
DCE/RPC Remote Procedure Call

asked 2020-01-22 18:16:32 +0000

h1ghchilled

updated 2020-01-23 15:23:24 +0000

Hey there,

I need some help from somebody who knows what's going on here. I researched a lot about DCE/RPC, but there is not very much detailed information available on the web. Maybe somebody here can give me some information on the following capture:

(no need to get too deep into details, but if you'd like to, you're welcome :)

*screenshot added:


No.     Time           Source                Destination           Protocol Length Info
     42 1495.384770518 *censored*        192.168.123.118       DCERPC   199    Ping: seq: 2274746402

Frame 42: 199 bytes on wire (1592 bits), 199 bytes captured (1592 bits) on interface 0
Linux cooked capture
Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118
User Datagram Protocol, Src Port: 27015, Dst Port: 27005
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Ping, Seq: 2274746402, Serial: 32836, Frag: 11049, FragLen: 4152

No.     Time           Source                Destination           Protocol Length Info
     43 1500.652624583 *censored*        192.168.123.118       DCERPC   213    Fault: seq: 2256318484: status: Unknown (0x05f6b8ce)

Frame 43: 213 bytes on wire (1704 bits), 213 bytes captured (1704 bits) on interface 0
Linux cooked capture
Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118
User Datagram Protocol, Src Port: 27015, Dst Port: 27005
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Fault, Seq: 2256318484, Serial: 4, Frag: 7608, FragLen: 13051

No.     Time           Source                Destination           Protocol Length Info
     44 1505.945566549 *censored*        192.168.123.118       DCERPC   295    Nocall: seq: 75521284

Frame 44: 295 bytes on wire (2360 bits), 295 bytes captured (2360 bits) on interface 0
Linux cooked capture
Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118
User Datagram Protocol, Src Port: 27015, Dst Port: 27005
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Nocall, Seq: 75521284, Serial: 32900, Frag: 38104, FragLen: 260

No.     Time           Source                Destination           Protocol Length Info
     45 1508.605860849 *censored*        192.168.123.118       DCERPC   273    Reject: seq: 997494462: status: Unknown (0x52ee2260)

Frame 45: 273 bytes on wire (2184 bits), 273 bytes captured (2184 bits) on interface 0
Linux cooked capture
Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118
User Datagram Protocol, Src Port: 27015, Dst Port: 27005
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Reject, Seq: 997494462, Serial: 32836, Frag: 24606, FragLen: 42051

No.     Time           Source                Destination           Protocol Length Info
     46 1511.268238242 *censored*        192.168.123.118       DCERPC   285    Ack: seq: 1399001244

Frame 46: 285 bytes on wire (2280 bits), 285 bytes captured (2280 bits) on interface 0
Linux cooked capture
Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118
User Datagram Protocol, Src Port: 27015, Dst Port: 27005
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Ack, Seq: 1399001244, Serial: 32879, Frag: 7880, FragLen: 51480

No.     Time           Source                Destination           Protocol Length Info
     47 1513.929900575 *censored*        192.168.123.118       DCERPC   302    Cl_cancel: seq: 3752523524

Frame 47: 302 bytes on wire (2416 bits), 302 bytes captured (2416 bits) on interface 0
Linux cooked capture
Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118 ...

Comments

*hint: It might be an exploit via the Steam client on these ports. It has nothing to do with a game or anything, and it appears randomly and unexpectedly. Maybe something non-public?

h1ghchilled ( 2020-01-23 15:05:12 +0000 )

1 Answer


answered 2020-01-24 03:37:57 +0000

Guy Harris

These might just be non-DCE RPC packets misidentified as DCE RPC because the heuristics Wireshark uses to recognize DCE RPC packets can get false positives (no heuristic is perfect), and those packets just happen to have the same values in certain locations that DCE RPC packets do.


Comments

Thank you for your answer. But how realistic is it that Wireshark misinterprets it like that:

The sequences from packet 1 (Fault) to packet 23 (Orphaned) always repeat in the same pattern. I mean, it clearly shows the seq. numbers and stuff. One day it doesn't happen, the next day it happens 2-3 times in a row (never more), if I'm online with Steam (in-game on a server). To me it rather looks like somebody/something tries to send an exploit (maybe targeting Windows machines) and realizes after 2-3 tries that it doesn't work. However, I can be wrong.

How to be sure?

h1ghchilled ( 2020-01-24 13:30:49 +0000 )
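To make the false-positive explanation concrete, and to give the "How to be sure?" question a check you can actually run, here is an added example. It is written for this page; it is not code from the question, the answer, or Wireshark. It re-applies the handful of conditions Wireshark's connectionless (UDP) DCE/RPC heuristic is understood to test before it claims a payload, then adds the sanity check the dissector does not perform: the declared FragLen against the number of bytes actually present in the datagram. The 80-byte header layout and field offsets follow the DCE 1.1 RPC connectionless PDU format. The two sample payloads, the interface and activity UUIDs, and the boot time are constructed for the example and are not taken from the poster's capture.

```python
import struct

CL_HEADER_LEN = 80  # every connectionless DCE/RPC PDU starts with an 80-byte header

# Packet types as Wireshark names them in the Info column (0..19 are the defined values)
CL_PTYPE_NAMES = {
    0: "Request", 1: "Ping", 2: "Response", 3: "Fault", 4: "Working",
    5: "Nocall", 6: "Reject", 7: "Ack", 8: "Cl_cancel", 9: "Fack",
    10: "Cancel_ack", 11: "Bind", 12: "Bind_ack", 13: "Bind_nak",
    14: "Alter_context", 15: "Alter_context_resp", 16: "AUTH3",
    17: "Shutdown", 18: "CO_cancel", 19: "Orphaned",
}


def wireshark_cl_heuristic(payload: bytes) -> bool:
    """The weak tests the UDP heuristic applies; none of them looks past byte 5."""
    if len(payload) < CL_HEADER_LEN:
        return False
    rpc_vers, ptype, _flags1, flags2 = payload[0], payload[1], payload[2], payload[3]
    drep0, drep1 = payload[4], payload[5]
    if rpc_vers != 4:        # connectionless DCE/RPC is always protocol version 4
        return False
    if ptype > 19:           # packet type must be one of the 20 defined values
        return False
    if flags2 & 0xFC:        # bits 2..7 of flags2 are reserved and must be zero
        return False
    if drep0 & 0xEE:         # drep[0]: only the endianness and charset bits may be set
        return False
    if drep1 > 3:            # drep[1]: floating-point representation 0..3
        return False
    return True


def parse_cl_header(payload: bytes) -> dict:
    """Decode the fields Wireshark prints in its summary (Seq, Serial, Frag, FragLen)."""
    endian = "<" if payload[4] & 0x10 else ">"   # drep[0] bit 4 set => little-endian ints
    (seqnum,) = struct.unpack_from(endian + "I", payload, 64)
    opnum, ihint, ahint, fraglen, fragnum = struct.unpack_from(endian + "5H", payload, 68)
    return {
        "ptype": CL_PTYPE_NAMES.get(payload[1], "Unknown"),
        "seqnum": seqnum,
        "serial": (payload[7] << 8) | payload[79],  # serial_hi at offset 7, serial_lo at 79
        "opnum": opnum, "ihint": ihint, "ahint": ahint,
        "fraglen": fraglen,   # declared length of the body that follows the header
        "fragnum": fragnum,
    }


def fraglen_consistent(payload: bytes) -> bool:
    """A real fragment cannot declare more body bytes than the datagram carries.

    The frames in the question fail this: frame 42 is 199 bytes on the wire, so its UDP
    payload is at most 199 - 16 (Linux cooked) - 20 (IPv4) - 8 (UDP) = 155 bytes, i.e.
    a body of at most 75 bytes, yet Wireshark decoded FragLen as 4152."""
    return parse_cl_header(payload)["fraglen"] <= len(payload) - CL_HEADER_LEN


def classify(payload: bytes) -> str:
    """Verdict: 'not-dcerpc', 'false-positive' (heuristic hit, bogus length) or 'dcerpc'."""
    if not wireshark_cl_heuristic(payload):
        return "not-dcerpc"
    if not fraglen_consistent(payload):
        return "false-positive"
    return "dcerpc"


def build_cl_pdu(ptype: int, seqnum: int, body: bytes = b"", serial: int = 1) -> bytes:
    """Constructed, well-formed little-endian CL PDU (nil object UUID, made-up interface
    and activity UUIDs and boot time; hypothetical values, not a real interface)."""
    header = struct.pack(
        "<BBBB3sB16s16s16sIIIHHHHHBB",
        4, ptype, 0x00, 0x00, b"\x10\x00\x00", (serial >> 8) & 0xFF,
        bytes(16),                    # object UUID (nil)
        bytes(range(0xA0, 0xB0)),     # interface UUID (constructed)
        bytes(range(0xC0, 0xD0)),     # activity UUID (constructed)
        0x5E2A0000,                   # server boot time (constructed)
        1,                            # interface version
        seqnum,
        0,                            # opnum
        0xFFFF, 0xFFFF,               # ihint, ahint: "no hint"
        len(body),                    # len: body length
        0,                            # fragnum
        0,                            # auth_proto: none
        serial & 0xFF,
    )
    assert len(header) == CL_HEADER_LEN
    return header + body


# Constructed samples: a genuine Ping, and a 155-byte non-RPC datagram whose first bytes
# happen to satisfy every heuristic test (version 4, type 1 = Ping, clean flags and drep).
GENUINE_PING = build_cl_pdu(ptype=1, seqnum=2274746402, serial=32836)
LOOKALIKE = b"\x04\x01\x00\x00\x10\x00\x00\x80" + bytes(range(8, 155))

if __name__ == "__main__":
    for name, pdu in (("genuine", GENUINE_PING), ("lookalike", LOOKALIKE)):
        print(name, classify(pdu), parse_cl_header(pdu))
```

The constructed lookalike passes every heuristic test and is decoded as a Ping, but its declared body length is far larger than the 75 bytes it carries, which is the same signature as the frames in the question (a 199-byte frame cannot hold a 4152-byte fragment, nor a 285-byte frame a 51480-byte one). Serial values that jump between 4, 32836, 32879 and 32900 and a mix of Ping, Fault, Nocall, Reject, Ack and Cl_cancel all arriving from one source with no request in sight are what a byte-pattern coincidence looks like, not an RPC conversation. Wireshark lets you test the same hypothesis without code: disable the DCE/RPC-over-UDP heuristic dissector under Analyze > Enabled Protocols and see whether the packets then decode as whatever protocol the poster's Steam traffic is actually using on ports 27005/27015.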
