Nmap Development mailing list archives

Re: RPC over HTTP (ncacn_http)


From: Martin Mačok <martin.macok () underground cz>
Date: Sat, 5 Mar 2005 11:51:43 +0100

On Fri, Mar 04, 2005 at 09:16:51PM -0500, Jon-Erik wrote:

> More information about RPC over HTTP can be found at
> http://www.msexchange.org/tutorials/outlookrpchttp.html

Not much of use from a developer's point of view. However, getting the
protocol spec is not the problem here, it is the time to read it and
implement it for version scan use :-)

Anyway, take a look at dcetest.nasl (GPLv2) Nessus plugin or the
original dcetest (GPL) from Dave Aitel ...

(By the way, the whole concept of RPC over HTTP seems rather silly to me
- first we realize that Microsoft's RPC protocols are insecure so we
set up our firewalls to block them in and out of our house ...
then Microsoft realizes we are blocking them so they start
tunneling it through http so they can traverse the net again - and
they even call it "security"! It also reminds me of the
virus/antivirus culture ;-)

> This is a relatively new thing

This MAPI might be new but the RPC over HTTP protocol itself is not that
hot ...

> and, since it requires Outlook 2003 SP1, it may not be widely
> deployed. Yet. But since it is a form of RPC and it provides full
> MAPI access, and...er, it's from Microsoft, something tells me we'll
> be hearing about this sooner or later in a not so good way.

I agree. However, the chance is there might also be even worse things
around by that time :-)

> 3389/tcp open     microsoft-rdp   Microsoft Terminal Service

OK, this is correct now.

> ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
> SF-Port593-TCP:V=3.81%D=3/4%Time=422915C8%P=i386-unknown-freebsd5.3%r(NULL
> SF:,E,"ncacn_http/1\.0")%r(GenericLines,E,"ncacn_http/1\.0")%r(GetRequest,
> SF:E,"ncacn_http/1\.0")%r(HTTPOptions,E,"ncacn_http/1\.0")%r(RTSPRequest,E
> SF:,"ncacn_http/1\.0")%r(RPCCheck,E,"ncacn_http/1\.0")%r(DNSVersionBindReq
> SF:,E,"ncacn_http/1\.0")%r(DNSStatusRequest,E,"ncacn_http/1\.0")%r(Help,E,
> SF:"ncacn_http/1\.0")%r(SSLSessionReq,E,"ncacn_http/1\.0")%r(SMBProgNeg,26
> SF:,"ncacn_http/1\.0\x05\0\r\x03\x10\0\0\0\x18\0\0\0\0\x08\x01@\x04\0\x01\
> SF:x05\0\0\0\0")%r(X11Probe,E,"ncacn_http/1\.0")%r(LPDString,E,"ncacn_http
> SF:/1\.0")%r(LDAPBindReq,E,"ncacn_http/1\.0")%r(LANDesk-RC,E,"ncacn_http/1
> SF:\.0")%r(TerminalServer,E,"ncacn_http/1\.0")%r(NCP,E,"ncacn_http/1\.0")%
> SF:r(NotesRPC,E,"ncacn_http/1\.0")%r(WMSRequest,E,"ncacn_http/1\.0")%r(ora
> SF:cle-tns,E,"ncacn_http/1\.0");

[and so on]

As you can see, the current set of probes couldn't get anything more
than "ncacn_http/1.0" response so we can't tell which service is behind
it. You could use the patch I've sent previously to get at least
ncacn_http   Microsoft Network Computing Architecture Connection-Oriented RPC Protocol
recognition (or something shorter if you prefer) before someone
implements something better.

Cheers,

Martin Mačok
ICT Security Consultant
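The fingerprint quoted above, decoded as an added example that is not part of this email or of Nmap's own code: it joins the SF lines, unescapes each probe's response, and reads the extra bytes that only the SMBProgNeg probe got back as a DCE/RPC connection-oriented PDU header. The FINGERPRINT constant is a constructed subset of the quoted record, and treating the trailer as a DCE/RPC header (and its bind_nak reject reason) is an interpretation the email itself does not make.

```python
import re
# Constructed subset of the fingerprint quoted above, in nmap's SF line layout (SMBProgNeg verbatim).
FINGERPRINT = r'''SF-Port593-TCP:V=3.81%D=3/4%Time=422915C8%P=i386-unknown-freebsd5.3%r(NULL
SF:,E,"ncacn_http/1\.0")%r(GetRequest,E,"ncacn_http/1\.0")%r(SMBProgNeg,26
SF:,"ncacn_http/1\.0\x05\0\r\x03\x10\0\0\0\x18\0\0\0\0\x08\x01@\x04\0\x01\
SF:x05\0\0\0\0")%r(oracle-tns,E,"ncacn_http/1\.0");'''
SIMPLE = {'0': 0, 'r': 13, 'n': 10, 't': 9, 'a': 7, '\\': 92, '"': 34}
PTYPES = {0: 'request', 2: 'response', 3: 'fault', 11: 'bind', 12: 'bind_ack', 13: 'bind_nak'}
PROBE_RE = re.compile(r'%r\(([\w-]+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')

def join_fingerprint(text):
    # Drop any "> " mail-quote prefix, then the "SF-Port...:" header and "SF:" continuation prefixes
    lines = [l.lstrip('> ') for l in text.splitlines()]
    return ''.join(l.split(':', 1)[1] if l.startswith('SF-Port') else l[3:]
                   for l in lines if l.startswith('SF'))

def unescape(s):
    # nmap escapes: \xHH, \0, \r ... plus regex-escaped literals such as \. standing for '.'
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] != '\\':
            out.append(ord(s[i])); i += 1
        elif s[i + 1] == 'x':
            out.append(int(s[i + 2:i + 4], 16)); i += 4
        else:
            out.append(SIMPLE.get(s[i + 1], ord(s[i + 1]))); i += 2
    return bytes(out)

def parse_probes(text):
    # probe name -> (declared length, decoded response bytes); the length field is hex
    return {m.group(1): (int(m.group(2), 16), unescape(m.group(3)))
            for m in PROBE_RE.finditer(join_fingerprint(text))}

def dcerpc_header(pdu):
    # 16-byte DCE/RPC connection-oriented common header; drep byte 0, bit 4 set = little-endian ints
    if len(pdu) < 16:
        return None
    order = 'little' if pdu[4] & 0x10 else 'big'
    hdr = {'version': (pdu[0], pdu[1]), 'ptype': PTYPES.get(pdu[2], pdu[2]),
           'pfc_flags': pdu[3], 'frag_length': int.from_bytes(pdu[8:10], order),
           'call_id': int.from_bytes(pdu[12:16], order)}
    if hdr['ptype'] == 'bind_nak' and len(pdu) >= 18:   # reason 4 = protocol_version_not_supported
        hdr['reject_reason'] = int.from_bytes(pdu[16:18], order)
    return hdr

def analyse(text=FINGERPRINT, banner=b'ncacn_http/1.0'):
    # Headers of the responses whose length matches the declared one and that go past the banner
    return {name: dcerpc_header(resp[len(banner):]) for name, (n, resp) in parse_probes(text).items()
            if len(resp) == n and resp.startswith(banner) and len(resp) > len(banner)}
```

Running analyse() shows that every probe except SMBProgNeg got only the 14-byte banner, and that SMBProgNeg's 24 extra bytes decode as a version 5.0 bind_nak with frag_length 24, which is what makes the bare "ncacn_http/1.0" match too coarse to name the service behind the port.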

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org
