skyghis / j-interop-ng

j-interop based on jcifs-ng
GNU Lesser General Public License v3.0

Raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application #20

Open devaskim opened 1 year ago

devaskim commented 1 year ago
The server-side authentication level policy does not allow the user DESKTOP-QPOBNNR\Admin SID (S-1-5-21-239355189-745547292-2783995333-1001) 
from address 192.168.0.5 to activate DCOM server. 
Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

and in application logs

Message not found for errorCode: 0x800706BA

Hi team,

First of all, I know the whole history of Microsoft's DCOM hardening and the reason why PR #17 was applied. But even with all these fixes/improvements from @pgharron, my application cannot make an ASYNC read from Matricon Simulation Server work on the same machine. SYNC read (device mode) works like a charm thanks to @pgharron.

Maybe you guys, @skyghis or @pgharron, could point out to me what is going wrong?

I have spent several weeks on this issue and have no results yet ((((

All Windows RPC services are up. I disabled Windows Defender and Firewall, there is no antivirus, and I granted full remote and local DCOM permissions (activation, access and configuration) for all types of Windows user. I have done all the steps from the official Matricon DCOM guides. In other words, my PC is a security hole.

I initialized the session with the highest authentication level:

      import org.jinterop.dcom.core.JISession;

      // Create the session (the arguments are omitted here) and turn on the
      // strongest options the JISession API exposes.
      JISession session = JISession.createSession(....);
      session.useNTLMv2(true);           // authenticate with NTLMv2 instead of NTLMv1
      session.useSessionSecurity(true);  // enable NTLM session security (signing/sealing)

The debugger shows that the protection level of the NTLM connection is 6, i.e. PROTECTION_LEVEL_PRIVACY, i.e. the highest.

Please note that the error description in Windows Event Viewer includes the IP of my WiFi adapter (192.168.0.5), but I need only a localhost connection. Maybe this is the reason?

My connection parameters are the following:

host - 127.0.0.1
domain - _not set_
user - Admin (has admin permissions + DCOM user group)
password - admin
CLSID - F8582CF2-88FB-11D0-B850-00C0F0104305

OS: Windows 10 Pro 22H2 19045.2846
pgharron commented 1 year ago

Hi @devaskim, sorry to hear you are having problems. I don't know what to suggest, to be honest. My experience with j-interop is pretty limited - to the changes that I made recently. I don't have any experience with Matricon.

The error code 0x800706BA suggests that the RPC server is unavailable/not started? Is the Remote Registry service started - can't be that simple!?

Phil

devaskim commented 1 year ago

Thanks @pgharron for your attention. RPC is up. Remote Registry was disabled, but starting it didn't help. Just a reminder: it is a localhost connection.

C:\WINDOWS\system32>Portqry.exe -n 192.168.0.5  -e 135

Querying target system called:

 192.168.0.5

Attempting to resolve IP address to a name...

IP address resolved to host.docker.internal

querying...

TCP port 135 (epmap service): LISTENING
devaskim commented 1 year ago

There is definitely a misconfiguration of RPC, but I could not find the root cause. 192.168.0.5 is the IP of my WiFi connection. Just a reminder: my app and the DCOM server are on the same machine.

C:\Users\Admin\code\impacket\examples>rpcmap.py ncacn_ip_tcp:192.168.0.5[135]
Impacket v0.10.1.dev1+20230413.195351.6328a9b7 - Copyright 2022 Fortra

[-] Protocol failed: rpc_s_access_denied
[-] This usually means the credentials on the MSRPC level are invalid!


C:\Users\Admin\code\impacket\examples>rpcdump.py 192.168.0.5
Impacket v0.10.1.dev1+20230413.195351.6328a9b7 - Copyright 2022 Fortra

[*] Retrieving endpoint list from 192.168.0.5
....
....
[*] Received 354 endpoints.

@pgharron Sorry for interrupting you, but maybe you could point me to where to search for the RPC root cause?

Thanks in advance

pgharron commented 1 year ago

No problem, sorry I can't be of more help.

As I mentioned my experience with the j-interop library is very limited.

I have tried the same tools, rpcdump and rpcmap, and they work for me - albeit not on the same server but over our network to a Windows 2019 server in Azure, from my Linux workstation.

Are you running a Windows 2022 server? I couldn't make a connection the last time I tried, and decided to use Windows 2019 instead.

Phil

devaskim commented 1 year ago

I am on Windows 10 Pro 22H2 and Windows 7

pgharron commented 1 year ago

Could you try another machine?

devaskim commented 1 year ago

Do you mean Windows Server instead of the desktop version? Because the customer wants to use only Windows and to run both our application and the OPC DA server on the same machine.

pgharron commented 1 year ago

Well, just as a sanity check to see if it's that particular version of Windows/desktop combination.

pgharron commented 1 year ago

Hi @devaskim , did you have any success?

devaskim commented 1 year ago

@pgharron No, still no success. But I got a lot of useful information from a skilled guy on SO.

In a nutshell, the Java process should somehow call the native CoInitializeSecurity API. Alternatively, there is a possibility to do the same via the Windows Registry.

So now I am reading a lot of Windows manuals and experimenting....
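As an added diagnostic (not from this thread or the j-interop-ng project), the PowerShell below reads the DCOM hardening settings that the "Windows Registry" route above refers to and pulls the related DCOM events, so a defender can see which side is enforcing the level before changing anything. The CLSID is the one posted earlier in the issue; the registry value names and event IDs are those Microsoft documents for the DCOM hardening (KB5004442), and the script assumes it is run in an elevated prompt on the machine hosting the DCOM server.

```powershell
# Added example: inspect DCOM authentication-level configuration and hardening events.
$ole = 'HKLM:\SOFTWARE\Microsoft\Ole'

# Process-wide default for clients that never call CoInitializeSecurity.
# 5 = RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, 6 = RPC_C_AUTHN_LEVEL_PKT_PRIVACY.
$legacy = (Get-ItemProperty -Path $ole -Name LegacyAuthenticationLevel -ErrorAction SilentlyContinue).LegacyAuthenticationLevel
'LegacyAuthenticationLevel: ' + $(if ($null -eq $legacy) { '<not set, OS default applies>' } else { $legacy })

# Server-side hardening switch: 0 = hardening disabled, 1 = enforced; absent = default for the current rollout phase.
$appCompat = Join-Path $ole 'AppCompat'
$require = (Get-ItemProperty -Path $appCompat -Name RequireIntegrityActivationAuthenticationLevel -ErrorAction SilentlyContinue).RequireIntegrityActivationAuthenticationLevel
'RequireIntegrityActivationAuthenticationLevel: ' + $(if ($null -eq $require) { '<not set>' } else { $require })

# Per-AppID override for the target server (CLSID from the issue). An AuthenticationLevel
# on the AppID key takes precedence over the process default for that server only.
$clsid = '{F8582CF2-88FB-11D0-B850-00C0F0104305}'
$appId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -Name AppID -ErrorAction SilentlyContinue).AppID
if ($appId) {
    $lvl = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\AppID\$appId" -Name AuthenticationLevel -ErrorAction SilentlyContinue).AuthenticationLevel
    "AppID $appId AuthenticationLevel: " + $(if ($null -eq $lvl) { '<not set>' } else { $lvl })
} else {
    "CLSID $clsid has no AppID registered on this machine"
}

# Hardening events: 10036 is logged on the server side (the message quoted in the issue),
# 10037/10038 on the client side when an explicit or default level is below PKT_INTEGRITY.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10036, 10037, 10038 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Only 10036 entries mean the server rejected a client that never raised its own level; client-side 10037/10038 entries on the same box mean the fix belongs in the client configuration.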

pgharron commented 1 year ago

Good luck! I wonder if there is any way to spoof your machine/WiFi as localhost/127.0.0.1? Might be way off track here...

duduyoyo commented 4 months ago

Based on this link, j-interop doesn't have a fix corresponding to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. MS changes the authentication level to it underneath even if you don't specify it in your code.

You mentioned Marticon Simulation Server, so I assume you are using a classic OPC server. For that reason, there is a solution that lets you use your preferred language to connect to a classic OPC server. So, you can use Java to retrieve OPC data without worrying about DCOM and its vulnerability issues anymore. Good luck!