RPC to Go v.2
? ???? ??? RPC to Go v1? ???????. ??? ???? v.1? ?? ??? ??? RPC protocol? ????? ???? ??? ??? ??? ?????. ? ?????? ????, End Point Mapper bind ??? RPC bind? ?? ? ? ??? ??? ???? ? ????. ??? ????? ?? ???? ???? troubleshooting tool? ?? ??? ? ????. “RPC to Go” blog? troubleshooting reference? ? ? ??? ?????.
??? ??
???? – ?? ???? Marsharlling? ????? ??? ??? .
??? ??? v.1?? RPC process? ???? ??? Marsharlling? ??? ?? ?????. RPC stub? Rumtime API? ??? ?????. Marsharlling? ??? data? ???? ???? ????. Network data representation(NDR)? NDR20(32-bit OS)? NDR64(64-bit OS)?? ?????. NDR ?? transfer syntax? client stub? server stub?? ???? ?? ???. ??? ?? ???? ???? syntacx conflict? ?? ? ????. ?? ??, application? ??? UUID? end point mapper? ????? transfer syntax? ??? ? ????. ?? ?????? ??? ?? ??? ?? ? ????. “The transfer syntax is not supported by the RPC server”
Network Captures
Client connection to the End Point Mapper.
End Point Mapper?? connection?? bind? map request? ?????.
Frame 4: Bind request to the EndPoint mapper
4 10:41:50.101297 10.32.30.66 10.1.200.2 DCERPC Bind: call_id: 1 EPMv4 V3.0Transmission Control Protocol, Src Port: sdo (3635), Dst Port: epmap (135), Seq: 1060393319, Ack: 3285256023, Len: 72
The 32bit NDR is presented in the request
Transfer Syntax[1]: 8a885d04-1ceb-11c9-9fe8-08002b104860 V2
Frame 5: Bind_Ack from the EndPoint Mapper
5 10:41:50.102274 10.1.200.2 10.32.30.66 DCERPC Bind_ack: call_id: 1 accept max_xmit: 5840 max_recv: 5840
Inside frame 5:
DCE/RPC Endpoint Mapper, Map
Operation: Map (3)
[Response in frame: 7]
UUID pointer:
Referent ID: 0x00000001
UUID: 00000000-0000-0000-0000-000000000000
Tower pointer:
Referent ID: 0x00000002
Length: 75
Length: 75
Number of floors: 5
Floor 1 UUID: LSA
LHS Length: 19
Protocol: UUID (0x0d)
UUID: LSA (12345778-1234-abcd-ef00-0123456789ab)
Version 0.0
RHS Length: 2
Version Minor: 0
Floor 2 UUID: Version 1.1 network data representation protocol
LHS Length: 19
Protocol: UUID (0x0d)
UUID: Version 1.1 network data representation protocol (8a885d04-1ceb-11c9-9fe8-08002b104860)
Version 2.0
RHS Length: 2
Version Minor: 0
Floor 3 RPC connection-oriented protocol
LHS Length: 1
Protocol: RPC connection-oriented protocol (0x0b)
RHS Length: 2
Floor 4 TCP Port:135
LHS Length: 1
Protocol: DOD TCP (0x07)
RHS Length: 2
TCP Port: 135
Floor 5 IP:0.0.0.0
LHS Length: 1
Protocol: DOD IP (0x09)
RHS Length: 4
IP: 0.0.0.0 (0.0.0.0)
Handle: 0000000000000000000000000000000000000000
Max Towers: 4
The Map Response. ?? ??? Floor 4?? ??? ? ?? IP address? ??? Floor 5?? ??? ? ????. ??? ?? ?? ??? ??? Floor 4??? ??? ??? ?????. ???? ??? ????? ?? ??? ??? ??? IP address? ???? ?? ???? ????. ??? Map response?? ???? ??? ??? ? ????.
DCE/RPC Endpoint Mapper, Map
Operation: Map (3)
[Request in frame: 6]
Handle: 0000000000000000000000000000000000000000
Num Towers: 2
Tower array:
Max Count: 4
Offset: 0
Actual Count: 2
Tower pointer:
Referent ID: 0x00000003
Length: 75
Length: 75
Number of floors: 5
Floor 1 UUID: LSA
LHS Length: 19
Protocol: UUID (0x0d)
UUID: LSA (12345778-1234-abcd-ef00-0123456789ab)
Version 0.0
RHS Length: 2
Version Minor: 0
Floor 2 UUID: Version 1.1 network data representation protocol
LHS Length: 19
Protocol: UUID (0x0d)
UUID: Version 1.1 network data representation protocol (8a885d04-1ceb-11c9-9fe8-08002b104860)
Version 2.0
RHS Length: 2
Version Minor: 0
Floor 3 RPC connection-oriented protocol
LHS Length: 1
Protocol: RPC connection-oriented protocol (0x0b)
RHS Length: 2
Floor 4 TCP Port:1600
LHS Length: 1
Protocol: DOD TCP (0x07)
RHS Length: 2
TCP Port: 1600 -- Port to use for application access
Floor 5 IP:10.1.200.2
LHS Length: 1
Protocol: DOD IP (0x09)
RHS Length: 4
IP: 10.1.200.2 (10.1.200.2) – IP the application is listening on.
Tower pointer:
Referent ID: 0x00000004
Length: 75
Length: 75
Number of floors: 5
Floor 1 UUID: LSA
LHS Length: 19
Protocol: UUID (0x0d)
UUID: LSA (12345778-1234-abcd-ef00-0123456789ab)
Version 0.0
RHS Length: 2
Version Minor: 0
Floor 2 UUID: Version 1.1 network data representation protocol
LHS Length: 19
Protocol: UUID (0x0d)
UUID: Version 1.1 network data representation protocol (8a885d04-1ceb-11c9-9fe8-08002b104860)
Version 2.0
RHS Length: 2
Version Minor: 0
Floor 3 RPC connection-oriented protocol
LHS Length: 1
Protocol: RPC connection-oriented protocol (0x0b)
RHS Length: 2
Floor 4 TCP Port:1025
LHS Length: 1
Protocol: DOD TCP (0x07)
RHS Length: 2
TCP Port: 1025 – Port to use for application access (different from first tower)
Floor 5 IP:10.1.200.2
LHS Length: 1
Protocol: DOD IP (0x09)
RHS Length: 4
IP: 10.1.200.2 (10.1.200.2) – IP application is listening on.
Return code: 0x00000000
Connection to the App
Application??? ??? ?? ???? RPC bind? ??? operation number(OpNum)? ?????. ? bind? call_id? ??? ?? ???.
Frame 11: RPC Bind Request from the client
11 10:41:50.148172 10.32.30.66 10.1.200.2 DCERPC Bind: call_id: 1 LSA V0.0
Frame 11 (184 bytes on wire, 184 bytes captured)
Internet Protocol, Src: 10.32.30.66 (10.32.30.66), Dst: 10.1.200.2 (10.1.200.2)
Transmission Control Protocol, Src Port: servistaitsm (3636), Dst Port: issd (1600), Seq: 3000314679, Ack: 2455167807, Len: 130
DCE RPC Bind, Fragment: Single, FragLen: 130, Call: 1
Frame 12: RPC Bind Ack from the Server
12 10:41:50.148172 10.1.200.2 10.32.30.66 DCERPC Bind_ack: call_id: 1 accept max_xmit: 5840 max_recv: 5840
Frame 12 (134 bytes on wire, 134 bytes captured)
Internet Protocol, Src: 10.1.200.2 (10.1.200.2), Dst: 10.32.30.66 (10.32.30.66)
Transmission Control Protocol, Src Port: issd (1600), Dst Port: servistaitsm (3636), Seq: 2455167807, Ack: 3000314809, Len: 80
DCE RPC Bind_ack, Fragment: Single, FragLen: 80, Call: 1
Frame 13: You see the OpNum presented to the server.
RPC: c/o Request: LSARpc {12345778-1234-ABCD-EF00-0123456789AB} Call=0x1 Opnum=0x4C Context=0x0 Hint=0x7C
?????? ?? ??? ??? ?????? process? ???? ??? ??? OpNum? ??? ?? ???.
- ? ??????? ??? operation number ??? ??? ????.
???? ???
Service Doesn’t Register with the Endpoint Mapper
- network capture?? UUID? ??? “invalid syntax”? ??? ? ????.
Firewall blocking application port
- EPM(tcp 135) ??? ????? app? endpoint mapper? ??? port(?? 1600)?? ??? ???(???? ?? ?????)? ??? ??? ? ????.
- KB 899148? ?? ?????.
Troubleshooting
- Tools:
Network Monitor 3.3 – end point mapper? RPC port?? bind ??? ??? ? ?? ??? ????. ??? SYN ??? ????? ??? ?? ?? ?? ??? ??? ? ????. ?? ???? ????? SYN? ??? ??? ? ????. ?? ???? ????? ????? SYN? ??? ?? ???. WireShark ?? Network Monitor? ?????.
PortQry – endpoint mapper? query?? ??? UUID? ??? ??? ? ?? ?????. ??? ??? ?? ?? ???:
UDP port 135 (epmap service): LISTENING or FILTERED
Querying Endpoint Mapper Database...
Server's response:
UUID: 50abc2a4-574d-40b3-9d66-ee4fd5fba076
ncacn_ip_tcp:169.254.12.191[4144]
UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface
ncacn_np:\\\\MYSERVER[\\PIPE\\lsass]
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:169.254.12.191[1030]
RPC? ???? troubleshooting?? ?? ????. troubleshooting? ?? ??? ??? ??? ?????? ???? ????. ??? ?? ??? ?? ? ????":
- ?? ??? ??????? ????? ?? ???? ?? ???? ???? ??? ???? debugging? ??? ? ????.
- ??? ????: ?????? ??? ???? ??? ??? ??? ???? ??? ?????
- ?? End Point Mapper? ???? ??? ???? ???? ??? ??? SYN ??? ?? ? ????. ??? ???? ????? ???.
? ???? RPC? ?? ? ? ?????? ????.
- Rich Chambers