pkg dcerpc

pkg/dcerpc - DCE/RPC Client Framework

DCE/RPC client supporting named pipe (SMB) and TCP transports, with NTLM and Kerberos authentication. Includes implementations of 15+ Windows RPC services.

Constructors

From SMB Named Pipe

func NewClient(pipe *smb2.File) *Client

smbClient := smb.NewClient(target, creds)
smbClient.Connect()

pipe, _ := smbClient.OpenPipe("svcctl")
rpcClient := dcerpc.NewClient(pipe)

From TCP Connection

func NewClientTCP(transport Transport) *Client

Binding

Method	Signature	Description
`Bind`	`(uuid [16]byte, major, minor uint16) error`	Bind without authentication
`BindWithSyntax`	`(uuid, transferUUID [16]byte, ...) error`	Bind with specific transfer syntax
`BindMulti`	`(bindings []InterfaceBinding) error`	Bind to multiple interfaces
`BindAuth`	`(uuid [16]byte, major, minor uint16, creds *session.Credentials) error`	NTLM-authenticated bind
`BindAuthKerberos`	`(uuid [16]byte, major, minor uint16, creds, target) error`	Kerberos-authenticated bind

RPC Calls

// Unauthenticated
func (c *Client) Call(opNum uint16, payload []byte) ([]byte, error)

// Authenticated (auto-selects NTLM or Kerberos)
func (c *Client) CallAuthAuto(opNum uint16, payload []byte) ([]byte, error)

CallAuthAuto handles fragmentation, signing, and encryption automatically.

RPC Service Implementations

Package	Interface UUID	Named Pipe	Description
`samr`	`12345778-1234-ABCD-EF00-0123456789AC`	`samr`	User/group management, password changes
`lsarpc`	`12345778-1234-ABCD-EF00-0000000000C0`	`lsarpc`	LSA policy, name/SID lookups
`winreg`	`338CD001-2244-31F1-AAAA-900038001003`	`winreg`	Remote registry access
`svcctl`	`367ABB81-9844-35F1-AD32-98F038001003`	`svcctl`	Service control manager
`tsch`	`86D35949-83C9-4044-B424-DB363231FD0E`	`atsvc`	Task Scheduler
`drsuapi`	`E3514235-4B06-11D1-AB04-00C04FC2DCD2`	`drsuapi`	Directory replication (DCSync)
`epmapper`	`E1AF8308-5D1F-11C9-91A4-08002B14A0FA`	`epmapper`	RPC endpoint mapper
`srvsvc`	`4B324FC8-1670-01D3-1278-5A47BF6EE188`	`srvsvc`	Server service (shares, sessions)
`wkssvc`	`6BFFD098-A112-3610-9833-46C3F87E345A`	`wkssvc`	Workstation service
`dcom`	`00020400-0000-0000-C000-000000000046`	(TCP)	DCOM activation
`netlogon`	`12345678-1234-ABCD-EF00-01234567CFFB`	`netlogon`	Netlogon (domain auth)
`bkrp`	`3D267E5B-B620-4E82-B19B-D5E40EEE3D7D`	`protected_storage`	DPAPI backup key retrieval
`icpr`	`91AE6020-9E3C-11CF-8D7C-00AA00C091BE`	`cert`	ADCS certificate request
`gkdi`	`B9679C50-0DFF-4C6F-BCE3-A95EB6FF8ED7`	(TCP)	Group Key Distribution Interface
`tsts`	(custom)	`tsts`	Terminal Services

Example: Authenticated RPC (NTLM)

pipe, _ := smbClient.OpenPipe("samr")
rpcClient := dcerpc.NewClient(pipe)

// NTLM-authenticated bind with packet privacy
rpcClient.BindAuth(samr.UUID, samr.MajorVersion, samr.MinorVersion, creds)

// All subsequent calls are encrypted
response, _ := rpcClient.CallAuthAuto(opNum, payload)

Example: Authenticated RPC (Kerberos)

creds.UseKerberos = true
creds.DCIP = "10.0.0.1"

pipe, _ := smbClient.OpenPipe("drsuapi")
rpcClient := dcerpc.NewClient(pipe)

rpcClient.BindAuthKerberos(drsuapi.UUID, drsuapi.MajorVersion, drsuapi.MinorVersion,
    creds, target)

response, _ := rpcClient.CallAuthAuto(opNum, payload)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

pkg dcerpc

pkg/dcerpc - DCE/RPC Client Framework

Constructors

From SMB Named Pipe

From TCP Connection

Binding

RPC Calls

RPC Service Implementations

Example: Authenticated RPC (NTLM)

Example: Authenticated RPC (Kerberos)

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally