anti-Patterns Reconciliation by Scot A Harvest Note the lack of flu fg y animals in this talk - that's right

349 views • 34 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
3 Tools & 3 Techniques in PG Estate Planning Council of SW Washington (sponsored by the Clark

3 Tools & 3 Techniques in PG Estate Planning Council of SW Washington (sponsored by the Clark

3 Tools & 3 Techniques in PG Estate Planning Council of SW Washington (sponsored by the Clark College Foundation) October 2015 Three Main Tools in Planned Giving NUMBER #1: THE BEQUEST! Can Be a Specific Dollar Amount (not common)

456 views • 21 slides
Social Engineering Techniques, Methods, Tools & Mitigation Panagiotis Gkatziroulis, Security

Social Engineering Techniques, Methods, Tools & Mitigation Panagiotis Gkatziroulis, Security

Social Engineering Techniques, Methods, Tools & Mitigation Panagiotis Gkatziroulis, Security Consultant Agenda Social Engineering Methodology Attacks & Techniques Demos Tools of the trade Prevention Methods and Advice

502 views • 27 slides
Patient Experience Webinar Series Part III Capturing the Patient Experience: Tools, Techniques,

Patient Experience Webinar Series Part III Capturing the Patient Experience: Tools, Techniques,

Patient Experience Webinar Series Part III Capturing the Patient Experience: Tools, Techniques, and Methods February 17th, 2016 Todays Objectives Learn about a few tools, techniques and methods you can use to capture / examine the

486 views • 37 slides
Auditing Chapter 25 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-1

Auditing Chapter 25 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-1

Auditing Chapter 25 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-1 Outline Overview What is auditing? What does an audit system look like? How do you design an auditing system? Auditing mechanisms

1.4k views • 88 slides
Formal Techniques and Tools For Software Health Management John Rushby (for N. Shankar) Computer

Formal Techniques and Tools For Software Health Management John Rushby (for N. Shankar) Computer

Formal Techniques and Tools For Software Health Management John Rushby (for N. Shankar) Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Formal Tools and Techniques For SWHM 1 Introduction New project,

364 views • 7 slides
Some key ideas, techniques, tools and applica5ons Random

Some key ideas, techniques, tools and applica5ons Random

Some key ideas, techniques, tools and applica5ons Random selec5on choose typical element of a set, avoiding rare bad elements. Example:

288 views • 9 slides
Behavioural Tools & Techniques George Allcock September 2018 BHSE A Behavioural Tools and

Behavioural Tools & Techniques George Allcock September 2018 BHSE A Behavioural Tools and

BHSE A Behavioural Tools and Techniques September 2018 Behavioural Tools & Techniques George Allcock September 2018 BHSE A Behavioural Tools and Techniques September 2018 Good / Not Good? Note the power and value of photos BHSE A

585 views • 31 slides
Tools and Techniques for Creating Responsive Web Content Matthew Ellison Matthew Ellison

Tools and Techniques for Creating Responsive Web Content Matthew Ellison Matthew Ellison

Tools and Techniques for Creating Responsive Web Content Matthew Ellison Matthew Ellison Consultant and trainer for User Assistance tools and technologies Technical Director of annual UA Europe conference The questions well answer

955 views • 54 slides
Literature review: Slide Authoring Tools and Techniques For Presentations Kartik Andalam

Literature review: Slide Authoring Tools and Techniques For Presentations Kartik Andalam

Literature review: Slide Authoring Tools and Techniques For Presentations Kartik Andalam University of Auckland Software Engineering kand617@aucklanduni.ac.nz ABSTRACT For slide generation we study three tools of varying function- ality. The

634 views • 4 slides
District 2017/18 Unaudited Actuals September 12, 2018 1 SPUSD 2017/18 Unaudited Actuals

District 2017/18 Unaudited Actuals September 12, 2018 1 SPUSD 2017/18 Unaudited Actuals

Santa Paula Unified School District 2017/18 Unaudited Actuals September 12, 2018 1 SPUSD 2017/18 Unaudited Actuals Timeline and Process The Unaudited Actuals are the 4 th and final financial report prepared for 2017/18 The Fiscal

440 views • 7 slides
Enhancing UCLA Athletic Event Sustainability Through Development of Comprehensive Green Templates

Enhancing UCLA Athletic Event Sustainability Through Development of Comprehensive Green Templates

Enhancing UCLA Athletic Event Sustainability Through Development of Comprehensive Green Templates Stakeholders: Kayla Shirey, Derek Doolittle Team leaders: Jacob Gerigk, Zachary Alter Team members: Kate Minden, Sarina Levin, Jonah Eisen, Amber

376 views • 12 slides
Presentation Title Name, Title Maricopa County Elections Department | 602-506-1511 |

Presentation Title Name, Title Maricopa County Elections Department | 602-506-1511 |

MARICOPA COUNTY P r e s i d e n t i a l P r e f e r e n c e E l e c t i o n CANVASS REPORT Elections Department MARCH 17, 2020 Presentation Title Name, Title Maricopa County Elections Department | 602-506-1511 | Maricopa.Vote Board of

237 views • 7 slides
Combining Agile and Strengths How to Capitalize on the Strengths Movement

Combining Agile and Strengths How to Capitalize on the Strengths Movement

Combining Agile and Strengths How to Capitalize on the Strengths Movement Monday, August 15, 2011 What is the strengths movement? Monday, August 15, 2011 What is the strengths movement? Monday, August 15, 2011

208 views • 16 slides
Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May 22, 2015 The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response

407 views • 13 slides
DBA Tutorial Kai Voigt Senior MySQL Instructor Sun Microsystems kai@sun.com Santa Clara, April

DBA Tutorial Kai Voigt Senior MySQL Instructor Sun Microsystems kai@sun.com Santa Clara, April

DBA Tutorial Kai Voigt Senior MySQL Instructor Sun Microsystems kai@sun.com Santa Clara, April 12, 2010 Donnerstag, 8. April 2010 Certification Details http://www.mysql.com/certification/ Registration at Conference Closed Book

1.12k views • 87 slides
APPLICATIONS 1. Automatic toll collection 2. Traffic law enforcement 3. Parking lot access

APPLICATIONS 1. Automatic toll collection 2. Traffic law enforcement 3. Parking lot access

A UTOMATIC L ICENSE P LATE R ECOGNITION (ALPR) ON EMBEDDED SYSTEM Presented by Guanghan APPLICATIONS 1. Automatic toll collection 2. Traffic law enforcement 3. Parking lot access control 4. Road traffic monitoring ALPR SYSTEM : SEVERAL STAGES

550 views • 23 slides
Decided to self-manage! Engineering Department Investigated options with outside firms and

Decided to self-manage! Engineering Department Investigated options with outside firms and

Westlake as a community. 17 square miles in N.W. Cuyahoga County. 33,000 residents. P ublic I nvolvement & 13,650 housing units w/ median value price +$200,000 (1999 Census) . Affluent & educated populace. P ublic E

260 views • 3 slides

More recommend