Project

General

Profile

Actions

Feature #5067

open

smb/dcerpc: Match dcerpc (over smb) requests before bind_ack

Added by Eloy Pérez almost 3 years ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:
Rust

Description

Windows computers made a heavy use of the dcerpc protocol. I being working with a Windows Server 2019 and observed that, probably for optimization purposes, using DCERPC over SMB it sends a bind message, and then it submits a request without receiving the bind_ack, which is returned later. This behaviour can be appreciated in the following capture:

A bind is submit, then an OpenAlias request, and finally, the client requests for the bind_ack (in SMB the bind_ack needs to be requested by the client).

To match requests in this cases, I propose to create a flag for the dcerpc.iface, that allows users to choose if they want to match dcerpc requests (over smb) after the bind is issued and before the bind_ack is received.

I let pacp with SMB traffic that shows this behaviour. In this case the traffic was created by executing the tool Bloodhound over a Windows Server 2019 (joined to a domain). The same tool executed over Windows 10 creates a different traffic where the bind_ack is received always before any dcerpc request.


Files

bloodhound-smb-w2019.pcapng (73.7 KB) bloodhound-smb-w2019.pcapng Eloy Pérez, 02/10/2022 10:02 AM
smb-over-dcerpc.png (52.5 KB) smb-over-dcerpc.png Eloy Pérez, 02/10/2022 10:24 AM

No data to display

Actions

Also available in: Atom PDF