Windows protocols

This article covers the protocols of the Windows operating system and how to interact with them. We will go through the list of protocol groups, describe their main tasks, and then interact with one of them from the Python programming language.

Protocol Overview

Windows is one of the most popular operating systems. Its basic editions can be used both as a client and as a server operating system. According to the documentation, the system works with a large number of protocols; the lion's share of them were created for Windows itself and are used only by the OS or by software running on it.

Windows functionality, and with it the protocols, is usually divided into subsystems. If the system has a .NET subsystem, there will be protocols dedicated to it for transferring data, each with its own format and specification.

All protocols supported by Windows, whether adapted for it or created for it, are described in Microsoft's protocol documentation. The documentation covers everything that is available for study, including, incidentally, documentation about the documentation itself. All protocols in Windows are divided into 4 large groups:

  • Application Server Protocols

  • Core Services Protocols

  • Internet Information Services (IIS) Protocols

  • .NET Framework Protocols

Each group can include a large number of protocols. The division assumes that all protocols of a group serve one subsystem, or a set of subsystems that work as a whole. Let us describe each group.

Application Server Protocols

A set of protocols used as a common medium for communication between applications. They must work both locally and over the network, and the uniform environment they provide is meant to extend to other operating systems as well.

These protocols include the following subgroups:

  • COM, COM+, DCOM – protocols for working with applications that are built from objects

  • Transaction protocols – used to coordinate data transfer between different operating systems

  • MSMQ – message queuing protocols, used for scaling applications

Protocols in this category are probably the most used and the most interesting, since they are widespread in applications deployed in the corporate segment, and many services in such environments rely heavily on this group of protocols.

Core Services Protocols

The protocols of this group serve subsystems that are mostly found in server editions of the Windows operating system. Among them:

  • IManagedObject Interface Protocol – in effect a wrapper for the .NET platform; it allows managed .NET code to interoperate with COM objects

  • OLE Automation Protocol – a protocol that allows applications to expose shared objects. These objects can be embedded from one application into another while the original application keeps providing the processing logic.

  • Remote Data Services Transport Protocol – a protocol for remote data access over HTTP, kept for backward compatibility with older versions of the operating system. Functionally it can now be replaced by DCOM or SOAP.

  • Session Multiplex Protocol – a protocol that creates channels for several logical sessions inside a single connection. It is layered on top of another transport protocol.

  • SQL Server Resolution Protocol – a protocol that lets clients locate SQL Server instances and the ports they listen on. Supports multicast and broadcast queries.

In fact, these protocols are simply an additional layer on top of the Application Server Protocols of the previous section.

Internet Information Services (IIS) Protocols

A set of protocols that are available in IIS out of the box, or that can be installed through extensions. The list is as follows:

  • Internet Information Services (IIS): Application Host COM Protocol – a protocol for server administration

  • Internet Information Services (IIS): IMSAdminBaseW Remote Protocol – a protocol for server configuration. All settings are stored in a special metadata tree.

  • Internet Information Services (IIS): Inetinfo Remote Protocol – a protocol for managing the HTTP and FTP servers.

  • Internet Information Services (IIS): ServiceControl Protocol – a protocol for managing the server as a separate entity. You can remotely restart it and manage its services.

.NET Framework Protocols

A large layer of protocols created so that software written in .NET can interact with any other software over the network. Some protocols from this group:

  • .NET Packet Routing Protocol – allows a SOAP message with its header to be carried as a datagram or packet

  • .NET Binary Format: XML Data Structure – a binary encoding of the transmitted XML structure

  • .NET Context Exchange Protocol – as the name implies, this protocol transfers context between the server and the client

  • .NET Message Framing TCP Binding Protocol – a protocol that allows SOAP to be carried over TCP

As can be seen from the groups and subgroups listed, the protocols of the Windows operating system are abstractions for transferring data between systems and within the operating system itself. Let us take the first group, the Application Server Protocols, for study, and focus on the COM, COM+, DCOM subgroup.

Interaction example

COM, COM+ and DCOM were developed as protocols that let programmers and users create functions, and even entire applications, that can be integrated into other applications without their source code, regardless of the programming language they are written in. To make this possible, the protocols rely on a few abstractions:

  • They provide a standard interface for calls

  • All objects made available through the protocols are listed in a common registry

  • Each registered object is identified by a unique UUID (its CLSID)

As practice, let us implement interaction with DCOM objects over the MS-RPCE protocol. To speed up prototyping we will use the Python programming language and the impacket library. The target system will be Windows 10.

MS-RPCE is Microsoft's set of extensions to the DCE 1.1 RPC specification. Many Windows services expose their functionality as RPC interfaces on top of it, including services that deal with authentication and authorization and the print spooler. Since this is RPC, to call its functions you have to follow the rules and interfaces laid down in the specification.

According to the documentation, MS-RPCE works in two modes:

  1. Connection oriented RPC

  2. Connectionless RPC

The transport protocol is chosen by a special string, the string binding, whose first part names the protocol sequence. At least one must be specified when configuring the interaction:

  • ncacn_np – SMB transport

  • ncacn_ip_tcp – TCP over IPv4/IPv6 transport

  • ncadg_ip_udp – UDP transport

  • ncacn_spx – SPX transport

  • ncadg_ipx – IPX transport

  • ncacn_nb_ipx – NetBIOS over IPX transport

  • ncacn_nb_tcp – NetBIOS over TCP transport

  • ncacn_nb_nb – NetBIOS over NetBEUI transport

  • ncacn_at_dsp – AppleTalk transport

  • ncacn_http – RPC over HTTP transport

In our example the interaction is over TCP/IP, so we will use ncacn_ip_tcp.
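As an added example (my own code, not from the original article or from impacket), here is a small parser and composer for RPC string bindings. It shows how the protocol-sequence names listed above combine with a network address, an optional endpoint in square brackets and optional comma-separated options, and which well-known endpoint-mapper endpoint is implied when a binding names no endpoint at all (TCP and UDP 135, \pipe\epmapper over SMB, 593 for RPC over HTTP). The sample bindings it is exercised on are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Protocol sequences from the list above, split by the two MS-RPCE modes.
CONNECTION_ORIENTED = {
    "ncacn_np", "ncacn_ip_tcp", "ncacn_spx", "ncacn_nb_ipx", "ncacn_nb_tcp",
    "ncacn_nb_nb", "ncacn_at_dsp", "ncacn_http",
}
CONNECTIONLESS = {"ncadg_ip_udp", "ncadg_ipx"}

# Well-known endpoint-mapper endpoints, used when a binding omits the endpoint
# (a bare 'ncacn_ip_tcp:host' therefore talks to port 135).
DEFAULT_ENDPOINT = {
    "ncacn_ip_tcp": "135",
    "ncadg_ip_udp": "135",
    "ncacn_np": r"\pipe\epmapper",
    "ncacn_http": "593",
}

# Grammar: [object_uuid@]protseq:network_addr[endpoint,option=value,...]
_BINDING_RE = re.compile(
    r"^(?:(?P<uuid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})@)?"
    r"(?P<protseq>[a-z_]+):"
    r"(?P<addr>[^\[]*)"
    r"(?:\[(?P<ep>[^\]]*)\])?$"
)


@dataclass
class StringBinding:
    protseq: str
    network_addr: str
    endpoint: Optional[str] = None
    options: dict = field(default_factory=dict)
    object_uuid: Optional[str] = None

    @property
    def connection_oriented(self) -> bool:
        return self.protseq in CONNECTION_ORIENTED

    def effective_endpoint(self) -> Optional[str]:
        """Endpoint actually used: the explicit one, else the well-known default."""
        return self.endpoint or DEFAULT_ENDPOINT.get(self.protseq)


def parse_string_binding(text: str) -> StringBinding:
    m = _BINDING_RE.match(text.strip())
    if not m:
        raise ValueError("malformed string binding: %r" % text)
    protseq = m.group("protseq")
    if protseq not in CONNECTION_ORIENTED | CONNECTIONLESS:
        raise ValueError("unknown protocol sequence: %r" % protseq)
    if not m.group("addr"):
        raise ValueError("string binding has no network address")
    endpoint, options = None, {}
    if m.group("ep") is not None:
        # First element is the endpoint (may be empty); the rest are key=value options.
        first, *rest = m.group("ep").split(",")
        endpoint = first.strip() or None
        for opt in rest:
            key, sep, value = opt.partition("=")
            if not sep or not key.strip():
                raise ValueError("malformed option: %r" % opt)
            options[key.strip()] = value.strip()
    return StringBinding(protseq, m.group("addr"), endpoint, options, m.group("uuid"))


def compose_string_binding(b: StringBinding) -> str:
    """Inverse of parse_string_binding."""
    text = "%s:%s" % (b.protseq, b.network_addr)
    if b.object_uuid:
        text = "%s@%s" % (b.object_uuid, text)
    if b.endpoint is not None or b.options:
        inner = [b.endpoint or ""] + ["%s=%s" % kv for kv in b.options.items()]
        text += "[%s]" % ",".join(inner)
    return text


if __name__ == "__main__":
    for sample in (  # constructed sample bindings
        "ncacn_ip_tcp:192.168.57.3",
        r"ncacn_np:192.168.57.3[\pipe\epmapper]",
        "ncacn_ip_tcp:fe80::1[49664]",
        "ncadg_ip_udp:192.168.57.3",
    ):
        b = parse_string_binding(sample)
        print(sample, "->", b.protseq, b.network_addr, b.effective_endpoint(),
              "connection-oriented" if b.connection_oriented else "connectionless")
```

Note that the address part is taken up to the first square bracket, so IPv6 literals with their colons parse correctly; the endpoint part is the only place where the syntax differs per protocol sequence (a port for TCP/UDP/HTTP, a named pipe for ncacn_np).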

To perform an operation over MS-RPCE you need to understand how the connection is set up and how operations are carried out. The simple interaction algorithm is as follows:

  1. Initialize the string binding for the transport.

  2. Set the authentication level. It is required for most protocol interfaces, since most of their operations are just as useful to attackers.

  3. Create the DCE RPC object that wraps the transport. It is this object that performs identification and authentication and configures the connection. After that we only have to bind to the interface of the OS object we want to use, or use the library's standard classes to check the connection or send data to OS applications.

from impacket.dcerpc.v5 import transport
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_NONE
from impacket.dcerpc.v5.dcomrt import IObjectExporter


hostIp = "192.168.57.3"            # target host (the Windows 10 lab machine)
authLevel = RPC_C_AUTHN_LEVEL_NONE  # no authentication requested

# 1. String binding for the transport: TCP to the host, default endpoint 135
#    (the endpoint mapper / DCOM object resolver)
stringBinding = r'ncacn_ip_tcp:%s' % hostIp
rpctransport = transport.DCERPCTransportFactory(stringBinding)

# 2-3. DCE RPC object over the transport; it sets up the connection
dce = rpctransport.get_dce_rpc()
dce.set_auth_level(authLevel)
dce.connect()

# IObjectExporter::ServerAlive2 is the one mechanism here that does not require
# authentication; it returns the string bindings the object resolver listens on
objExp = IObjectExporter(dce)
bindings = objExp.ServerAlive2()

for binding in bindings:
    addr = binding['aNetworkAddr']
    print("Found Address: " + addr)

The result of executing the commands in the interactive shell:

You can evaluate the amount of network traffic this generated in Wireshark:

This way you can obtain the addresses (string bindings) on which the target's DCOM object resolver listens, without supplying any credentials. To learn much more, look in the examples directory of impacket: among the scripts there are rpcmap.py and rpcdump.py, which report the RPC interfaces and endpoints that are available over MS-RPCE.
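To show what actually comes back from ServerAlive2, here is an added example (my own code, not from the article or from impacket) that builds and parses the DUALSTRINGARRAY structure defined in MS-DCOM. It is the payload behind the result that impacket unpacks into the 'aNetworkAddr' values printed above; the NDR pointer and array wrapping that surround it on the wire are not handled here. The structure holds a list of STRINGBINDING entries (a 16-bit tower ID naming the protocol sequence, then a null-terminated UTF-16LE address) followed by a list of SECURITYBINDING entries (authentication service, a reserved 0xFFFF, principal name), each list closed by a 16-bit zero, with both header counters expressed in 16-bit units. The sample reply is constructed for this example and its host name and addresses are invented; the tower-ID and authentication-service values are the ones MS-DCOM and MS-RPCE define.

```python
import struct

# wTowerId values (MS-DCOM STRINGBINDING) for the protocol sequences that matter here
TOWER_IDS = {0x07: "ncacn_ip_tcp", 0x08: "ncadg_ip_udp", 0x0F: "ncacn_np", 0x1F: "ncacn_http"}
# RPC authentication services (MS-RPCE) that typically appear in a ServerAlive2 reply
AUTHN_SVC = {9: "RPC_C_AUTHN_GSS_NEGOTIATE", 10: "RPC_C_AUTHN_WINNT", 16: "RPC_C_AUTHN_GSS_KERBEROS"}
RESERVED = 0xFFFF  # SECURITYBINDING.Reserved MUST be 0xFFFF and is ignored on receipt


def _utf16z(s: str) -> bytes:
    return s.encode("utf-16-le") + b"\x00\x00"


def _read_utf16z(buf: bytes, off: int):
    """Read a null-terminated UTF-16LE string at an even offset; return (text, next_offset)."""
    end = off
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated string")
    return buf[off:end].decode("utf-16-le"), end + 2


def build_dual_string_array(string_bindings, security_bindings) -> bytes:
    """string_bindings: [(tower_id, network_addr)]; security_bindings: [(authn_svc, principal)]."""
    sb = b"".join(struct.pack("<H", t) + _utf16z(a) for t, a in string_bindings) + b"\x00\x00"
    secb = b""
    for authn, principal in security_bindings:
        if authn == 0:
            raise ValueError("RPC_C_AUTHN_NONE is encoded as the list terminator")
        secb += struct.pack("<HH", authn, RESERVED) + _utf16z(principal)
    secb += b"\x00\x00"
    body = sb + secb
    # wNumEntries and wSecurityOffset count 16-bit units, not bytes
    return struct.pack("<HH", len(body) // 2, len(sb) // 2) + body


def parse_dual_string_array(data: bytes) -> dict:
    if len(data) < 4:
        raise ValueError("truncated DUALSTRINGARRAY header")
    num_entries, sec_off = struct.unpack_from("<HH", data, 0)
    body = data[4:4 + num_entries * 2]
    if len(body) != num_entries * 2:
        raise ValueError("wNumEntries exceeds the data actually present")
    if sec_off > num_entries:
        raise ValueError("wSecurityOffset points past the array")
    sec_start = sec_off * 2

    string_bindings, off = [], 0
    while off + 2 <= sec_start:
        (tower,) = struct.unpack_from("<H", body, off)
        off += 2
        if tower == 0:      # terminator of the STRINGBINDING list
            break
        addr, off = _read_utf16z(body[:sec_start], off)  # never read into the security part
        string_bindings.append({"tower_id": tower,
                                "protseq": TOWER_IDS.get(tower, "unknown(0x%02x)" % tower),
                                "addr": addr})

    security_bindings, off = [], sec_start
    while off + 2 <= len(body):
        (authn,) = struct.unpack_from("<H", body, off)
        off += 2
        if authn == 0:      # terminator of the SECURITYBINDING list
            break
        if off + 2 > len(body):
            raise ValueError("truncated SECURITYBINDING")
        (reserved,) = struct.unpack_from("<H", body, off)
        off += 2
        principal, off = _read_utf16z(body, off)
        security_bindings.append({"authn_svc": authn,
                                  "authn_name": AUTHN_SVC.get(authn, "unknown(%d)" % authn),
                                  "reserved": reserved, "principal": principal})
    return {"string_bindings": string_bindings, "security_bindings": security_bindings}


# Constructed sample reply for an invented lab host: three TCP bindings, NTLM and Negotiate offered
SAMPLE_REPLY = build_dual_string_array(
    [(0x07, "WIN10-LAB"), (0x07, "192.168.57.3"), (0x07, "fe80::1")],
    [(10, "WIN10-LAB"), (9, "WIN10-LAB")],
)


def addresses(data: bytes) -> list:
    """The same view of the reply as the loop in the article: just the network addresses."""
    return [b["addr"] for b in parse_dual_string_array(data)["string_bindings"]]


if __name__ == "__main__":
    parsed = parse_dual_string_array(SAMPLE_REPLY)
    for b in parsed["string_bindings"]:
        print("Found Address: %s (%s)" % (b["addr"], b["protseq"]))
    for s in parsed["security_bindings"]:
        print("Auth service: %s, principal %s" % (s["authn_name"], s["principal"]))
```

Two points worth keeping in mind when reading real replies: the security bindings tell you which authentication services the host offers for DCOM before you have authenticated at all, and the string-binding list frequently exposes every address the host has, including internal and link-local ones, which is why this unauthenticated call is a common first step in recon.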


The article was prepared by Alexander Kolesnikov as part of the course Network Engineer.

