Building a network map

Building a network map is a lengthy process. It is usually done by watching how operating systems respond to corrupted data in network protocol headers. This approach typically gives about 80% accuracy, and it is quite hard to find information on exactly how each OS responds to such inputs. But what if there is a technology or function of the operating system that reports the state of the network subsystem with 100% accuracy and provides additional information? This article describes such functions of Windows.

“As old as the world” technologies

To get a complete picture of how Windows exposes its functions on the network, you need to recall mechanisms such as DCOM and RPC.

Remote procedure call (RPC) is an interprocess communication (IPC) mechanism. It allows processes to exchange information and call functions in other processes within the OS, on the local network, or over the Internet.

The Distributed Component Object Model (DCOM) is a COM object specification that defines the rules for network communication between objects. In the documentation it appears under the name DCOM Remote Protocol.

The two mechanisms are related according to the following scheme:

The scheme is taken from here

How does it work? The general scheme of the protocol operation is shown below.

Scheme taken from here

The main idea is that the interaction follows the client-server model. The client asks the server, by identifier, to run a procedure via RPC. The server must then look up the handler for that identifier on its own and, if it is found, pass the data to it in accordance with the security model. Availability information and, where possible, the result are returned to the client.

Speaking of the security model: the red rectangles in the diagram mark the interfaces that, in some cases, can be used without going through the authorization procedure.

What’s interesting for the network map

DCOM from the offensive side was already studied at BlackHat 2004. The talk contained a lot of information that applies to versions of Windows up to and including Windows Server 2003. Here is a list of some of the things that could be done:

  • Collecting information about the OS configuration (does not require authorization);

  • Brute-forcing user account passwords;

  • Creating scheduled tasks (ScheduledTask), as well as deleting and viewing them;

  • Viewing the status of services (authorization required).

The talk already named specific identifiers that can be used to affect the OS. Let's find out whether everything still works the same way 17 years later, and at the same time learn how to obtain the configuration of the OS network subsystem.

Practice

For the experiment, we will use 3 virtual machines:

  • Windows 10

  • Windows 7

  • Windows 8

Each virtual machine will be connected to at least two networks in different segments. The test machine will be Kali Linux. Let's gather scripts and applications for collecting information about the system via RPC. The list of tools is given below:

  • nmap script rpcinfo.nse – collects RPC ports and, where possible, records the name of the service that uses them;

  • impacket rpcdump.py – gets information from RPC services;

  • impacket rpcmap.py – collects endpoint ports that are waiting for a connection;

  • Metasploit module auxiliary/scanner/dcerpc/endpoint_mapper – searches endpoints;

  • Metasploit module auxiliary/scanner/dcerpc/hidden – searches for hidden services;

  • Metasploit module auxiliary/scanner/dcerpc/management – gets data from RMI DCERPC;

  • Metasploit module auxiliary/scanner/dcerpc/tcp_dcerpc_auditor – searches for the names of services that use DCERPC;

  • IOXIDResolver.py – a script for obtaining data about the configuration of the network subsystem.

Let's try the tools on the virtual machines:

Windows 7

Nmap results:

Metasploit results:

The picture shows part of the endpoint services.

Hidden services

Management

TCP auditor

IOXIDResolver results:

Windows 8

Nmap results:

Metasploit results:

endpoint_mapper

The picture shows part of the endpoint services.

Hidden services

Management

TCP auditor

IOXIDResolver results:

Windows 10

Nmap results:

Metasploit results:

The picture shows part of the endpoint services.

Hidden services

Management

TCP auditor

IOXIDResolver results:

The mechanisms considered in this article not only still work but are still being developed. Of the tools listed, IOXIDResolver can provide information about the configuration of the network subsystem, while the other tools can help determine the OS version and, if the system is misconfigured, give the ability to manage the OS or obtain user credentials.
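The information IOXIDResolver obtains comes from the IObjectExporter ServerAlive2 call on TCP port 135, whose reply carries a DUALSTRINGARRAY (MS-DCOM 2.2.19.1) listing the host's own network bindings. The following is an added example, not the article's code and not the IOXIDResolver.py script itself: a builder and parser for that structure, so that a defender or inventory tool can see exactly what a host discloses without authentication and flag multi-homed machines whose extra interfaces point into other segments. The sample response is constructed here rather than captured from the lab machines; the tower id 0x07 (ncacn_ip_tcp), 0x0F (ncacn_np) and the authentication service values 0x0A (NTLM) and 0x10 (Kerberos) are the MS-DCOM / RPC_C_AUTHN_* constants.

```python
import struct

# Protocol tower identifiers carried in STRINGBINDING.wTowerId (MS-DCOM 2.2.19.3).
# Only values known for certain are named; anything else is shown numerically.
TOWER_NAMES = {0x07: "ncacn_ip_tcp", 0x0F: "ncacn_np"}


def _utf16z(text: str) -> bytes:
    """Encode text as null-terminated UTF-16LE, the string form used inside DUALSTRINGARRAY."""
    return text.encode("utf-16-le") + b"\x00\x00"


def build_dualstringarray(string_bindings, security_bindings=()):
    """Serialise a DUALSTRINGARRAY.

    string_bindings:   iterable of (tower_id, network_address)
    security_bindings: iterable of (authn_svc, principal_name)
    Layout: wNumEntries, wSecurityOffset, then the STRINGBINDING list terminated
    by a zero short, then the SECURITYBINDING list terminated the same way.
    """
    str_part = b"".join(struct.pack("<H", tower) + _utf16z(addr) for tower, addr in string_bindings)
    str_part += b"\x00\x00"  # end of STRINGBINDING entries
    sec_part = b"".join(struct.pack("<HH", authn, 0xFFFF) + _utf16z(name) for authn, name in security_bindings)
    sec_part += b"\x00\x00"  # end of SECURITYBINDING entries
    array = str_part + sec_part
    # Both header fields count unsigned shorts, not bytes.
    return struct.pack("<HH", len(array) // 2, len(str_part) // 2) + array


def _read_utf16z(buf: bytes, pos: int):
    """Return (decoded string, offset just past its 2-byte terminator)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated UTF-16 string in DUALSTRINGARRAY")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def parse_dualstringarray(blob: bytes) -> dict:
    """Parse a DUALSTRINGARRAY into its network (string) and security bindings."""
    if len(blob) < 4:
        raise ValueError("too short for a DUALSTRINGARRAY header")
    num_entries, sec_offset = struct.unpack_from("<HH", blob, 0)
    array = blob[4:4 + 2 * num_entries]
    if len(array) != 2 * num_entries or sec_offset > num_entries:
        raise ValueError("DUALSTRINGARRAY header does not match the payload")
    str_part, sec_part = array[:2 * sec_offset], array[2 * sec_offset:]

    bindings, pos = [], 0
    while pos + 2 <= len(str_part):
        tower = struct.unpack_from("<H", str_part, pos)[0]
        pos += 2
        if tower == 0:  # null STRINGBINDING terminates the list
            break
        addr, pos = _read_utf16z(str_part, pos)
        bindings.append({"tower": TOWER_NAMES.get(tower, f"tower_0x{tower:02x}"), "address": addr})

    security, pos = [], 0
    while pos + 2 <= len(sec_part):
        authn = struct.unpack_from("<H", sec_part, pos)[0]
        pos += 2
        if authn == 0:  # null SECURITYBINDING terminates the list
            break
        pos += 2  # Reserved field, always 0xFFFF
        name, pos = _read_utf16z(sec_part, pos)
        security.append({"authn_svc": authn, "principal": name})
    return {"bindings": bindings, "security": security}


def extra_addresses(parsed: dict, probed_address: str):
    """Addresses the host reported other than the one we connected to.
    For a network map these are the interesting ones: they reveal interfaces
    (and therefore segments) a scanner on a single network never sees."""
    return sorted({b["address"] for b in parsed["bindings"] if b["address"] != probed_address})


def is_malformed(blob: bytes) -> bool:
    """True if the blob cannot be parsed, e.g. a truncated response."""
    try:
        parse_dualstringarray(blob)
        return False
    except ValueError:
        return True


# Constructed sample (not a real capture): a host answering with three
# ncacn_ip_tcp bindings (NetBIOS name plus two interface addresses) and
# NTLM (0x0A) / Kerberos (0x10) security bindings.
SAMPLE_RESPONSE = build_dualstringarray(
    [(0x07, "WIN7-LAB"), (0x07, "10.0.0.5"), (0x07, "192.168.56.10")],
    [(0x0A, ""), (0x10, "")],
)

if __name__ == "__main__":
    result = parse_dualstringarray(SAMPLE_RESPONSE)
    for b in result["bindings"]:
        print(f"{b['tower']:<14} {b['address']}")
    print("additional interfaces:", extra_addresses(result, "10.0.0.5"))
```

Run against the constructed sample it lists the three bindings and reports 192.168.56.10 and the NetBIOS name as interfaces beyond the one probed; on a real inventory, a host that returns addresses in ranges outside the scanned segment is exactly the multi-homed box the article's network map is meant to find, and the parser rejects truncated or inconsistent replies instead of reading past the buffer.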


The article was prepared by Alexander Kolesnikov, teacher of the course “Pentest. Penetration Testing Practice”. If you are interested in learning more about the course, come to the online Open Day, where Alexander will talk about the format and the training program.
