oiweiwei/go-msrpc

MS-RPC IDL Parser/Codegen for Go / MS-RPC/DCOM Client

The IDL parser for the Microsoft Extension of the C706: DCE/RPC 1.1.

The client stub generator for many MSRPC / DCOM services, including (but not limited to; see the complete list below) Netlogon, Windows Registry, Eventlog, DCOM (OXID resolver) and WMI (query and method exec).

Usage

Examples

See examples/samples_with_config and msrpc package documentation.

# run using string binding extension.
go run examples/samples_with_config/dnsp.go Administrator%P@ssw0rd@ncacn_ip_tcp:dc01.msad.local[privacy,spnego,krb5]

go run examples/samples_with_config/wmic.go Administrator%P@ssw0rd@ncacn_ip_tcp:dc01.msad.local[privacy,spnego,krb5] \
    --query "SELECT * FROM Win32_ComputerSystem"

# same as above, but using command-line args
go run examples/samples_with_config/dnsp.go \
    --username=Administrator \
    --domain=MSAD.LOCAL \
    --password=P@ssw0rd \
    --auth-level=privacy \
    --auth-spnego \
    --auth-type=krb5 \
    --server=dc01.msad.local
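
An added example (not code from go-msrpc): a small Go parser for the credential-bearing string binding used in the commands above. It shows why the credentials must be split at the last '@' and how to mask the password before the binding is logged. The Binding type, ParseBinding and Redacted are hypothetical names, and the grammar is assumed from the sample string only.

```go
package main

import (
	"fmt"
	"strings"
)

// Binding is a hypothetical type for this example, not a go-msrpc type.
type Binding struct {
	Username, Password, ProtSeq, Host string
	Options                           []string
}

// ParseBinding splits "user%password@protseq:host[opt,...]" (assumed grammar).
func ParseBinding(s string) (Binding, error) {
	var b Binding
	if i := strings.LastIndex(s, "["); i >= 0 && strings.HasSuffix(s, "]") {
		b.Options = strings.Split(s[i+1:len(s)-1], ",")
		s = s[:i]
	}
	// The password may contain '@' (as "P@ssw0rd" does): split at the LAST '@'.
	if i := strings.LastIndex(s, "@"); i >= 0 {
		b.Username, b.Password, _ = strings.Cut(s[:i], "%")
		s = s[i+1:]
	}
	var ok bool
	if b.ProtSeq, b.Host, ok = strings.Cut(s, ":"); !ok || b.ProtSeq == "" || b.Host == "" {
		// Do not echo the input in the error: it may still hold the password.
		return Binding{}, fmt.Errorf("binding must contain protseq:host")
	}
	return b, nil
}

// Redacted renders the binding with the password masked, for use in logs.
func (b Binding) Redacted() string {
	s := b.ProtSeq + ":" + b.Host
	if len(b.Options) > 0 {
		s += "[" + strings.Join(b.Options, ",") + "]"
	}
	if b.Username == "" {
		return s
	}
	return b.Username + "%***@" + s
}

func main() {
	// Sample binding copied from the command above.
	b, _ := ParseBinding("Administrator%P@ssw0rd@ncacn_ip_tcp:dc01.msad.local[privacy,spnego,krb5]")
	fmt.Println(b.Redacted())
}
```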

Examples (Old)

See examples and dcerpc package documentation.

Examples rely on the following environment variables:

| Name | Description | Example |
| --- | --- | --- |
| USERNAME | The Domain\Username | "MSAD2.COM\User" |
| PASSWORD | The password | "password" |
| PASSWORD_MD4 | The password hash (use go run examples/helpers/nt_hash.go -d $PASSWORD to generate the hash) | "f077ca4b7d73486a45e75dcdd74cd5bd" |
| WORKSTATION | The workstation name | "Ubuntu" |
| SERVER | The server FQDN or IP | "192.168.0.22" |
| SERVER_NAME | The server NetBIOS name | "WIN2019" |
| SERVER_HOST | The server FQDN | "my-server.win2019.com" |
| SAM_USERNAME | The machine account name (see examples/netlogon_sec_channel.go) | "COMPUTER$" |
| SAM_PASSWORD | The machine account password (see examples/netlogon_sec_channel.go) | "password" |
| SAM_WORKSTATION | The machine account workstation name | "COMPUTER" |
| TARGET | The target name (SPN) for kerberos. | "host/my-server.win2019.com" |
| KRB5_CONFIG | The kerberos config path. | "/path/to/krb5.conf" |

For code generation, run make all to regenerate all sources, or make nrpc.go.

Features

Connection-oriented DCE/RPC v5 client implementation

The library implements the CO RPC v5 (dcerpc package) with the following features:

  • Transfer Syntax NDR2.0 and NDR64

  • CO transport over Named Pipe (SMB2/3) and TCP.

  • Connection Multiplexing: multiple clients over single connection

  • Multiple Connections per Association Group: ability to use context handles from one connection on another, flexibility in arranging the clients-per-connection-per-association

  • Verification Trailer: ability to add verification trailer to the request payload

  • Kerberos, Netlogon, NTLM, SPNEGO Authentication

  • Endpoint mapper / string binding support

  • DCOM basic support

  • Eventlog BinXML parser

  • WMIO object unmarshaler / marshaler.

MS-RPCE Extensions

The library implements some of the extensions defined in the MS-RPCE document:

  • Security Context Multiplexing: ability to create multiple security contexts over the same logical connection.

  • Bind-time Feature Negotiation: (actually not a feature).

  • Header Signing: (legacy thing)

  • NDR64

GSS-API / SSP Client Side

The library contains the GSS-API interface definitions. (ssp/gssapi)

The library contains the ssp package which has an implementation for the various security service providers, like Kerberos, NTLM, Netlogon (Secure Channel), SPNEGO.

The Kerberos implementation is based on the jcmturner/gokrb5 fork. Any changes or feature requests should be addressed there.

  • GSSAPI interface implementation including Wrap/GetMic-Ex-methods defined in Microsoft documentation

  • Kerberos:

    • Supported Encryption Types:

      • RC4-HMAC

      • DES-CBC-MD5

      • DES-CBC-CRC

      • AES128-CTS-HMAC-SHA1

      • AES256-CTS-HMAC-SHA1

    • DCE Style AP Request and AP Reply

    • Mutual and Non-mutual Authn

  • NTLM

    • Supported Versions: NTLMv1, NTLMv2

  • Netlogon:

    • Supported Encryption Types:

      • RC4-HMAC

      • AES-SHA2

  • SPNEGO:

    • Supported Mech List MIC

    • Supported NegTokenInit2

SMB2 Client

The SMB2 client implementation is based on the hirochachacha/go-smb2 fork. Any changes or feature requests should be addressed there.

The set of changes includes:

  • SMB2 Force-Encryption Support

  • Integration with ssp/gssapi for Kerberos/NTLM authentication.

  • Fix for NT_STATUS_PENDING error

  • Keying material export (Application Key, Session Key)

Generated Stubs

| Code | Description | Package |
| --- | --- | --- |
| MS-ADTS | Active Directory Technical Specification: Claims | github.com/oiweiwei/go-msrpc/msrpc/adts |
| MS-EVEN6-BINXML | BinXml encodes an XML document so that the original XML text can be correctly reproduced from the encoding. | github.com/oiweiwei/msrpc/binxml |
| MS-BKRP | BackupKey Remote Protocol | github.com/oiweiwei/msrpc/bkrp |
| MS-BPAU | Background Intelligent Transfer Service (BITS) Peer-Caching: Peer Authentication Protocol | github.com/oiweiwei/msrpc/bpau |
| MS-BRWSA | Common Internet File System (CIFS) Browser Auxiliary Protocol | github.com/oiweiwei/msrpc/brwsa |
| MS-CAPR | Central Access Policy Identifier (ID) Retrieval Protocol | github.com/oiweiwei/msrpc/capr |
| MS-CMPO | MSDTC Connection Manager: OleTx Transports Protocol | github.com/oiweiwei/msrpc/cmpo |
| MS-CMRP | Failover Cluster: Management API (ClusAPI) Protocol | github.com/oiweiwei/msrpc/cmrp |
| MS-DFSNM | Distributed File System (DFS): Namespace Management Protocol | github.com/oiweiwei/msrpc/dfsnm |
| MS-DHCPM | Microsoft Dynamic Host Configuration Protocol (DHCP) Server Management Protocol | github.com/oiweiwei/msrpc/dhcpm |
| MS-DLTM | Distributed Link Tracking: Central Manager Protocol | github.com/oiweiwei/msrpc/dltm |
| MS-DLTW | Distributed Link Tracking: Workstation Protocol | github.com/oiweiwei/msrpc/dltw |
| MS-DNSP | Domain Name Service (DNS) Server Management Protocol | github.com/oiweiwei/msrpc/dnsp |
| MS-DRSR | Directory Replication Service (DRS) Remote Protocol | github.com/oiweiwei/msrpc/drsr |
| MS-DSSP | Directory Services Setup Remote Protocol | github.com/oiweiwei/msrpc/dssp |
| MS-DTYP | Windows Data Types | github.com/oiweiwei/msrpc/dtyp |
| MS-EERR | ExtendedError Remote Data Structure | github.com/oiweiwei/msrpc/eerr |
| MS-RPCE-EPM | C706-EPM Endpoint Mapper | github.com/oiweiwei/msrpc/epm |
| MS-ERREF | Windows Error Codes | github.com/oiweiwei/msrpc/erref |
| MS-EVEN | EventLog Remoting Protocol | github.com/oiweiwei/msrpc/even |
| MS-EVEN6 | EventLog Remoting Protocol Version 6.0 | github.com/oiweiwei/msrpc/even6 |
| MS-FASP | Firewall and Advanced Security Protocol | github.com/oiweiwei/msrpc/fasp |
| MS-FAX | Fax Server and Client Remote Protocol | github.com/oiweiwei/msrpc/fax |
| MS-ICPR | ICertPassage Remote Protocol | github.com/oiweiwei/msrpc/icpr |
| MS-IRP | Internet Information Services (IIS) Inetinfo Remote Protocol | github.com/oiweiwei/msrpc/irp |
| MS-LREC | Live Remote Event Capture (LREC) Protocol | github.com/oiweiwei/msrpc/lrec |
| MS-LSAD | Local Security Authority (Domain Policy) Remote Protocol | github.com/oiweiwei/msrpc/lsad |
| MS-LSAT | Local Security Authority (Translation Methods) Remote Protocol | github.com/oiweiwei/msrpc/lsat |
| MS-MQDS | Message Queuing (MSMQ): Directory Service Protocol | github.com/oiweiwei/msrpc/mqds |
| MS-MQMP | Message Queuing (MSMQ): Queue Manager Client Protocol | github.com/oiweiwei/msrpc/mqmp |
| MS-MQMQ | Message Queuing (MSMQ): Data Structures | github.com/oiweiwei/msrpc/mqmq |
| MS-MQMR | Message Queuing (MSMQ): Queue Manager Management Protocol | github.com/oiweiwei/msrpc/mqmr |
| MS-MQQP | Message Queuing (MSMQ): Queue Manager to Queue Manager Protocol | github.com/oiweiwei/msrpc/mqqp |
| MS-MQRR | Message Queuing (MSMQ): Queue Manager Remote Read Protocol | github.com/oiweiwei/msrpc/mqrr |
| MS-MSRP | Messenger Service Remote Protocol | github.com/oiweiwei/msrpc/msrp |
| MS-NEGOEX | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism | github.com/oiweiwei/msrpc/negoex |
| MS-NRPC | Netlogon Remote Protocol | github.com/oiweiwei/msrpc/nrpc |
| MS-NRPC-SECCHANNEL | Secure Channel Establishment and Maintenance | github.com/oiweiwei/msrpc/nrpc |
| MS-NSPI | Name Service Provider Interface (NSPI) Protocol | github.com/oiweiwei/msrpc/nspi |
| MS-OXABREF | Address Book Name Service Provider Interface (NSPI) Referral Protocol | |
| MS-OXCRPC | Wire Format Protocol | github.com/oiweiwei/msrpc/oxcrpc |
| MS-PAC | Privilege Attribute Certificate Data Structure | github.com/oiweiwei/msrpc/pac |
| MS-PAN | Print System Asynchronous Notification Protocol | github.com/oiweiwei/msrpc/pan |
| MS-PAR | Print System Asynchronous Remote Protocol | github.com/oiweiwei/msrpc/par |
| MS-PCQ | Performance Counter Query Protocol | github.com/oiweiwei/msrpc/pcq |
| MS-RAA | Remote Authorization API Protocol | github.com/oiweiwei/msrpc/raa |
| MS-RAIW | Remote Administrative Interface: WINS | github.com/oiweiwei/msrpc/raiw |
| MS-RPCL | Remote Procedure Call Location Services Extensions | github.com/oiweiwei/msrpc/rpcl |
| MS-RPRN | Print System Remote Protocol | github.com/oiweiwei/msrpc/rprn |
| MS-RRP | Windows Remote Registry Protocol | github.com/oiweiwei/msrpc/rrp |
| MS-RSP | Remote Shutdown Protocol | github.com/oiweiwei/msrpc/rsp |
| MS-SAMR | Security Account Manager (SAM) Remote Protocol (Client-to-Server) | github.com/oiweiwei/msrpc/samr |
| MS-SCH | Task Scheduler Service Remoting Protocol | github.com/oiweiwei/msrpc/sch |
| MS-SCMR | Service Control Manager Remote Protocol | github.com/oiweiwei/msrpc/scmr |
| MS-SRVS | Server Service Remote Protocol | github.com/oiweiwei/msrpc/srvs |
| MS-SSP | Single Sign-On Protocol | github.com/oiweiwei/msrpc/ssp |
| MS-SWN | Service Witness Protocol | github.com/oiweiwei/msrpc/swn |
| MS-TRP | Telephony Remote Protocol | github.com/oiweiwei/msrpc/trp |
| MS-TSCH | Task Scheduler Service Remoting Protocol | github.com/oiweiwei/msrpc/tsch |
| MS-TSGU | Terminal Services Gateway Server Protocol | github.com/oiweiwei/msrpc/tsgu |
| MS-W32T | W32Time Remote Protocol | github.com/oiweiwei/msrpc/w32t |
| MS-WDSC | Windows Deployment Services Control Protocol | github.com/oiweiwei/msrpc/wdsc |
| MS-WKST | Workstation Service Remote Protocol | github.com/oiweiwei/msrpc/wkst |

Generated DCOM Stubs

| Code | Description | Package |
| --- | --- | --- |
| MS-DCOM | Distributed Component Object Model (DCOM) Remote Protocol | github.com/oiweiwei/msrpc/dcom |
| MS-ADTG | Remote Data Services (RDS) Transport Protocol | github.com/oiweiwei/msrpc/adtg |
| MC-CCFG | Server Cluster: Configuration (ClusCfg) Protocol | github.com/oiweiwei/msrpc/ccfg |
| MS-COM | Component Object Model Plus (COM+) Protocol | github.com/oiweiwei/msrpc/com |
| MS-COMA | Component Object Model Plus (COM+) Remote Administration Protocol | github.com/oiweiwei/msrpc/coma |
| MS-COMEV | Component Object Model Plus (COM+) Event System Protocol | github.com/oiweiwei/msrpc/comev |
| MS-COMT | Component Object Model Plus (COM+) Tracker Service Protocol | github.com/oiweiwei/msrpc/comt |
| MS-CSRA | Certificate Services Remote Administration Protocol | github.com/oiweiwei/msrpc/csra |
| MS-CSVP | Failover Cluster: Setup and Validation Protocol (ClusPrep) | github.com/oiweiwei/msrpc/csvp |
| MS-DFSRH | DFS Replication Helper Protocol | github.com/oiweiwei/msrpc/dfsrh |
| MS-DMRP | Disk Management Remote Protocol | github.com/oiweiwei/msrpc/dmrp |
| MS-FSRM | File Server Resource Manager Protocol | github.com/oiweiwei/msrpc/fsrm |
| MC-IISA | Internet Information Services (IIS) Application Host COM Protocol | github.com/oiweiwei/msrpc/iisa |
| MS-IISS | Internet Information Services (IIS) ServiceControl Protocol | github.com/oiweiwei/msrpc/iiss |
| MS-IMSA | Internet Information Services (IIS) IMSAdminBaseW Remote Protocol | github.com/oiweiwei/msrpc/imsa |
| MS-IOI | IManagedObject Interface Protocol | github.com/oiweiwei/msrpc/ioi |
| MS-OAUT | OLE Automation Protocol | github.com/oiweiwei/msrpc/oaut |
| MS-OCSPA | Microsoft OCSP Administration Protocol | github.com/oiweiwei/msrpc/ocspa |
| MS-PLA | Performance Logs and Alerts Protocol | github.com/oiweiwei/msrpc/pla |
| MS-RAI | Remote Assistance Initiation Protocol | github.com/oiweiwei/msrpc/rai |
| MS-RDPESC | Remote Desktop Protocol: Smart Card Virtual Channel Extension | github.com/oiweiwei/msrpc/rdpesc |
| MS-VDS | Virtual Disk Service (VDS) Protocol | github.com/oiweiwei/msrpc/vds |
| MS-WCCE | Windows Client Certificate Enrollment Protocol | github.com/oiweiwei/msrpc/wcce |
| MS-WMI | Windows Management Instrumentation Remote Protocol | github.com/oiweiwei/msrpc/wmi |
| MS-WMIO | Windows Management Instrumentation Encoding Version 1.0 Protocol | github.com/oiweiwei/msrpc/wmio |

Documentation

The codegen package also generates documentation for the generated code, pulled from the MSDN portal. (It can be quite inaccurate at telling general comment boundaries from actual field descriptions, and the HTML on the MSDN side can be just as inaccurate.)

Naming

The codegen/go_names contains the ad-hoc naming engine, which sometimes quite sucks (so does the overall naming convention in IDL documents; seriously, how much time does the average Microsoft developer save by writing para instead of param?), but in most situations it provides a way to generate names that comply with the Go naming convention and give more intuition behind this or that field.

Generated Stubs

MIDL Implementation Limitations

  • L.0001: #define statements are applicable only for constant declaration;

  • L.0002: cpp_quote contents are limited only for constant declaration;

  • L.0005: int const declaration is not supported.

  • L.0006: wchar_t, status_error_t are predefined.

TODO

  • Testing (I don't have much time)

  • Handle reserved arguments/structure fields used for switch_is and size_is statements.

  • Derive the type from field name, like ^f[A-Z] -> boolean.

  • Pipes support

  • Callbacks Support / Server-Side Support

  • Static strings

  • Investigate: Association Group ID is not shared across several named pipe connections. (each NP requires dedicated connection).

  • Convenient way to combine SPNEGO and NTLM/KRB5 within connection option.

Open Questions

  • Why IObjectExporter does not support NDR64?

  • Why server returns indistinguishable pointers for NDR64?

  • Why SMB2 does not support certain auth levels (i.e. Winreg supports only Insecure and Privacy)?

References

Without these projects, it would be absolutely impossible to implement go-msrpc.

Collaboration

Don't hesitate to raise an issue (and only then raise a PR); the project is quite raw, and I don't have much time, so a lot of errors and issues are yet to be discovered.
