DCE/RPC

Distributed Computing Environment/Remote Procedure Call (DCE/RPC)

DCE/RPC is a specification for a remote procedure call mechanism that defines both APIs and an over-the-network protocol.

A DCE/RPC server's endpoint mapper (EPMAP) will listen for incoming calls. A client will call this endpoint mapper and ask for a specific interface, which will be accessed on a different connection. After that, the client can request calls to the server.

Because of that, you cannot simply capture from a specific TCP port to see all traffic, as there are more connections used.

Binary blobs may be transported between client and server endpoints: apart from the packet type and opnum, the conversation is opaque to DCE/RPC.

History

The specification documents ordered by release date:

Protocol dependencies

DCE/RPC can run atop a number of protocols, including:

Example traffic

Frame 16 (156 bytes on wire, 156 bytes captured)
    Arrival Time: Jan 25, 2006 13:30:30.722061000
    Time delta from previous packet: 0.003745000 seconds
    Time since reference or first frame: 0.072939000 seconds
    Frame Number: 16
    Packet Length: 156 bytes
    Capture Length: 156 bytes
    Protocols in frame: eth:ip:tcp:nbss:smb:dcerpc
Ethernet II, Src: 00:50:56:c0:00:08 (00:50:56:c0:00:08), Dst: 00:0c:29:90:06:7c (00:0c:29:90:06:7c)
    Destination: 00:0c:29:90:06:7c (00:0c:29:90:06:7c)
    Source: 00:50:56:c0:00:08 (00:50:56:c0:00:08)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.29.1 (192.168.29.1), Dst: 192.168.29.133 (192.168.29.133)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 142
    Identification: 0x0d71 (3441)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x3122 [correct]
        Good: True
        Bad : False
    Source: 192.168.29.1 (192.168.29.1)
    Destination: 192.168.29.133 (192.168.29.133)
Transmission Control Protocol, Src Port: 1107 (1107), Dst Port: 139 (139), Seq: 1777360425, Ack: 1042911032, Len: 102
    Source port: 1107 (1107)
    Destination port: 139 (139)
    Sequence number: 1777360425
    Next sequence number: 1777360527
    Acknowledgement number: 1042911032
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 16974
    Checksum: 0x3bfe [validation disabled]
    SEQ/ACK analysis
        This is an ACK to the segment in frame: 15
        The RTT to ACK the segment was: 0.003745000 seconds
NetBIOS Session Service
    Message Type: Session message
    Flags: 0x00
        .... ...0 = Add 0 to length
    Length: 98
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        Response in: 17
        SMB Command: Trans (0x25)
        Error Class: Success (0x00)
        Reserved: 00
        Error Code: No Error
        Flags: 0x00
            0... .... = Request/Response: Message is a request to the server
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
            .... 0... = Case Sensitivity: Path names are case sensitive
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0x0001
            0... .... .... .... = Unicode Strings: Strings are ASCII
            .0.. .... .... .... = Error Code Type: Error codes are DOS error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 0... .... .... = Extended Security Negotiation: Extended security negotiation is not supported
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... .... .0.. = Security Signatures: Security signatures are not supported
            .... .... .... ..0. = Extended Attributes: Extended attributes are not supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 2048
        Process ID: 1764
        User ID: 2048
        Multiplex ID: 0
    Trans Request (0x25)
        Word Count (WCT): 16
        Total Parameter Count: 0
        Total Data Count: 24
        Max Parameter Count: 1024
        Max Data Count: 65504
        Max Setup Count: 0
        Reserved: 00
        Flags: 0x0000
            .... .... .... ..0. = One Way Transaction: Two way transaction
            .... .... .... ...0 = Disconnect TID: Do NOT disconnect TID
        Timeout: Return immediately (0)
        Reserved: 0000
        Parameter Count: 0
        Parameter Offset: 74
        Data Count: 24
        Data Offset: 74
        Setup Count: 2
        Reserved: 00
        Byte Count (BCC): 31
        Transaction Name: \PIPE\
SMB Pipe Protocol
    Function: TransactNmPipe (0x0026)
    FID: 0x4000
DCE RPC Request, Fragment: Single, FragLen: 24, Call: 1 Ctx: 0, [Resp: #17]
    Version: 5
    Version (minor): 0
    Packet type: Request (0)
    Packet Flags: 0x03
        0... .... = Object: Not set
        .0.. .... = Maybe: Not set
        ..0. .... = Did Not Execute: Not set
        ...0 .... = Multiplex: Not set
        .... 0... = Reserved: Not set
        .... .0.. = Cancel Pending: Not set
        .... ..1. = Last Frag: Set
        .... ...1 = First Frag: Set
    Data Representation: 10000000
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Frag Length: 24
    Auth Length: 0
    Call ID: 1
    Alloc hint: 0
    Context ID: 0
    Opnum: 4
    Response in frame: 17

Wireshark

The DCE/RPC dissector is fully functional. It also has some advanced features available, such as DCE/RPC defragmentation and alike.

You can get the response times (the time between a request and its response) of DCE/RPC interface calls by using the menu item "Statistics/Service Response Time/DCE-RPC...".

If you didn't capture the binding sequence at the start of a connection oriented DCE/RPC conversation, you can use the menu item "Analyze/Decode As..." to attach a specific interface to the selected conversation.

Preference Settings

(XXX add links to preference settings affecting how DCE/RPC is dissected).

Example capture file

XXX - Add a simple example capture file. Keep it short, it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.

Display Filter

A complete list of DCE/RPC display filter fields can be found in the display filter reference

Show only the DCE/RPC based traffic (both connection oriented and connectionless):

 dcerpc 

Capture Filter

You cannot directly filter DCE/RPC protocols while capturing.

External links

Implementations

Decryption

The "encrypted stub data" can be decrypted, either if using NTLMSSP or Kerberos

Discussion

Ulf Lamping: one might explain where ncacn_ip_tcp is used, as I still don't know it 😃 Ronnie: See the example capture mapi.cap.gz for an example of dcerpc using ncacn_ip_tcp


Imported from https://wiki.wireshark.org/DCE/RPC on 2020-08-11 23:12:33 UTC