Nmap Development mailing list archives
Re: RPC over HTTP (ncacn_http)
From: Martin Mačok <martin.macok () underground cz>
Date: Sat, 5 Mar 2005 11:51:43 +0100
On Fri, Mar 04, 2005 at 09:16:51PM -0500, Jon-Erik wrote:

> More information about RPC over HTTP can be found at http://www.msexchange.org/tutorials/outlookrpchttp.html

Not much of use from a developer's point of view. However, getting the protocol spec is not the problem here, it is the time to read it and implement it for version scan use :-) Anyway, take a look at dcetest.nasl (GPLv2) Nessus plugin or the original dcetest (GPL) from Dave Aitel ...

(By the way, the whole concept of RPC over HTTP seems rather silly to me - first we realize that Microsoft's RPC protocols are insecure so we set up our firewalls to block them in and out of our house ... then Microsoft realizes we are blocking them so they start tunneling it through http so they can traverse the net again - and they even call it "security"! It also reminds me of the virus/antivirus culture ;-)

> This is a relatively new thing

This MAPI might be new but the RPC over HTTP protocol itself is not that hot ...

> and, since it requires Outlook 2003 SP1, it may not be widely deployed. Yet. But since it is a form of RPC and it provides full MAPI access, and...er, it's from Microsoft, something tells me we'll be hearing about this sooner or later in a not so good way.

I agree. However, the chance is there might also be even worse things around by that time :-)

> 3389/tcp open microsoft-rdp Microsoft Terminal Service

OK, this is correct now.

> ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
> SF-Port593-TCP:V=3.81%D=3/4%Time=422915C8%P=i386-unknown-freebsd5.3%r(NULL
> SF:,E,"ncacn_http/1\.0")%r(GenericLines,E,"ncacn_http/1\.0")%r(GetRequest,
> SF:E,"ncacn_http/1\.0")%r(HTTPOptions,E,"ncacn_http/1\.0")%r(RTSPRequest,E
> SF:,"ncacn_http/1\.0")%r(RPCCheck,E,"ncacn_http/1\.0")%r(DNSVersionBindReq
> SF:,E,"ncacn_http/1\.0")%r(DNSStatusRequest,E,"ncacn_http/1\.0")%r(Help,E,
> SF:"ncacn_http/1\.0")%r(SSLSessionReq,E,"ncacn_http/1\.0")%r(SMBProgNeg,26
> SF:,"ncacn_http/1\.0\x05\0\r\x03\x10\0\0\0\x18\0\0\0\0\x08\x01@\x04\0\x01\
> SF:x05\0\0\0\0")%r(X11Probe,E,"ncacn_http/1\.0")%r(LPDString,E,"ncacn_http
> SF:/1\.0")%r(LDAPBindReq,E,"ncacn_http/1\.0")%r(LANDesk-RC,E,"ncacn_http/1
> SF:\.0")%r(TerminalServer,E,"ncacn_http/1\.0")%r(NCP,E,"ncacn_http/1\.0")%
> SF:r(NotesRPC,E,"ncacn_http/1\.0")%r(WMSRequest,E,"ncacn_http/1\.0")%r(ora
> SF:cle-tns,E,"ncacn_http/1\.0");

[and so on]

As you can see, the current set of probes couldn't get anything more than "ncacn_http/1.0" response so we can't tell which service is behind it. You could use the patch I've sent previously to get at least ncacn_http Microsoft Network Computing Architecture Connection-Oriented RPC Protocol recognition (or something shorter if you prefer) before someone implements something better.

Cheers,

Martin Mačok
ICT Security Consultant

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List archive: http://seclists.org
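
An added example, not part of the original message or of Nmap: Python that parses the `%r(probe,length,"data")` entries of the fingerprint quoted in the message and reports which probes drew more than the bare banner. The sample is a constructed three-probe excerpt of that fingerprint; the function names are hypothetical, and little-endian header fields are assumed from the 0x10 data-representation byte.

```python
import re
import struct

# Constructed excerpt: three probes from the port 593 fingerprint quoted in the
# message, with the "SF:" line wrapping already removed.
FINGERPRINT = (
    r'SF-Port593-TCP:V=3.81%D=3/4%Time=422915C8%P=i386-unknown-freebsd5.3'
    r'%r(NULL,E,"ncacn_http/1\.0")%r(GetRequest,E,"ncacn_http/1\.0")'
    r'%r(SMBProgNeg,26,"ncacn_http/1\.0\x05\0\r\x03\x10\0\0\0\x18\0\0\0'
    r'\0\x08\x01@\x04\0\x01\x05\0\0\0\0")'
)
BANNER = b"ncacn_http/1.0"
SHORT_ESCAPES = {"0": 0, "r": 13, "n": 10, "t": 9}
ENTRY = re.compile(r'%r\(([\w-]+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')

def unescape(text):
    """Turn Nmap's escaped response string back into raw bytes."""
    def repl(m):
        tok = m.group(1)
        if len(tok) == 3:                             # \xHH
            return chr(int(tok[1:], 16))
        return chr(SHORT_ESCAPES.get(tok, ord(tok)))  # \0 \r \n \t, else literal
    return re.sub(r"\\(x[0-9A-Fa-f]{2}|.)", repl, text, flags=re.S).encode("latin-1")

def parse_fingerprint(fp):
    """Map probe name -> response bytes, checking the declared hex length."""
    responses = {}
    for name, hexlen, body in ENTRY.findall(fp):
        data = unescape(body)
        if len(data) != int(hexlen, 16):
            raise ValueError(f"{name}: declared 0x{hexlen} bytes, decoded {len(data)}")
        responses[name] = data
    return responses

def extra_after_banner(responses):
    """Probes whose reply carried bytes beyond the bare banner."""
    return {n: d[len(BANNER):] for n, d in responses.items()
            if d.startswith(BANNER) and len(d) > len(BANNER)}

def dcerpc_header(pdu):
    """Decode the 16-byte connection-oriented DCE/RPC common header (little-endian assumed)."""
    ver, minor, ptype, flags, drep, frag_len, auth_len, call_id = struct.unpack(
        "<BBBB4sHHI", pdu[:16])
    return {"version": (ver, minor), "ptype": ptype, "flags": flags,
            "frag_length": frag_len, "auth_length": auth_len, "call_id": call_id}

if __name__ == "__main__":
    for probe, tail in extra_after_banner(parse_fingerprint(FINGERPRINT)).items():
        print(probe, tail.hex(), dcerpc_header(tail))
```

On this excerpt only SMBProgNeg yields trailing bytes, and they decode as a DCE/RPC version 5.0 PDU of type 13 (bind_nak) with a 24-byte fragment.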