Handle no more entries response from ept_lookup rpc call #1849
+8
−1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
anadrianmanrique
added
in review
|
Thanks for the PR @AndreasLrx . Could you provide more context regarding the scenario you're trying (besides being SAMBA AD) ? Is rpcdump.py failing against the target? |
anadrianmanrique
added
the
waiting for response
|
Nothing specific about the context, expect being a SAMBA AD. I'm just trying to list the rpc endpoints to find a specific one which is missing in SAMBA AD. Without the fix, rpcdump.py is failing with the following output: $ rpcdump.py MYDOMAIN/admin:[email protected] -debug
Impacket v0.13.0.dev0+20241119.85549.6d3cce8c - Copyright Fortra, LLC and its affiliated companies
[+] Impacket Library Installation Path: /usr/local/lib/python3.9/site-packages/impacket-0.13.0.dev0+20241119.85549.6d3cce8c-py3.9.egg/impacket
[*] Retrieving endpoint list from mydomain.lan
[+] StringBinding ncacn_ip_tcp:mydomain.lan[135]
[-] Protocol failed: DCERPC Runtime Error: code: 0x16c9a0d6 - ept_s_not_registered
[*] No endpoints found.And with the fix it behaves as expected: $ rpcdump.py MYDOMAIN/admin:[email protected] -debug
Impacket v0.13.0.dev0+20241119.85549.6d3cce8c - Copyright Fortra, LLC and its affiliated companies
[+] Impacket Library Installation Path: /usr/local/lib/python3.9/site-packages/impacket-0.13.0.dev0+20241119.85549.6d3cce8c-py3.9.egg/impacket
[*] Retrieving endpoint list from mydomain.lan
[+] StringBinding ncacn_ip_tcp:mydomain.lan[135]
[...]
[*] Received 53 endpoints.And yes you're totally right about re raising the exception, I'll amend the commit 👍 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi 👋
This PR aims to allow usage of ept_lookup with Samba Active Directory.
[MS-RPC] protocol documentation section 2.2.1.2.4 (about ept_lookup) specify the status
0x16C9A0D6must not be treated as an error but instead inform the caller there are no more elements.Of course this is not what an MSAD does, it instead always return a status code of 0 and clear the handle when there is no more elements (which explain the existing codebase)
When looking at error codes in rpcrt.py,
0x16C9A0D6is associated withept_s_not_registeredmessage.And the
rpc_s_no_more_entriesmessage with0x16c9a091code.I couldn't find actual documentation of this error code (outside in [MS-RPC]), it doesn't even appear in [MS-ERREF] documentation, which is why I didn't changed the error codes in rpcrt.py but instead used it directly in ept_lookup.