oiweiwei/go-msrpc

go-msrpc

MS-RPC/DCOM client library for Go. Implements the Microsoft Extension of C706: DCE/RPC 1.1 and includes ready-to-use generated stubs for all major Windows RPC and DCOM protocols: Netlogon, Windows Registry, Eventlog, WMI (query, exec), DCOM/OXID, and many more.

Installation

go get github.com/oiweiwei/go-msrpc

Quick Start

package main

import (
    "context"
    "fmt"

    "github.com/oiweiwei/go-msrpc/dcerpc"
    "github.com/oiweiwei/go-msrpc/msrpc/rrp/winreg/v1"
    "github.com/oiweiwei/go-msrpc/ssp"
    "github.com/oiweiwei/go-msrpc/ssp/credential"
    "github.com/oiweiwei/go-msrpc/ssp/gssapi"

    _ "github.com/oiweiwei/go-msrpc/msrpc/erref/win32"
)

func main() {
    ctx := gssapi.NewSecurityContext(context.Background(),
        gssapi.WithCredential(credential.NewFromPassword("DOMAIN\\User", "password")),
        gssapi.WithMechanismFactory(ssp.SPNEGO),
        gssapi.WithMechanismFactory(ssp.NTLM),
    )

    // connect to server
    cc, err := dcerpc.Dial(ctx, "192.168.1.1", dcerpc.WithEndpoint("ncacn_np:[winreg]"))
    if err != nil {
        panic(err)
    }

    // create protocol client (MS-RRP)
    cli, err := winreg.NewWinregClient(ctx, cc, dcerpc.WithSeal())
    if err != nil {
        panic(err)
    }

    // make RPC call
    resp, err := cli.OpenLocalMachine(ctx, &winreg.OpenLocalMachineRequest{
        DesiredAccess: winreg.KeyRead,
    })
    if err != nil {
        panic(err)
    }

    fmt.Printf("HKLM handle: %v\n", resp.Key)
}

See examples/samples_with_config and the msrpc package documentation.

# Using string binding format
go run examples/samples_with_config/dnsp.go Administrator%P@ssw0rd@ncacn_ip_tcp:dc01.msad.local[privacy,spnego,krb5]

go run examples/samples_with_config/wmic.go Administrator%P@ssw0rd@ncacn_ip_tcp:dc01.msad.local[privacy,spnego,krb5] \
    --query "SELECT * FROM Win32_ComputerSystem"

# Using explicit flags
go run examples/samples_with_config/dnsp.go \
    --username=Administrator \
    --domain=MSAD.LOCAL \
    --password=P@ssw0rd \
    --auth-level=privacy \
    --auth-spnego \
    --auth-type=krb5 \
    --server=dc01.msad.local
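The string binding form used by the commands above packs credentials, transport, host and authentication options into one argument. The following parser is an added example, not code from go-msrpc and not the library's own binding parser: its grammar is inferred from the two sample invocations above and from the `ncacn_np:[winreg]` endpoint in the Quick Start, so the keyword set (auth levels `connect`, `call`, `pkt`, `integrity`, `privacy`; mechanisms `spnego`, `ntlm`, `krb5`) and the rule that any other bracketed item is the C706-style endpoint are assumptions. It also reports the two things worth checking before such a command is run: whether the auth level actually seals the traffic (`privacy`) and whether a password is embedded in the binding, where it lands in shell history and process listings.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Binding is the parsed form of a go-msrpc style string binding, e.g.
//   Administrator%P@ssw0rd@ncacn_ip_tcp:dc01.msad.local[privacy,spnego,krb5]
//   ncacn_np:[winreg]
// The grammar is inferred from the README samples and is an assumption, not
// the library's own parser:
//   [user[%password]@]protocol:[host][[item,item,...]]
// A bracketed item that is a known auth keyword is an option; any other item
// is taken as the endpoint (pipe name or port), as in C706 string bindings.
type Binding struct {
	User     string
	Password string
	Protocol string   // ncacn_ip_tcp, ncacn_np, ...
	Host     string   // may be empty: the Quick Start passes the server to Dial separately
	Endpoint string   // e.g. "winreg" or "135"
	Options  []string // auth level / negotiation / mechanism keywords
}

// Keyword sets recognised by this example (assumed, modelled on the README
// samples and the MS-RPCE authentication levels).
var authLevels = map[string]bool{"connect": true, "call": true, "pkt": true, "integrity": true, "privacy": true}
var authMechs = map[string]bool{"spnego": true, "ntlm": true, "krb5": true}

// ParseStringBinding splits a string binding into its parts. The password may
// itself contain '@' (P@ssw0rd), so the credential/binding split is made at the
// last '@' and the user/password split at the first '%'.
func ParseStringBinding(s string) (*Binding, error) {
	b := &Binding{}
	rest := s
	if i := strings.LastIndex(s, "@"); i >= 0 {
		cred := s[:i]
		rest = s[i+1:]
		if j := strings.Index(cred, "%"); j >= 0 {
			b.User, b.Password = cred[:j], cred[j+1:]
		} else {
			b.User = cred
		}
	}
	if i := strings.Index(rest, "["); i >= 0 {
		if !strings.HasSuffix(rest, "]") {
			return nil, errors.New("unterminated '[' in string binding")
		}
		for _, item := range strings.Split(rest[i+1:len(rest)-1], ",") {
			item = strings.TrimSpace(item)
			switch {
			case item == "":
				continue
			case authLevels[item] || authMechs[item]:
				b.Options = append(b.Options, item)
			case b.Endpoint == "":
				b.Endpoint = item
			default:
				return nil, fmt.Errorf("unknown option %q", item)
			}
		}
		rest = rest[:i]
	}
	proto, host, ok := strings.Cut(rest, ":")
	if !ok || proto == "" {
		return nil, fmt.Errorf("expected protocol:host, got %q", rest)
	}
	b.Protocol, b.Host = proto, host
	return b, nil
}

// AuthLevel returns the requested authentication level, or "" if none was given.
func (b *Binding) AuthLevel() string {
	for _, o := range b.Options {
		if authLevels[o] {
			return o
		}
	}
	return ""
}

// Warnings lists what a reviewer would flag before using the binding: any level
// below "privacy" leaves RPC payloads (registry values, WMI results, ...)
// readable on the wire, and a password in the argument is exposed to shell
// history and process listings.
func (b *Binding) Warnings() []string {
	var w []string
	if b.AuthLevel() != "privacy" {
		w = append(w, "auth level is not privacy: traffic is not sealed")
	}
	if b.Password != "" {
		w = append(w, "password embedded in binding: visible in shell history and process list")
	}
	return w
}

func main() {
	// Constructed inputs: the two README samples.
	for _, s := range []string{
		"Administrator%P@ssw0rd@ncacn_ip_tcp:dc01.msad.local[privacy,spnego,krb5]",
		"ncacn_np:[winreg]",
	} {
		b, err := ParseStringBinding(s)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s -> user=%q proto=%s host=%q endpoint=%q options=%v\n",
			s, b.User, b.Protocol, b.Host, b.Endpoint, b.Options)
		for _, w := range b.Warnings() {
			fmt.Println("  warning:", w)
		}
	}
}
```

Splitting at the last `@` rather than the first is what keeps `P@ssw0rd` intact; the trade-off is that a host name can never contain `@`, which holds for the transports listed on this page.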

Older examples in examples/ use environment variables instead:

Variable Description Example
USERNAME Domain\Username "MSAD2.COM\User"
PASSWORD Password "password"
PASSWORD_MD4 NT hash (generate with nt_hash.go) "f077ca4b7d73486a45e75dcdd74cd5bd"
WORKSTATION Workstation name "Ubuntu"
SERVER Server FQDN or IP "192.168.0.22"
SERVER_NAME Server NetBIOS name "WIN2019"
SERVER_HOST Server FQDN "my-server.win2019.com"
SAM_USERNAME Machine account name (see netlogon_sec_channel.go) "COMPUTER$"
SAM_PASSWORD Machine account password "password"
SAM_WORKSTATION Machine account workstation "COMPUTER"
TARGET Kerberos SPN "host/my-server.win2019.com"
KRB5_CONFIG Kerberos config path "/path/to/krb5.conf"

Tip: RedTeamPentesting/adauth integrates well with this library and provides a convenient way to handle Active Directory authentication (Kerberos, NTLM, pass-the-hash, PKINIT) from command-line tools.

Code Generation

Note: The IDL parser and code generator have moved to github.com/oiweiwei/midl-gen-go.

Run make all to regenerate all stubs, or make nrpc.go to regenerate a specific IDL.

To add a new IDL file, place it in idl/ (or idl/dcom/ for DCOM), then update the all target in the Makefile.

Features

DCE/RPC v5 Client (dcerpc package)

  • Transfer Syntax: NDR 2.0 and NDR64
  • Transports: Named Pipe (SMB2/3) and TCP
  • Connection multiplexing: multiple clients over a single connection
  • Multiple connections per association group, with shared context handles
  • Verification trailer support
  • Kerberos, Netlogon, NTLM, SPNEGO authentication
  • Endpoint mapper and string binding support
  • Basic DCOM support
  • Eventlog BinXML parser
  • WMIO object marshaler/unmarshaler

MS-RPCE Extensions

  • Security Context Multiplexing
  • Bind-time Feature Negotiation
  • Header Signing
  • NDR64

GSS-API / SSP (ssp package)

GSS-API interface definitions live in ssp/gssapi. The ssp package implements the following security providers:

  • Kerberos (via jcmturner/gokrb5 fork):
    • Encryption: RC4-HMAC, DES-CBC-MD5, DES-CBC-CRC, AES128-CTS-HMAC-SHA1, AES256-CTS-HMAC-SHA1
    • DCE-style AP Request/Reply
    • Mutual and non-mutual authentication
    • Wrap/GetMic-Ex methods
  • NTLM: NTLMv1 and NTLMv2
  • Netlogon: RC4-HMAC and AES-SHA2
  • SPNEGO: MechListMIC and NegTokenInit2

SMB2 Client

Based on the hirochachacha/go-smb2 fork, with the following additions:

  • Force-encryption support
  • Kerberos/NTLM integration via ssp/gssapi
  • Fix for NT_STATUS_PENDING
  • Keying material export (Application Key, Session Key)

Generated Stubs

RPC Protocols

Spec Description Package
MS-ADTS Active Directory Technical Specification: Claims msrpc/adts
MS-BKRP BackupKey Remote Protocol msrpc/bkrp
MS-BPAU BITS Peer-Caching: Peer Authentication Protocol msrpc/bpau
MS-BRWSA CIFS Browser Auxiliary Protocol msrpc/brwsa
MS-CAPR Central Access Policy ID Retrieval Protocol msrpc/capr
MS-CMPO MSDTC Connection Manager: OleTx Transports Protocol msrpc/cmpo
MS-CMRP Failover Cluster: Management API (ClusAPI) Protocol msrpc/cmrp
MS-DFSNM DFS Namespace Management Protocol msrpc/dfsnm
MS-DHCPM DHCP Server Management Protocol msrpc/dhcpm
MS-DLTM Distributed Link Tracking: Central Manager Protocol msrpc/dltm
MS-DLTW Distributed Link Tracking: Workstation Protocol msrpc/dltw
MS-DNSP DNS Server Management Protocol msrpc/dnsp
MS-DRSR Directory Replication Service (DRS) Remote Protocol msrpc/drsr
MS-DSSP Directory Services Setup Remote Protocol msrpc/dssp
MS-DTYP Windows Data Types msrpc/dtyp
MS-EERR ExtendedError Remote Data Structure msrpc/eerr
MS-EFSR Encrypting File System Remote (EFSRPC) Protocol msrpc/efsr
MS-ERREF Windows Error Codes msrpc/erref
MS-EVEN6-BINXML EventLog BinXML encoding msrpc/binxml
MS-EVEN6 EventLog Remoting Protocol Version 6.0 msrpc/even6
MS-EVEN EventLog Remoting Protocol msrpc/even
MS-FASP Firewall and Advanced Security Protocol msrpc/fasp
MS-FAX Fax Server and Client Remote Protocol msrpc/fax
MS-FRS1 File Replication Service (FRS) Remote Protocol msrpc/frs1
MS-FSR2 File Replication Service (FRS) Remote Protocol Version 2 msrpc/frs2
MS-ICPR ICertPassage Remote Protocol msrpc/icpr
MS-IRP IIS Inetinfo Remote Protocol msrpc/irp
MS-LREC Live Remote Event Capture (LREC) Protocol msrpc/lrec
MS-LSAD Local Security Authority (Domain Policy) Remote Protocol msrpc/lsad
MS-LSAT Local Security Authority (Translation Methods) Remote Protocol msrpc/lsat
MS-MQDS MSMQ: Directory Service Protocol msrpc/mqds
MS-MQMP MSMQ: Queue Manager Client Protocol msrpc/mqmp
MS-MQMQ MSMQ: Data Structures msrpc/mqmq
MS-MQMR MSMQ: Queue Manager Management Protocol msrpc/mqmr
MS-MQQP MSMQ: Queue Manager to Queue Manager Protocol msrpc/mqqp
MS-MQRR MSMQ: Queue Manager Remote Read Protocol msrpc/mqrr
MS-MSRP Messenger Service Remote Protocol msrpc/msrp
MS-NEGOEX SPNEGO Extended Negotiation (NEGOEX) Security Mechanism msrpc/negoex
MS-NRPC-SECCHANNEL Netlogon Secure Channel msrpc/nrpc
MS-NRPC Netlogon Remote Protocol msrpc/nrpc
MS-NSPI Name Service Provider Interface (NSPI) Protocol msrpc/nspi
MS-OXABREF Address Book NSPI Referral Protocol -
MS-OXCRPC Wire Format Protocol msrpc/oxcrpc
MS-OXNSPI Exchange NSPI Protocol msrpc/nspi
MS-PAC Privilege Attribute Certificate Data Structure msrpc/pac
MS-PAN Print System Asynchronous Notification Protocol msrpc/pan
MS-PAR Print System Asynchronous Remote Protocol msrpc/par
MS-PCQ Performance Counter Query Protocol msrpc/pcq
MS-RAA Remote Authorization API Protocol msrpc/raa
MS-RAIW Remote Administrative Interface: WINS msrpc/raiw
MS-RPCE-EPM / C706-EPM Endpoint Mapper msrpc/epm
MS-RPCL RPC Location Services Extensions msrpc/rpcl
MS-RPRN Print System Remote Protocol msrpc/rprn
MS-RRP Windows Remote Registry Protocol msrpc/rrp
MS-RSP Remote Shutdown Protocol msrpc/rsp
MS-SAMR Security Account Manager (SAM) Remote Protocol msrpc/samr
MS-SCH Task Scheduler Service Remoting Protocol msrpc/sch
MS-SCMR Service Control Manager Remote Protocol msrpc/scmr
MS-SRVS Server Service Remote Protocol msrpc/srvs
MS-SSP Single Sign-On Protocol msrpc/ssp
MS-SWN Service Witness Protocol msrpc/swn
MS-TRP Telephony Remote Protocol msrpc/trp
MS-TSCH Task Scheduler Service Remoting Protocol msrpc/tsch
MS-TSGU Terminal Services Gateway Server Protocol msrpc/tsgu
MS-TSTS Terminal Services Runtime Interface Protocol msrpc/tsts
MS-W32T W32Time Remote Protocol msrpc/w32t
MS-WDSC Windows Deployment Services Control Protocol msrpc/wdsc
MS-WKST Workstation Service Remote Protocol msrpc/wkst

DCOM Protocols

Spec Description Package
MC-CCFG Server Cluster: Configuration (ClusCfg) Protocol msrpc/dcom/ccfg
MC-IISA IIS Application Host COM Protocol msrpc/dcom/iisa
MC-MQAC MSMQ: ActiveX Client Protocol msrpc/dcom/mqac
MS-ADTG Remote Data Services (RDS) Transport Protocol msrpc/dcom/adtg
MS-COMA COM+ Remote Administration Protocol msrpc/dcom/coma
MS-COMEV COM+ Event System Protocol msrpc/dcom/comev
MS-COMT COM+ Tracker Service Protocol msrpc/dcom/comt
MS-COM Component Object Model Plus (COM+) Protocol msrpc/dcom/com
MS-CSRA Certificate Services Remote Administration Protocol msrpc/dcom/csra
MS-CSVP Failover Cluster: Setup and Validation Protocol (ClusPrep) msrpc/dcom/csvp
MS-DCOM Distributed Component Object Model (DCOM) Remote Protocol msrpc/dcom
MS-DFSRH DFS Replication Helper Protocol msrpc/dcom/dfsrh
MS-DMRP Disk Management Remote Protocol msrpc/dcom/dmrp
MS-FSRM File Server Resource Manager Protocol msrpc/dcom/fsrm
MS-IISS IIS ServiceControl Protocol msrpc/dcom/iiss
MS-IMSA IIS IMSAdminBaseW Remote Protocol msrpc/dcom/imsa
MS-IOI IManagedObject Interface Protocol msrpc/dcom/ioi
MS-OAUT OLE Automation Protocol msrpc/dcom/oaut
MS-OCSPA Microsoft OCSP Administration Protocol msrpc/dcom/ocspa
MS-PLA Performance Logs and Alerts Protocol msrpc/dcom/pla
MS-RAI Remote Assistance Initiation Protocol msrpc/dcom/rai
MS-RDPESC RDP: Smart Card Virtual Channel Extension msrpc/dcom/rdpesc
MS-RRASM RRAS Management Protocol msrpc/dcom/rrasm
MS-RSMP Removable Storage Manager (RSM) Remote Protocol msrpc/dcom/rsmp
MS-SCMP Shadow Copy Management Protocol msrpc/dcom/scmp
MS-TPMVSC TPM Virtual Smart Card Remote Protocol msrpc/dcom/tpmvsc
MS-UAMG Update Agent Management Protocol msrpc/dcom/uamg
MS-VDS Virtual Disk Service (VDS) Protocol msrpc/dcom/vds
MS-WCCE Windows Client Certificate Enrollment Protocol msrpc/dcom/wcce
MS-WMIO WMI Encoding Version 1.0 Protocol msrpc/dcom/wmio
MS-WMI Windows Management Instrumentation Remote Protocol msrpc/dcom/wmi
MS-WSRM Windows System Resource Manager (WSRM) Protocol msrpc/dcom/wsrm

Other

Spec Description Package
MIMICOM Mimikatz COM Interface msrpc/mimicom

Documentation

Generated code includes documentation pulled from the MSDN portal. Accuracy may vary due to inconsistencies in the upstream HTML source.

Open Questions

  • Why does IObjectExporter not support NDR64?
  • Why does the server return indistinguishable pointers for NDR64?
  • Why does SMB2 not support certain auth levels (e.g. Winreg supports only Insecure and Privacy)?

References

Contributing

Open an issue before submitting a PR. The project is still maturing and there are likely undiscovered bugs.

About

Go client library for Windows MS-RPC and DCOM: DCE/RPC v5, NDR/NDR64, Kerberos/NTLM/SPNEGO, SMB2, and generated stubs for 100+ Windows protocols