New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Freeze on RPC Bind #19
Comments
Hi! Thanks for the report. I think the issue is either authentication failure against the rpc end-point (which would cause the The fact that it gets to the RPC indicates that auth was successful against autodiscover though. So It's weird that there is this is failing. It could be that the RPC proxy is disabled. I'll try push add a check to see that RPC has authenticated correctly or if there is an error coming back from the channel setup. I'm struggling with channel synchronisation. In the meantime, could you try with |
If you could try the update I pushed into |
I can't build dev... but is my first time to download a specific branch from git (rather than just default), so maybe I am doing something wrong? Command:
|
Seems like some of the address book stuff I'm working on didn't get synced to the dev branch. I've pushed a pre-built binary to releases: https://github.com/sensepost/ruler/releases/tag/v2.0.18 Thanks for helping troubleshoot this 👍 |
Thanks here is the new message. |
Interesting, it all looks right. Can you try leaving off "--domain" ? |
Further update:
|
sorry, just seen your message to ping you.. will do... |
Error located! When BASIC auth was being used on the rpcproxy, I disabled Fixes in dev branch and in prelease: https://github.com/sensepost/ruler/releases/tag/v2.0.18 |
Hi,
I did build the last source code from the master branch (2.1.9). Is there any dev branch I can try ? Cheers! |
Hi, thanks for reporting this. These are notoriously difficult to debug. Could you try run with |
Yeah, sorry for the news. Using "--debug" doesn't provide any additional information unfortunately. Tcpdump doesn't show any traffic during the freeze. From time to time, I see some 0 length TCP packets (could be some keep-alive ..). I think having tried many combinations including --hash / --noencrypt / --basic (access denied) / --rpc / ... PS: Next week I will be in UK for the Sensepost BlackHat training. If you're part of the trainers, it might be easier to troubleshot. |
Ok, what I usually do is to use http://github.com/staaldraad/tcpprox to proxy the traffic and see what the issue might be. But seems like the connection is going through but Ruler isn't parsing the response packets correctly. One option might be to try build 2.1.7 or earlier. I changed the RPC parsing logic around then and maybe the newer logic breaks in this instance. I'm no longer with SensePost, but hopefully Vlad or Evangelos can help out if we haven't resolved this before then. P.S the training is awesome, hope you enjoy it! |
No luck with 2.1.6 nor 2.1.7. Not sure to use tcpprox correctly. Could you confirm this syntax ?: tcpprox says:
but 'ruler' fails to perform the autodiscovery now. Funny to see that tcpprox itself is at 99% of CPU ! Thanks. |
with tcpprox it acts as a transparent proxy, so what you'll need to do is So you have tried with |
Some more information.. Still no luck (or time) to retry tcpprox. I have:
|
Does it help to see this debug output ? Printf in RPCRead():
Output :
|
hey! Strange that the callID isn't incrementing. Could you try with otherwise if you could check out ruler the version around this commit: 89b36c6 The subsequent commit is where I brought in the "fragmentation" detection. That could be the breaker. Alternatively 2.1.1 or there about should also have the older RPC parsing logic and would hopefully work differently. |
Mmmm, no luck with versions Regarding |
Those are definitely bogus values, the expected is sequential starting at 1 😢 You could add some output to the "scan" method, and we could see what the packets look like:
Should help give some insight, I know what to expect :) Thanks for the thorough work on debugging this! |
With pleasure :) |
hmmm, there shouldn't be (you might spot NTLM auth header in the HTTP data, but you could sanitize that) - The RPC data would consist of the server side response to the NTLM hand-shake, but nothing more. |
if you use |
I think you will hate me ... The "Setting up channel" ends with a 401 (auth issue), I have 3 headers and the RPCBind ends with a 400 error claiming "Bad Request - Invalid Verb" :-/ |
Ok, it works ! No if I type the password instead AND provide Sorry for the wasted time. Maybe a check on the HTTP response code would be good for stupid peoples like me :-/ |
hahaha! brilliant! And this hasn't been a waste of time :) that freeze used to happen if I missed the HTTP response code. I thought I'd fixed the parser to handle it, seems like there is still an edge case that I've missed 👎 At least it's easier to fix than RPC issues!! P.S never write your own HTTP parser... Thanks again for a great report and all the effort! Enjoy the Black-ops training and say hi to Vlad and the guys for me |
Thanks for your time ;)
I will double check my NTLM hash and will do more tests on that side.
Cheers
…On 1 December 2017 16:23:54 CET, Etienne Stalmans ***@***.***> wrote:
hahaha! brilliant!
And this hasn't been a waste of time :) that freeze used to happen if I
missed the HTTP response code. I thought I'd fixed the parser to handle
it, seems like there is still an edge case that I've missed 👎 At
least it's easier to fix than RPC issues!!
P.S never write your own HTTP parser...
Thanks again for a great report and all the effort! Enjoy the Black-ops
training and say hi to Vlad and the guys for me
--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
#19 (comment)
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
|
Just a last note, I feel stupid but the |
you are absolutely right, it is confusing 😕 I like the idea of |
When executing check or display commands, after autodiscover, "Binding to RPC" causes the ruler process to go to 99% CPU usage and nothing happens after waiting for a long time. This is on the Linux 64 troopers release.
On the slightly older (but most recently available) Windows release the following error occurs:
[x] An error occurred setting up RPC.
[x] Couldn't setup RPC channel - illegal base64 data at input byte 5
The text was updated successfully, but these errors were encountered: