dcerpc

package
v0.0.0-...-7d23d5e Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 12, 2026 License: Apache-2.0 Imports: 30 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func FormatUUID 

func FormatUUID(uuid [16]byte) string

FormatUUID formats a [16]byte UUID as a string like "000001a0-0000-0000-c000-000000000046"

func GetWindowsMaxFrag 

func GetWindowsMaxFrag() uint16

GetWindowsMaxFrag returns a standard MaxFrag size used by legitimate Windows versions.

func MustParseUUID 

func MustParseUUID(s string) [16]byte

MustParseUUID parses a UUID string and panics on error. Use this for compile-time constants.

func ParseUUID 

func ParseUUID(s string) ([16]byte, error)

ParseUUID parses a UUID string like "000001A0-0000-0000-C000-000000000046" to [16]byte. The UUID is stored in the DCE/RPC wire format (Data1 little-endian, Data2/Data3 little-endian).

Types

type AuthHandler 

type AuthHandler struct {
	Creds *session.Credentials

	// Session Key (negotiated)
	SessionKey []byte

	// Full NTLM Session for Seal/Unseal operations
	Session *ntlm.Session

	// Separate sequence numbers for each direction
	// Client->Server uses ClientSeqNum, Server->Client uses ServerSeqNum
	ClientSeqNum uint32
	ServerSeqNum uint32
	// contains filtered or unexported fields
}

AuthHandler manages the authentication context for RPC (NTLM).

func NewAuthHandler 

func NewAuthHandler(creds *session.Credentials) *AuthHandler

func (*AuthHandler) Decrypt 

func (a *AuthHandler) Decrypt(ciphertext []byte) []byte

Decrypt decrypts data from DCE/RPC response.

func (*AuthHandler) Encrypt 

func (a *AuthHandler) Encrypt(plaintext []byte) []byte

Encrypt encrypts data for DCE/RPC Packet Privacy. Must be called before Sign. Does not update SeqNum (Sign does that).

func (*AuthHandler) GetAuthenticateToken 

func (a *AuthHandler) GetAuthenticateToken(challenge []byte) ([]byte, error)

GetAuthenticateToken processes the challenge and returns the auth token.

func (*AuthHandler) GetClientSeqNum 

func (a *AuthHandler) GetClientSeqNum() uint32

GetClientSeqNum returns the current client sequence number. Implements RPCAuthHandler interface.

func (*AuthHandler) GetNegotiateToken 

func (a *AuthHandler) GetNegotiateToken() ([]byte, error)

GetNegotiateToken generates the initial token (NTLM Negotiate).

func (*AuthHandler) IsInitialized 

func (a *AuthHandler) IsInitialized() bool

IsInitialized returns true if the auth handler has a valid session. Implements RPCAuthHandler interface.

func (*AuthHandler) Seal 

func (a *AuthHandler) Seal(plaintext []byte) []byte

Seal encrypts data and returns [signature][ciphertext]. Updates ClientSeqNum automatically.

func (*AuthHandler) Sign 

func (a *AuthHandler) Sign(data []byte) []byte

Sign computes signature over data (typically the full PDU minus auth verifier). Must be called after Encrypt. Updates ClientSeqNum.

func (*AuthHandler) Unseal 

func (a *AuthHandler) Unseal(ciphertext []byte) ([]byte, error)

Unseal decrypts data from [signature][ciphertext] format. Updates ServerSeqNum automatically.

func (*AuthHandler) Verify 

func (a *AuthHandler) Verify(signature, data []byte) bool

Verify checks signature over data (typically full response PDU minus auth verifier). Updates ServerSeqNum to keep in sync with RC4 state.

type Client 

type Client struct {
	Transport     Transport // Underlying transport (TCP or Pipe)
	CallID        uint32
	MaxFrag       uint16
	Auth          *AuthHandler         // Set after successful BindAuth (NTLM)
	KrbAuth       *KerberosAuthHandler // Set after successful BindAuthKerberos
	AuthType      uint8                // AuthnWinNT (10) or AuthnKerberos (16)
	Authenticated bool                 // True when using packet privacy
	ContextID     uint16               // Current presentation context ID
	AuthCtxID     uint32               // Auth context ID for sec_trailer
	Contexts      map[[16]byte]uint16  // Map of Interface UUID to Context ID
	AssocGroup    uint32               // Association Group ID from BindAck
}

func NewClient 

func NewClient(pipe *smb2.File) *Client

NewClient creates a Client from an SMB named pipe.

func NewClientTCP 

func NewClientTCP(transport *TCPTransport) *Client

NewClientTCP creates a Client from a TCP transport.

func (*Client) Bind 

func (c *Client) Bind(uuid [16]byte, major, minor uint16) error

Bind negotiates the interface and transfer syntax using default NDR.

func (*Client) BindAuth 

func (c *Client) BindAuth(uuid [16]byte, major, minor uint16, creds *session.Credentials) error

BindAuth performs an authenticated Bind (Packet Privacy).

func (*Client) BindAuthKerberos 

func (c *Client) BindAuthKerberos(uuid [16]byte, major, minor uint16, creds *session.Credentials, hostname string) error

BindAuthKerberos performs an authenticated Bind using Kerberos (Packet Privacy). Unlike NTLM, Kerberos is single round-trip (no challenge/response).

func (*Client) BindAuthKerberosWithHandler 

func (c *Client) BindAuthKerberosWithHandler(uuid [16]byte, major, minor uint16, auth *KerberosAuthHandler, spn string) error

BindAuthKerberosWithHandler performs Kerberos-authenticated bind using a pre-configured auth handler. This is used when the caller needs to control realm/KDC configuration (e.g., cross-realm).

func (*Client) BindAuthMulti 

func (c *Client) BindAuthMulti(bindings []InterfaceBinding, creds *session.Credentials) error

BindAuthMulti performs an authenticated Bind for multiple interfaces.

func (*Client) BindWithSyntax 

func (c *Client) BindWithSyntax(uuid [16]byte, major, minor uint16, transferSyntax [16]byte, transferVer uint32) error

BindWithSyntax negotiates the interface with a specific transfer syntax. Returns nil on success, error on failure. Use this to test for NDR64 support.

func (*Client) Call 

func (c *Client) Call(opNum uint16, payload []byte) ([]byte, error)

Call sends a Request packet with OpNum and payload. Handles multi-fragment responses automatically.

func (*Client) CallAuth 

func (c *Client) CallAuth(opNum uint16, payload []byte) ([]byte, error)

CallAuth sends a sealed Request packet with OpNum and payload. Requires prior BindAuth() call. Per MS-RPCE 2.2.2.11.3.1, for Packet Privacy the signature is computed over [plaintext_stub + padding + sec_trailer], NOT just the plaintext stub.

func (*Client) CallAuthAuto 

func (c *Client) CallAuthAuto(opNum uint16, payload []byte) ([]byte, error)

CallAuthAuto sends a sealed Request packet using whatever auth method was used for binding. It automatically selects NTLM or Kerberos based on how the connection was authenticated.

func (*Client) CallAuthDCOM 

func (c *Client) CallAuthDCOM(opNum uint16, payload []byte, ipid [16]byte) ([]byte, error)

CallAuthDCOM sends a sealed Request packet with an object UUID (IPID) for DCOM calls. The IPID identifies which interface instance on the server to call.

func (*Client) CallAuthKerberos 

func (c *Client) CallAuthKerberos(opNum uint16, payload []byte) ([]byte, error)

CallAuthKerberos sends a sealed Request packet using Kerberos authentication. This is similar to CallAuth but uses Kerberos crypto instead of NTLM.

func (*Client) GetContextID 

func (c *Client) GetContextID(uuid [16]byte) (uint16, bool)

GetContextID returns the context ID for a given interface UUID, if it exists.

func (*Client) GetSessionKey 

func (c *Client) GetSessionKey() []byte

GetSessionKey returns the session key from whatever auth handler is active.

type InterfaceBinding 

type InterfaceBinding struct {
	InterfaceUUID [16]byte
	Major, Minor  uint16
}

InterfaceBinding represents an interface to bind to

type KerberosAuthHandler 

type KerberosAuthHandler struct {

	// Session key exported after authentication
	SessionKey []byte

	// Encryption type (23=RC4, 17=AES128, 18=AES256)
	EType int32

	// Sequence numbers (managed by go-msrpc internally, but we track for compatibility)
	ClientSeqNum uint32
	ServerSeqNum uint32
	// contains filtered or unexported fields
}

KerberosAuthHandler manages Kerberos authentication for RPC using go-msrpc.

func NewKerberosAuthHandler 

func NewKerberosAuthHandler(creds *session.Credentials, target session.Target, dcIP string) (*KerberosAuthHandler, error)

NewKerberosAuthHandler creates a new Kerberos auth handler using go-msrpc.

func NewKerberosAuthHandlerMultiRealm 

func NewKerberosAuthHandlerMultiRealm(creds *session.Credentials, target session.Target, dcIP string, extraRealms map[string]string) (*KerberosAuthHandler, error)

NewKerberosAuthHandlerMultiRealm creates a Kerberos auth handler with multiple realms configured. extraRealms maps realm names to KDC addresses (e.g., {"PARENT.LOCAL": "10.0.0.1"}).

func (*KerberosAuthHandler) Decrypt 

func (k *KerberosAuthHandler) Decrypt(ciphertext []byte) []byte

Decrypt decrypts data from DCE/RPC response.

func (*KerberosAuthHandler) DecryptWithSignature 

func (k *KerberosAuthHandler) DecryptWithSignature(ciphertext, signature []byte) ([]byte, error)

DecryptWithSignature decrypts data and verifies the signature. This is the proper way to decrypt sealed DCE/RPC responses.

