RPC to Go v.2


This post is an update to “RPC to Go v.1.” I assume that you have read v.1 and have a basic understanding of how the RPC protocol works. We’ll take a closer look at the architecture, the End Point Mapper bind and the RPC bind. At the end there is a list of common problems and troubleshooting tools. Going forward, these “RPC to Go” posts can be used as a troubleshooting reference.

A Closer Look

Architecture: notice where marshalling happens.

[image: RPC architecture diagram]

While describing the RPC process in v.1 I mentioned marshalling only in passing; the RPC stubs and the runtime API were explained. Marshalling determines how the data is represented on the wire. The network data representation (NDR), also called the transfer syntax, is the common language of the client and server stubs. Windows supports two: the original NDR (version 2.0, UUID 8a885d04-1ceb-11c9-9fe8-08002b104860, the one you will see in the captures below) and NDR64 (UUID 71710533-beba-4937-8319-b5dbef9ccc36), which was introduced with 64-bit Windows. A 64-bit client proposes both in its bind and the server picks one. Although it rarely happens, there have been syntax conflicts: the application presents the correct interface UUID, but none of the transfer syntaxes it proposes is accepted by the server. The client then gets the error “The transfer syntax is not supported by the RPC server” (RPC_S_UNSUPPORTED_TRANS_SYN, error 1730).

Network Captures

Client connection to the End Point Mapper.

A connection to the End Point Mapper requires a bind and a map request.

[image: network capture of the End Point Mapper bind and map]

Frame 4: Bind request to the End Point Mapper
4 10:41:50.101297 10.32.30.66 10.1.200.2 DCERPC Bind: call_id: 1 EPMv4 V3.0
Transmission Control Protocol, Src Port: sdo (3635), Dst Port: epmap (135), Seq: 1060393319, Ack: 3285256023, Len: 72
The client proposes the NDR version 2 transfer syntax in the bind request:
Transfer Syntax[1]: 8a885d04-1ceb-11c9-9fe8-08002b104860 V2

Frame 5: Bind_Ack from the EndPoint Mapper
5 10:41:50.102274 10.1.200.2 10.32.30.66 DCERPC Bind_ack: call_id: 1 accept max_xmit: 5840 max_recv: 5840

Frame 6: Map request from the client (the Bind_ack in frame 5 carries no endpoint mapper payload; the response to this request is frame 7):

DCE/RPC Endpoint Mapper, Map
    Operation: Map (3)
    [Response in frame: 7]
    UUID pointer:
        Referent ID: 0x00000001
        UUID: 00000000-0000-0000-0000-000000000000
    Tower pointer:
        Referent ID: 0x00000002
        Length: 75
        Length: 75
        Number of floors: 5
        Floor 1  UUID: LSA
            LHS Length: 19
            Protocol: UUID (0x0d)
            UUID: LSA (12345778-1234-abcd-ef00-0123456789ab)
            Version 0.0
            RHS Length: 2
            Version Minor: 0
        Floor 2  UUID: Version 1.1 network data representation protocol
            LHS Length: 19
            Protocol: UUID (0x0d)
            UUID: Version 1.1 network data representation protocol (8a885d04-1ceb-11c9-9fe8-08002b104860)
            Version 2.0
            RHS Length: 2
            Version Minor: 0
        Floor 3  RPC connection-oriented protocol
            LHS Length: 1
            Protocol: RPC connection-oriented protocol (0x0b)
            RHS Length: 2
        Floor 4  TCP Port:135
            LHS Length: 1
            Protocol: DOD TCP (0x07)
            RHS Length: 2
            TCP Port: 135
        Floor 5  IP:0.0.0.0
            LHS Length: 1
            Protocol: DOD IP (0x09)
            RHS Length: 4
            IP: 0.0.0.0 (0.0.0.0)
    Handle: 0000000000000000000000000000000000000000
    Max Towers: 4

The Map response. The port is populated in floor 4 and the IP address in floor 5 of the tower. Two separate towers come back, and floor four of each holds a different port number. You will recall that a tower can carry only one port and one IP address; several towers, however, can be returned in one Map response (up to the Max Towers value the client put in its request, four here). Compare the tower the client sent above: its floor 4 held port 135 and its floor 5 held 0.0.0.0, and the server answers with towers that hold the real endpoints.

DCE/RPC Endpoint Mapper, Map
    Operation: Map (3)
    [Request in frame: 6]
    Handle: 0000000000000000000000000000000000000000
    Num Towers: 2
    Tower array:
        Max Count: 4
        Offset: 0
        Actual Count: 2
        Tower pointer:
            Referent ID: 0x00000003
            Length: 75
            Length: 75
            Number of floors: 5
            Floor 1  UUID: LSA
                LHS Length: 19
                Protocol: UUID (0x0d)
                UUID: LSA (12345778-1234-abcd-ef00-0123456789ab)
                Version 0.0
                RHS Length: 2
                Version Minor: 0
            Floor 2  UUID: Version 1.1 network data representation protocol
                LHS Length: 19
                Protocol: UUID (0x0d)
                UUID: Version 1.1 network data representation protocol (8a885d04-1ceb-11c9-9fe8-08002b104860)
                Version 2.0
                RHS Length: 2
                Version Minor: 0
            Floor 3  RPC connection-oriented protocol
                LHS Length: 1
                Protocol: RPC connection-oriented protocol (0x0b)
                RHS Length: 2
            Floor 4  TCP Port:1600
                LHS Length: 1
                Protocol: DOD TCP (0x07)
                RHS Length: 2
                TCP Port: 1600  -- Port to use for application access
            Floor 5  IP:10.1.200.2
                LHS Length: 1
                Protocol: DOD IP (0x09)
                RHS Length: 4
                IP: 10.1.200.2 (10.1.200.2) – IP the application is listening on.
        Tower pointer:
            Referent ID: 0x00000004
            Length: 75
            Length: 75
            Number of floors: 5
            Floor 1  UUID: LSA
                LHS Length: 19
                Protocol: UUID (0x0d)
                UUID: LSA (12345778-1234-abcd-ef00-0123456789ab)
                Version 0.0
                RHS Length: 2
                Version Minor: 0
            Floor 2  UUID: Version 1.1 network data representation protocol
                LHS Length: 19
                Protocol: UUID (0x0d)
                UUID: Version 1.1 network data representation protocol (8a885d04-1ceb-11c9-9fe8-08002b104860)
                Version 2.0
                RHS Length: 2
                Version Minor: 0
            Floor 3  RPC connection-oriented protocol
                LHS Length: 1
                Protocol: RPC connection-oriented protocol (0x0b)
                RHS Length: 2
            Floor 4  TCP Port:1025
                LHS Length: 1
                Protocol: DOD TCP (0x07)
                RHS Length: 2
                TCP Port: 1025 – Port to use for application access (different from first tower)
            Floor 5  IP:10.1.200.2
                LHS Length: 1
                Protocol: DOD IP (0x09)
                RHS Length: 4
                IP: 10.1.200.2 (10.1.200.2) – IP application is listening on.
    Return code: 0x00000000
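As an added example (not code from the original post), the following Python encodes the five-floor tower from the Map request and response above and decodes one back into interface, transfer syntax, protocol sequence, IP and port. It reproduces the 75-byte tower length that Wireshark reports, and because towers arrive from the network (the endpoint mapper takes them from any client, and a client takes them from whatever answers on port 135) the decoder bounds-checks every floor instead of trusting the embedded lengths. The function names and the udp option are the example’s own choices.

```python
"""Encode and decode the protocol tower carried by an endpoint-mapper Map
request/response (the 75-byte tower_octet_string shown above)."""
import ipaddress
import struct
import uuid

# Floor protocol identifiers as Wireshark labels them (C706 Appendix I).
PROTO_UUID, PROTO_RPC_CL, PROTO_RPC_CO = 0x0d, 0x0a, 0x0b
PROTO_TCP, PROTO_UDP, PROTO_IP = 0x07, 0x08, 0x09

LSARPC = "12345778-1234-abcd-ef00-0123456789ab"
NDR_V2 = "8a885d04-1ceb-11c9-9fe8-08002b104860"


def _floor(lhs, rhs):
    # Each floor is: u16 lhs length, lhs bytes, u16 rhs length, rhs bytes (lengths little-endian).
    return struct.pack("<H", len(lhs)) + lhs + struct.pack("<H", len(rhs)) + rhs


def encode_tower(interface, major, minor, ip, port, transfer=NDR_V2, udp=False):
    """Five-floor tower for ncacn_ip_tcp (or ncadg_ip_udp when udp=True)."""
    floors = [
        _floor(bytes([PROTO_UUID]) + uuid.UUID(interface).bytes_le + struct.pack("<H", major),
               struct.pack("<H", minor)),                        # floor 1: interface UUID + version
        _floor(bytes([PROTO_UUID]) + uuid.UUID(transfer).bytes_le + struct.pack("<H", 2),
               struct.pack("<H", 0)),                            # floor 2: transfer syntax (NDR 2.0)
        _floor(bytes([PROTO_RPC_CL if udp else PROTO_RPC_CO]), struct.pack("<H", 0)),  # floor 3
        # Port and address are in network byte order, unlike the little-endian lengths.
        _floor(bytes([PROTO_UDP if udp else PROTO_TCP]), struct.pack(">H", port)),     # floor 4
        _floor(bytes([PROTO_IP]), ipaddress.IPv4Address(ip).packed),                   # floor 5
    ]
    return struct.pack("<H", len(floors)) + b"".join(floors)


def decode_tower(data):
    """Split a tower into (protocol_id, lhs_rest, rhs) floors, refusing truncated input."""
    if len(data) < 2:
        raise ValueError("tower too short")
    n_floors = struct.unpack_from("<H", data, 0)[0]
    off, floors = 2, []
    for _ in range(n_floors):
        parts = []
        for side in ("lhs", "rhs"):
            if off + 2 > len(data):
                raise ValueError("truncated tower")
            n = struct.unpack_from("<H", data, off)[0]
            chunk = bytes(data[off + 2:off + 2 + n])
            if len(chunk) != n or (side == "lhs" and n == 0):
                raise ValueError("truncated tower")
            parts.append(chunk)
            off += 2 + n
        lhs, rhs = parts
        floors.append((lhs[0], lhs[1:], rhs))
    if off != len(data):
        raise ValueError("trailing bytes after tower")
    return floors


def tower_endpoint(data):
    """Pull interface, transfer syntax, protocol sequence, IP and port out of a tower."""
    info = {}
    for i, (proto, lhs, rhs) in enumerate(decode_tower(data)):
        if proto == PROTO_UUID:
            syntax = (str(uuid.UUID(bytes_le=lhs[:16])), struct.unpack("<H", lhs[16:18])[0],
                      struct.unpack("<H", rhs)[0])
            info["interface" if i == 0 else "transfer_syntax"] = syntax
        elif proto in (PROTO_TCP, PROTO_UDP):
            info["protseq"] = "ncacn_ip_tcp" if proto == PROTO_TCP else "ncadg_ip_udp"
            info["port"] = struct.unpack(">H", rhs)[0]
        elif proto == PROTO_IP:
            info["ip"] = str(ipaddress.IPv4Address(rhs))
    return info


def string_binding(data):
    """PortQry-style string binding, e.g. ncacn_ip_tcp:10.1.200.2[1600]."""
    ep = tower_endpoint(data)
    return "%s:%s[%d]" % (ep["protseq"], ep["ip"], ep["port"])


if __name__ == "__main__":
    request_tower = encode_tower(LSARPC, 0, 0, "0.0.0.0", 135)     # what the client sends
    response_tower = encode_tower(LSARPC, 0, 0, "10.1.200.2", 1600)  # first tower in the response
    print(len(response_tower), string_binding(request_tower), string_binding(response_tower))
```

The two length fields Wireshark prints before the floors are the NDR conformant-array count and the tower length; both equal the 75 bytes this encoder produces, and the 2-byte floor count is part of that length.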

Connection to the App

A connection to the application requires a successful RPC bind followed by request PDUs carrying the correct operation numbers (OpNums). Every PDU carries a call_id, which is how a response is matched to its request.

[image: network capture of the RPC bind to the application port]

Frame 11: RPC Bind Request from the client

11 10:41:50.148172 10.32.30.66 10.1.200.2 DCERPC Bind: call_id: 1 LSA V0.0

Frame 11 (184 bytes on wire, 184 bytes captured)

Internet Protocol, Src: 10.32.30.66 (10.32.30.66), Dst: 10.1.200.2 (10.1.200.2)

Transmission Control Protocol, Src Port: servistaitsm (3636), Dst Port: issd (1600), Seq: 3000314679, Ack: 2455167807, Len: 130

DCE RPC Bind, Fragment: Single, FragLen: 130, Call: 1

Frame 12: RPC Bind Ack from the Server

12 10:41:50.148172 10.1.200.2 10.32.30.66 DCERPC Bind_ack: call_id: 1 accept max_xmit: 5840 max_recv: 5840

Frame 12 (134 bytes on wire, 134 bytes captured)

Internet Protocol, Src: 10.1.200.2 (10.1.200.2), Dst: 10.32.30.66 (10.32.30.66)

Transmission Control Protocol, Src Port: issd (1600), Dst Port: servistaitsm (3636), Seq: 2455167807, Ack: 3000314809, Len: 80

DCE RPC Bind_ack, Fragment: Single, FragLen: 80, Call: 1

Frame 13: the first request. Here the OpNum is presented to the server (Network Monitor summary line):

RPC: c/o Request: LSARpc {12345778-1234-ABCD-EF00-0123456789AB} Call=0x1 Opnum=0x4C Context=0x0 Hint=0x7C

The conversation between the client and server continues with the necessary OpNums until the client process ends (like the Outlook example from v.1, where your inbox is populated).

- Each interface (UUID) defines its own set of operation numbers. The same OpNum means something different on a different interface, so always read an OpNum together with the interface that the context was bound to.
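To make the transfer-syntax negotiation described in “A Closer Look” and the bind/request frames above concrete, here is an added example that is not part of the original post and not the Windows RPC runtime’s code: it builds the client’s bind PDU, a server’s bind_ack that accepts or rejects each proposed presentation context, parses that ack the way a client runtime does, and builds a request PDU carrying the OpNum. Frame 4’s Len: 72 is exactly what build_bind(EPM_V4, [NDR_V2]) produces. The NDR64 UUID is the one documented in MS-RPCE; the secondary address “1600”, the assoc_group value 0x1234 and the function names are the example’s own.

```python
"""DCE/RPC connection-oriented bind, bind_ack and request PDUs, built and parsed
by hand to show the transfer-syntax negotiation (layout per C706 / MS-RPCE)."""
import struct
import uuid

# (uuid, major, minor) identifiers seen in the captures, plus NDR64 from MS-RPCE.
EPM_V4 = ("e1af8308-5d1f-11c9-91a4-08002b14a0fa", 3, 0)   # endpoint mapper
LSARPC = ("12345778-1234-abcd-ef00-0123456789ab", 0, 0)   # LSA
NDR_V2 = ("8a885d04-1ceb-11c9-9fe8-08002b104860", 2, 0)   # NDR, as in frame 4
NDR64 = ("71710533-beba-4937-8319-b5dbef9ccc36", 1, 0)    # NDR64, 64-bit Windows
NIL = ("00000000-0000-0000-0000-000000000000", 0, 0)
PTYPE_REQUEST, PTYPE_BIND, PTYPE_BIND_ACK = 0, 11, 12
RESULT = {0: "acceptance", 1: "user_rejection", 2: "provider_rejection", 3: "negotiate_ack"}
REASON = {0: "reason_not_specified", 1: "abstract_syntax_not_supported",
          2: "proposed_transfer_syntaxes_not_supported", 3: "local_limit_exceeded"}


def syntax_id(uuid_str, major, minor):
    # p_syntax_id_t: UUID with its first three fields little-endian, then u32 version.
    return uuid.UUID(uuid_str).bytes_le + struct.pack("<HH", major, minor)


def parse_syntax(buf, off):
    major, minor = struct.unpack_from("<HH", buf, off + 16)
    return (str(uuid.UUID(bytes_le=bytes(buf[off:off + 16]))), major, minor)


def pdu_header(ptype, body, call_id, flags=0x03):
    # 16-byte common header: version 5.0, ptype, FIRST|LAST, little-endian drep,
    # frag_length (header included), auth_length 0, call_id.
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, flags, b"\x10\x00\x00\x00",
                       16 + len(body), 0, call_id) + body


def build_bind(interface, transfer_syntaxes, call_id=1, max_frag=5840):
    """Client side: one presentation context per proposed transfer syntax."""
    body = struct.pack("<HHI", max_frag, max_frag, 0)          # max_xmit, max_recv, assoc_group
    body += struct.pack("<BBH", len(transfer_syntaxes), 0, 0)  # n_context_elem + padding
    for ctx_id, ts in enumerate(transfer_syntaxes):
        body += struct.pack("<HBB", ctx_id, 1, 0) + syntax_id(*interface) + syntax_id(*ts)
    return pdu_header(PTYPE_BIND, body, call_id)


def parse_bind(pdu):
    """Server side: the proposed contexts as (ctx_id, interface, [transfer syntaxes])."""
    off, ctxs = 28, []
    for _ in range(pdu[24]):
        ctx_id, n_ts = struct.unpack_from("<HB", pdu, off)
        ctxs.append((ctx_id, parse_syntax(pdu, off + 4),
                     [parse_syntax(pdu, off + 24 + 20 * i) for i in range(n_ts)]))
        off += 24 + 20 * n_ts
    return ctxs


def build_bind_ack(bind_pdu, supported, sec_addr, max_frag=5840):
    """Server side: accept a context if one of its syntaxes is supported, else reject it
    with provider_rejection / proposed_transfer_syntaxes_not_supported.  A bind in
    which no context is accepted is what the client reports as error 1730."""
    call_id = struct.unpack_from("<I", bind_pdu, 12)[0]
    addr = sec_addr.encode() + b"\x00"                          # port_any_t secondary address
    body = struct.pack("<HHI", max_frag, max_frag, 0x1234) + struct.pack("<H", len(addr)) + addr
    body += b"\x00" * ((-(16 + len(body))) % 4)                # result list is 4-byte aligned
    ctxs = parse_bind(bind_pdu)
    body += struct.pack("<BBH", len(ctxs), 0, 0)
    for _, _, syntaxes in ctxs:
        ok = [ts for ts in syntaxes if ts in supported]
        body += (struct.pack("<HH", 0, 0) + syntax_id(*ok[0]) if ok
                 else struct.pack("<HH", 2, 2) + syntax_id(*NIL))
    return pdu_header(PTYPE_BIND_ACK, body, call_id)


def parse_bind_ack(pdu):
    """Client side: secondary address plus one result per proposed context, in order."""
    if pdu[2] != PTYPE_BIND_ACK:
        raise ValueError("expected bind_ack, got ptype %d" % pdu[2])
    addr_len = struct.unpack_from("<H", pdu, 24)[0]
    sec_addr = bytes(pdu[26:26 + addr_len]).rstrip(b"\x00").decode()
    off = 26 + addr_len
    off += (-off) % 4
    n_results, off = pdu[off], off + 4
    results = []
    for _ in range(n_results):
        result, reason = struct.unpack_from("<HH", pdu, off)
        results.append({"result": RESULT.get(result, result), "reason": REASON.get(reason, reason),
                        "transfer_syntax": parse_syntax(pdu, off + 4)})
        off += 24
    return {"call_id": struct.unpack_from("<I", pdu, 12)[0], "sec_addr": sec_addr,
            "max_xmit": struct.unpack_from("<H", pdu, 16)[0], "results": results}


def build_request(ctx_id, opnum, stub, call_id=1):
    """Request PDU: alloc_hint, accepted context id, opnum (0x4C in frame 13), stub data."""
    return pdu_header(PTYPE_REQUEST, struct.pack("<IHH", len(stub), ctx_id, opnum) + stub, call_id)


if __name__ == "__main__":
    bind = build_bind(LSARPC, [NDR_V2, NDR64])                     # 64-bit client offers both
    ack = parse_bind_ack(build_bind_ack(bind, [NDR_V2], "1600"))  # server speaks only NDR v2
    for ctx, res in enumerate(ack["results"]):
        print("context", ctx, res["result"], res["reason"], res["transfer_syntax"][0])
```

Run it and you see context 0 accepted with NDR v2 and context 1 rejected with proposed_transfer_syntaxes_not_supported; change the client to propose only NDR64 against the same server and no context is accepted, which is the situation behind the error message quoted in “A Closer Look”.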

Common Problems

Service Doesn’t Register with the Endpoint Mapper

  • A network capture shows the Map request going out, but instead of a tower the Map response comes back with a non-zero return code (compare the Return code: 0x00000000 in the successful response above); the capture decoder may flag it as “invalid syntax” in reference to the UUID. The client reports “There are no more endpoints available from the endpoint mapper” (EPT_S_NOT_REGISTERED, error 1753).

Firewall blocking application port

  • EPM (tcp 135) connection works, but the connection to the port (e.g. 1600) on which the app registered with the endpoint mapper is blocked by a firewall (software or hardware).

Troubleshooting

  • Tools:
    • Network Monitor 3.2 – useful for capturing bind attempts to the end point mapper and RPC ports. When the application port is blocked you’ll see the client’s SYN sent three times with no response. If the firewall is hardware based, the SYN never reaches the server; if it is software based, the server silently discards it. The client-side capture looks the same either way, so capture on both ends to tell the two apart. Wireshark works the same way as Network Monitor here.
    • PortQry – command-line tool that queries the endpoint mapper (portqry -n <server> -e 135) and returns the list of registered UUIDs with their string bindings. The output looks like:

UDP port 135 (epmap service): LISTENING or FILTERED

Querying Endpoint Mapper Database...

Server's response:

UUID: 50abc2a4-574d-40b3-9d66-ee4fd5fba076
ncacn_ip_tcp:169.254.12.191[4144]

UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface
ncacn_np:\\MYSERVER[\PIPE\lsass]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:169.254.12.191[1030]

RPC is quite easy to understand and troubleshoot. The key is to find where the breakdown occurs. You can ask yourself questions like:

  1. Is the server piece of this application local? If so, some debugging would have to be done to see where things get lost in translation.
  2. If it’s not local: Does anything hit the wire? Is it headed to the correct server? Are you getting a response?
    1. If you have a successful connection to the End Point Mapper followed by three unanswered SYN packets to the port in your tower, check the firewall.
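The checklist above turned into code, as an added example that is not part of the original post: it walks a packet-summary listing in the frame/time/src/dst/protocol/info layout used for the frames in this post and reports where the connection setup stops (no bind, no answer from port 135, interface not registered, application port filtered, or a working bind). The three listings are constructed to mimic Wireshark summary lines and are not taken from the original capture; the verdict names are the example’s own.

```python
"""Triage an RPC connection attempt from a packet-summary listing.
The sample listings below are constructed in the frame/time/src/dst/protocol/info
layout of the capture summaries in this post; they are not the original capture."""
import re

SUMMARY = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
TOWER = re.compile(r"ncacn_ip_tcp:(\d+\.\d+\.\d+\.\d+)\[(\d+)\]")
TCP = re.compile(r"(\d+)\s*>\s*(\d+)\s+\[([^\]]+)\]")


def parse_summary(line):
    m = SUMMARY.match(line)
    if not m:
        raise ValueError("unrecognised summary line: %r" % line)
    frame, _time, src, dst, proto, info = m.groups()
    return {"frame": int(frame), "src": src, "dst": dst, "proto": proto, "info": info}


def triage(lines, client, server):
    """Walk the conversation in order and return (verdict, evidence)."""
    ev = {"epm_bind": False, "epm_bind_ack": False, "mapped": None,
          "syn_to_app": 0, "synack_from_app": 0, "app_bind_ack": False}
    for p in map(parse_summary, lines):
        c2s = (p["src"], p["dst"]) == (client, server)
        s2c = (p["src"], p["dst"]) == (server, client)
        if p["proto"] == "DCERPC" and c2s and p["info"].startswith("Bind:") and "EPMv4" in p["info"]:
            ev["epm_bind"] = True
        elif p["proto"] == "DCERPC" and s2c and p["info"].startswith("Bind_ack"):
            # Before a tower has been mapped the ack answers the EPM bind, after it the app bind.
            ev["epm_bind_ack" if ev["mapped"] is None else "app_bind_ack"] = True
        elif p["proto"] == "EPM" and s2c and "Map response" in p["info"]:
            m = TOWER.search(p["info"])
            # A Map response that carries no tower means the interface is not registered.
            ev["mapped"] = (m.group(1), int(m.group(2))) if m else "not_registered"
        elif p["proto"] == "TCP" and isinstance(ev["mapped"], tuple):
            m = TCP.search(p["info"])
            if not m:
                continue
            sport, dport, flags = m.group(1), m.group(2), m.group(3)
            port = ev["mapped"][1]
            if c2s and int(dport) == port and flags == "SYN":
                ev["syn_to_app"] += 1
            elif s2c and int(sport) == port and flags == "SYN, ACK":
                ev["synack_from_app"] += 1
    if not ev["epm_bind"]:
        verdict = "NO_EPM_BIND"          # nothing hit the wire, or it went to the wrong server
    elif not ev["epm_bind_ack"]:
        verdict = "EPM_UNREACHABLE"      # tcp/135 blocked or the RPC service is not listening
    elif ev["mapped"] is None:
        verdict = "NO_MAP_RESPONSE"
    elif ev["mapped"] == "not_registered":
        verdict = "NOT_REGISTERED"       # the service never registered its interface
    elif ev["syn_to_app"] >= 3 and ev["synack_from_app"] == 0:
        verdict = "APP_PORT_FILTERED"    # three unanswered SYNs to the tower's port: firewall
    elif not ev["app_bind_ack"]:
        verdict = "APP_BIND_FAILED"      # port open but the interface bind got no Bind_ack
    else:
        verdict = "OK"
    return verdict, ev


# Constructed sample listings (client and server addresses taken from the frames above).
CLIENT, SERVER = "10.32.30.66", "10.1.200.2"
EPM_PHASE = [
    "4 10:41:50.101297 10.32.30.66 10.1.200.2 DCERPC Bind: call_id: 1 EPMv4 V3.0",
    "5 10:41:50.102274 10.1.200.2 10.32.30.66 DCERPC Bind_ack: call_id: 1 accept max_xmit: 5840 max_recv: 5840",
    "6 10:41:50.102900 10.32.30.66 10.1.200.2 EPM Map request",
]
MAPPED = ["7 10:41:50.103512 10.1.200.2 10.32.30.66 EPM Map response, ncacn_ip_tcp:10.1.200.2[1600]"]
HEALTHY = EPM_PHASE + MAPPED + [
    "8 10:41:50.140001 10.32.30.66 10.1.200.2 TCP 3636 > 1600 [SYN] Seq=0",
    "9 10:41:50.140512 10.1.200.2 10.32.30.66 TCP 1600 > 3636 [SYN, ACK] Seq=0 Ack=1",
    "10 10:41:50.141003 10.32.30.66 10.1.200.2 TCP 3636 > 1600 [ACK] Seq=1 Ack=1",
    "11 10:41:50.148172 10.32.30.66 10.1.200.2 DCERPC Bind: call_id: 1 LSA V0.0",
    "12 10:41:50.148172 10.1.200.2 10.32.30.66 DCERPC Bind_ack: call_id: 1 accept max_xmit: 5840 max_recv: 5840",
]
FIREWALLED = EPM_PHASE + MAPPED + [   # SYN retransmitted three times, nothing comes back
    "8 10:41:50.140001 10.32.30.66 10.1.200.2 TCP 3636 > 1600 [SYN] Seq=0",
    "9 10:41:53.140001 10.32.30.66 10.1.200.2 TCP 3636 > 1600 [SYN] Seq=0",
    "10 10:41:59.140001 10.32.30.66 10.1.200.2 TCP 3636 > 1600 [SYN] Seq=0",
]
NOT_REGISTERED = EPM_PHASE + [
    "7 10:41:50.103512 10.1.200.2 10.32.30.66 EPM Map response, error: ept_s_not_registered",
]

if __name__ == "__main__":
    for name, listing in (("healthy", HEALTHY), ("firewalled", FIREWALLED), ("unregistered", NOT_REGISTERED)):
        print(name, triage(listing, CLIENT, SERVER)[0])
```

Feed it the summary export of a real capture (one line per frame, with the Info column last) and it tells you which of the three checks above to pursue; anything it cannot classify still ends up in the evidence dictionary for a manual look.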

I hope this blog gives you a closer look at RPC and saves you a support call or two.

- Rich Chambers

  • This is very helpful information on RPC, especially the details what shows up in a network capture. I've slogged through a number of network captures involving RPC and trying to piece together what each command means - every piece of information helps! I've read the documentation, and found it difficult to follow, so this smaller, focused example is useful.

  • In this blog I’d like to give some information on what Named Pipes are, what a Named Pipes connection

  • I captured IPv6 packets on Windows 2008, and got "DOD IP" zero. DCE RPC 1.1 didn't mention anything about IPv6. Are there any specs update for IPv6?

  • This blog is very helpful for me. This kind of explanation I have searched for many days. Thank you very much. If I have any doubt regarding this, may I contact you? My mail smartjmc@gmail.com.