icpr-poc

Demonstrate MS-ICPR with Impacket and Samba


ICertPassage::CertServerRequest from Linux

The code in this repository is a demonstration of calling Windows RPCs from Linux using both impacket and samba. For a long time it has been on my to-do list to better understand how Windows RPC works, and how to go from reading the specification documents to calling the procedures without relying on MS tools (in this case, certreq can call the ICPR interface when invoked with -submit and -rpc).

Essentially the same program has been written twice. The first, CertServerRequest.py, is built on the impacket library. The second, main.c, uses the samba library libdcerpc (as well as a couple of others).

The program just calls CertServerRequest, which is used to submit a CSR to an Active Directory Certificate Services (AD CS) certification authority. I suggest familiarising yourself with the MS-ICPR specification document (and large parts of both MS-WCCE and MS-CRTD) to properly understand what the parameters mean.
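To make the parameters concrete, here is an added example (my own code, not the Python or C program in this repository) that hand-marshals the [in] parameters of CertServerRequest into NDR stub data and parses the [out] parameters of a response, without impacket or samba. The IDL it follows is the one in MS-ICPR (dwFlags, pwszAuthority, pdwRequestId, pctbAttribs, pctbRequest in; pdwRequestId, pdwDisposition, the three CERTTRANSBLOBs and the return code out); the NDR layout rules applied (referent IDs for top-level [unique] pointers, none for [ref] pointers, conformant varying arrays for [string] wchar_t*, deferred pointees for pointers inside a structure) are my reading of DCE 1.1 NDR and are the assumption the example rests on. The sample CSR bytes and the sample response are constructed, not captured from a CA. Getting any of these counts or pads wrong is exactly what produces RPC_X_BAD_STUB_DATA, which the remarks below mention, so the parser checks the conformance counts it reads.

```python
import struct

# Identifiers from MS-ICPR: interface UUID and the opnum of CertServerRequest.
ICPR_UUID = "91ae6020-9e3c-11cf-8d7c-00aa00c091be"
ICPR_OPNUM_CERT_SERVER_REQUEST = 0

# pdwDisposition values (CR_DISP_* from MS-WCCE).
DISPOSITIONS = {
    0: "CR_DISP_INCOMPLETE", 1: "CR_DISP_ERROR", 2: "CR_DISP_DENIED",
    3: "CR_DISP_ISSUED", 4: "CR_DISP_ISSUED_OUT_OF_BAND",
    5: "CR_DISP_UNDER_SUBMISSION", 6: "CR_DISP_REVOKED",
}


class NdrWriter:
    """Little-endian NDR encoder for the few types CertServerRequest needs.
    Assumed rules (DCE 1.1 NDR): primitives align to their size; a top-level
    [ref] pointer is just its pointee; a top-level [unique] pointer is a 4-byte
    referent ID (0 for NULL) followed immediately by the pointee; a pointer
    inside a structure is a referent ID in place, pointee deferred after it."""

    def __init__(self):
        self.buf = bytearray()
        self.next_refid = 0x00020000  # any distinct non-zero values will do

    def align(self, n):
        self.buf += b"\x00" * (-len(self.buf) % n)

    def dword(self, value):
        self.align(4)
        self.buf += struct.pack("<I", value)

    def refid(self):
        self.dword(self.next_refid)
        self.next_refid += 4

    def unique_wstring(self, text):
        """[in, string, unique] const wchar_t*: referent ID, then a conformant
        varying array (max count, offset, actual count, UTF-16LE chars + NUL)."""
        if text is None:
            self.dword(0)
            return
        chars = (text + "\x00").encode("utf-16-le")
        count = len(chars) // 2
        self.refid()
        self.dword(count)  # MaximumCount
        self.dword(0)      # Offset
        self.dword(count)  # ActualCount (includes the terminator)
        self.align(2)
        self.buf += chars

    def certtransblob(self, data):
        """CERTTRANSBLOB { ULONG cb; [size_is(cb), unique] BYTE *pb; }:
        cb, referent ID, then the deferred conformant array (max count, bytes)."""
        self.align(4)
        self.dword(len(data))
        if not data:
            self.dword(0)  # NULL pb
            return
        self.refid()
        self.dword(len(data))  # conformant max count must equal cb
        self.buf += bytes(data)

    def getvalue(self):
        return bytes(self.buf)


class NdrReader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def align(self, n):
        self.pos += -self.pos % n

    def dword(self):
        self.align(4)
        if self.pos + 4 > len(self.data):
            raise ValueError("stub truncated")
        (value,) = struct.unpack_from("<I", self.data, self.pos)
        self.pos += 4
        return value

    def certtransblob(self):
        cb = self.dword()
        if self.dword() == 0:  # NULL pb
            return b""
        if self.dword() != cb:  # max count of the conformant array
            raise ValueError("CERTTRANSBLOB max count != cb (bad stub data)")
        if self.pos + cb > len(self.data):
            raise ValueError("CERTTRANSBLOB runs past end of stub")
        blob = bytes(self.data[self.pos:self.pos + cb])
        self.pos += cb
        return blob


def build_cert_server_request_stub(flags, authority, request_id, attributes, request_der):
    """Stub data for the [in] parameters of CertServerRequest, in IDL order.
    attributes is the MS-WCCE "name:value" attribute text, sent as UTF-16LE."""
    w = NdrWriter()
    w.dword(flags)                                    # dwFlags
    w.unique_wstring(authority)                       # pwszAuthority (CA name)
    w.dword(request_id)                               # *pdwRequestId (0 = new)
    w.certtransblob(attributes.encode("utf-16-le"))   # *pctbAttribs
    w.certtransblob(request_der)                      # *pctbRequest (the CSR)
    return w.getvalue()


def parse_cert_server_response_stub(stub):
    """[out] parameters of CertServerRequest followed by the DWORD return code."""
    r = NdrReader(stub)
    result = {}
    result["request_id"] = r.dword()
    result["disposition"] = r.dword()
    result["cert"] = r.certtransblob()
    result["encoded_cert"] = r.certtransblob()
    message = r.certtransblob()
    result["disposition_message"] = message.decode("utf-16-le").rstrip("\x00")
    result["return_code"] = r.dword()
    result["disposition_name"] = DISPOSITIONS.get(result["disposition"], "unknown")
    return result


def sample_response_stub():
    """Constructed response (not captured from a CA): issued, 3-byte 'cert' so the
    next blob needs alignment padding, empty encoded cert, Unicode message."""
    w = NdrWriter()
    w.dword(42)                                       # *pdwRequestId
    w.dword(3)                                        # *pdwDisposition
    w.certtransblob(b"\x30\x01\x00")                  # *pctbCert
    w.certtransblob(b"")                              # *pctbEncodedCert (NULL pb)
    w.certtransblob("Issued\x00".encode("utf-16-le")) # *pctbDispositionMessage
    w.dword(0)                                        # return value
    return w.getvalue()


if __name__ == "__main__":
    req = build_cert_server_request_stub(0, "CA-NAME", 0, "CertificateTemplate:User",
                                         b"\x30\x03\x02\x01\x00")  # constructed, not a CSR
    print(req.hex())
    print(parse_cert_server_response_stub(sample_response_stub()))
```

Comparing the hex printed here against the stub bytes impacket emits for the same inputs (for example in a packet capture) is the kind of byte-by-byte comparison that tracks down a stub-data mismatch.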

Building

The Python script only requires impacket to be installed; after that it should just work.

To compile the C program is a little more involved. First, install the development version of samba.

apt install samba-dev

Then, to compile the IDL file, pidl is required. This is a tool written by the Samba team and used for building both client and server stubs. It can be obtained by checking out the samba source code (it lives in the pidl/ directory of the tree).

Then just run make with a suitable path:

PATH=/path/to/samba/pidl/:${PATH} make

Remarks

I started writing these programs while playing the SIZZLE machine on HackTheBox. There I realised that the enrolment web portal (CES) was just a luxury, as it was possible to enrol the certificate directly over DCERPC (or DCOM) using certreq. But I was interested to see if it could be done without using certreq.

Initially I tried focusing on the Python version as I thought it would be easiest. However, as I am inexperienced with DCERPC and impacket does not provide an IDL compiler, it required writing the interface bindings by hand. This needed a good understanding of the IDL file format and the NDR protocol used for representing the data. Often I would hit the error RPC_X_BAD_STUB_DATA, meaning that the server expected the data in a different format.

So I started again with a C program that had NDR stubs generated by Samba. This made it easier to get a working solution. However, it took a little while to properly understand exactly how to call the library functions to bind correctly to the ICPR interface with the correct authentication settings. But this is a one-time learning curve.

After this, it was fairly simple to compare a valid request structure with that generated by impacket and tweak the data structures to align.

Other bits

Copyright Karim Kanso, 2021. All rights reserved. Licensed under GPLv3.