Friday, 29 March 2013

Remote procedure call (RPC)


is an inter-process communication that allows a computer program to execute a subroutine or procedure in another address space (commonly on another computer on a shared network) without the programmer explicitly coding the connection for this remote interaction.

The idea of treating network operations as remote procedure calls can be traced back to the ARPANET in the 1980s.  Xerox under the name "Courier" implemented one of the first business uses of RPC in 1981. The first popular implementation of RPC on Unix was Sun's RPC (now called ONC RPC), this was used as the basis for Network File System (NFS).

The RPC (Remote Procedure Call) mechanism allows an application to seamlessly invoke remote procedures, as if these procedures were executed locally. There are two main implementations of the RPC mechanism:
  • ONC RPC 
  • DCE RPC (MSRPC)
RPC allows one program to request a service from a program located in another computer in a network without having to understand network details. RPC uses the client/server model. The requesting program is a client and the service-providing program is the server. A number of interesting services run as Remote Procedure Call (RPC) services using dynamically assigned high ports. 

Portmappers


To keep track of registered endpoints and present clients with accurate details of listening RPC services, a portmapper service listens on known TCP and UDP ports and maps RPC program numbers and versions to Internet port numbers.

  • The ONCRPC portmapper (also known as rpcbind within Solaris) can be queried using the rpcinfo command found on most Unix-based platform and listens on TCP and UDP port 111
  • The Microsoft RPC endpoint mapper (also known as the DCE locator service) listens on both TCP and UDP port 135


ONC RPC


Open Network Computing (ONC) Remote Procedure Call (RPC)  was originally developed by Sun Microsystems as part of their Network File System project. It was orginally described in RFC 1831, published in 1995. RFC 5531, published in 2009, is the current version. Authentication mechanisms used by ONC RPC are described in RFC 2695, RFC 2203, and RFC 2623. In 2009, Sun relicensed the ONC RPC code under the standard 3-clause BSD license and then reconfirmed by Oracle Corporation in 2010 following confusion about the scope of the re-licensing.

The port mapper (rpc.portmap or just portmap, or rpcbind) is an Open Network Computing Remote Procedure Call (ONC RPC) service that runs on network nodes that provide other ONC RPC services.

The port mapper service always uses TCP or UDP port 111; a fixed port is required for it, as a client would not be able to get the port number for the port mapper service from the port mapper itself. The port mapper must be started before any other RPC servers are started.

MSRPC


Microsoft RPC (Microsoft Remote Procedure Call) is a modified version of DCE/RPC. Additions include support for Unicode strings, implicit handles, inheritance of interfaces (which are extensively used in DCOM). Examples of Microsoft applications and services that use port 135 for endpoint mapping include Outlook, Exchange, and the Messenger Service.

Depending on the host configuration, the RPC endpoint mapper can be accessed through TCP and UDP port 135, via SMB with a null or authenticated session (TCP 139 and 445), and as a web service listening on TCP port 593

Enumeration


Both ONC RPC and MSRPC portmappers can be interrogated to provide information on the services that are running through them.

The rpcinfo tool can be used on Unix systems to enumerate the services running on port 111 (rpcbind) or 32771 (Sun's alternate portmapper). For windows systems tools such as edump can be used. Nmap has a number of useful scripts


  • msrpc-enum
  • rpc-grind
  • rpcap-brute
  • rpcap-info
  • rpcinfo
  • msrpc
  • msrpctypes
  • nrpc


In addition to those listed above a number of the smb scripts use RPC to enumerate services. When enumerating the services we are looking for interesting services such as nfs, rusers, mountd along with information on smb.

In networks protected by firewalls and other mechanisms, access to the RPC portmapper service running on port 111 is often filtered. Therefore, determined attackers can scan high port ranges (UDP and TCP ports 32771 through 34000 on Solaris hosts) to identify RPC services that are open to direct attack.
You can run nmap with the -sR option to identify RPC services listening on high ports if the portmapper is inaccessible.

No comments:

Post a Comment