func (*KerberosAuthHandler) Encrypt 

func (k *KerberosAuthHandler) Encrypt(plaintext []byte) []byte

Encrypt encrypts data for DCE/RPC Packet Privacy using Kerberos. The data is encrypted in place and the signature is cached for Sign().

func (*KerberosAuthHandler) GetClientSeqNum 

func (k *KerberosAuthHandler) GetClientSeqNum() uint32

GetClientSeqNum returns the current client sequence number.

func (*KerberosAuthHandler) GetToken 

func (k *KerberosAuthHandler) GetToken(spn string) ([]byte, error)

GetToken generates the Kerberos AP-REQ token for DCE/RPC. Returns SPNEGO wrapped token for DCE-style auth.

func (*KerberosAuthHandler) IsInitialized 

func (k *KerberosAuthHandler) IsInitialized() bool

IsInitialized returns true if the auth handler has valid session keys.

func (*KerberosAuthHandler) ProcessAPRep 

func (k *KerberosAuthHandler) ProcessAPRep(apRepBytes []byte) ([]byte, error)

ProcessAPRep processes the AP-REP message from the server. This completes mutual authentication and sets up encryption keys. For DCE-style, returns the third leg token that must be sent via AlterContext.

func (*KerberosAuthHandler) Sign 

func (k *KerberosAuthHandler) Sign(data []byte) []byte

Sign returns the signature from the last Encrypt operation. For AES Kerberos, the signature is computed as part of the wrap operation.

func (*KerberosAuthHandler) SignatureSize 

func (k *KerberosAuthHandler) SignatureSize() int

SignatureSize returns the size of the signature for the current encryption type.

func (*KerberosAuthHandler) Verify 

func (k *KerberosAuthHandler) Verify(signature, data []byte) bool

Verify checks a signature (for compatibility).

type PipeTransport 

type PipeTransport struct {
	Pipe *smb2.File
	// contains filtered or unexported fields
}

PipeTransport wraps an SMB2 named pipe using FSCTL_PIPE_TRANSCEIVE. This provides atomic request/response handling for DCE/RPC over named pipes.

func NewPipeTransport 

func NewPipeTransport(pipe *smb2.File) *PipeTransport

func (*PipeTransport) Close 

func (p *PipeTransport) Close() error

func (*PipeTransport) Read 

func (p *PipeTransport) Read(b []byte) (int, error)

func (*PipeTransport) Write 

func (p *PipeTransport) Write(b []byte) (int, error)

type RPCAuthHandler 

type RPCAuthHandler interface {
	Encrypt(plaintext []byte) []byte
	Decrypt(ciphertext []byte) []byte
	Sign(data []byte) []byte
	Verify(signature, data []byte) bool
	GetClientSeqNum() uint32
	IsInitialized() bool
}

RPCAuthHandler is the interface for RPC authentication handlers. Both NTLM and Kerberos auth handlers implement this interface.

type TCPTransport 

type TCPTransport struct {
	Conn net.Conn
}

TCPTransport wraps a raw TCP connection for ncacn_ip_tcp.

func DialTCP 

func DialTCP(host string, port int) (*TCPTransport, error)

DialTCP connects to a remote host:port and returns a TCPTransport.

func NewTCPTransport 

func NewTCPTransport(conn net.Conn) *TCPTransport

func (*TCPTransport) Close 

func (t *TCPTransport) Close() error

func (*TCPTransport) Read 

func (t *TCPTransport) Read(b []byte) (int, error)

func (*TCPTransport) Write 

func (t *TCPTransport) Write(b []byte) (int, error)

type Transport 

type Transport interface {
	Read(b []byte) (int, error)
	Write(b []byte) (int, error)
	Close() error
}

Transport abstracts the underlying connection for DCE/RPC.

Source Files

View all Source files

Directories

Path Synopsis
Package bkrp implements the BackupKey Remote Protocol (MS-BKRP) for retrieving domain backup keys used to decrypt DPAPI secrets.
 Package bkrp implements the BackupKey Remote Protocol (MS-BKRP) for retrieving domain backup keys used to decrypt DPAPI secrets.
Package dcom implements the DCOM Remote Protocol (MS-DCOM).
 Package dcom implements the DCOM Remote Protocol (MS-DCOM).
oaut
Package oaut implements OLE Automation interfaces (IDispatch)
 Package oaut implements OLE Automation interfaces (IDispatch)
wmi
Package wmi implements the WMI Remote Protocol (MS-WMI).
 Package wmi implements the WMI Remote Protocol (MS-WMI).
Package gkdi implements the MS-GKDI (Group Key Distribution Protocol) RPC client.
 Package gkdi implements the MS-GKDI (Group Key Distribution Protocol) RPC client.
Package icpr implements the MS-ICPR (ICertPassage Remote Protocol) interface.
 Package icpr implements the MS-ICPR (ICertPassage Remote Protocol) interface.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.