Uninformed: Informative Information for the Uninformed

Vol 2» 2005.Sept


DCERPC SrvSvc NetrRemoteTOD

One approach that can be taken to obtain very granular information about the current system time of a target machine is to use the SrvSvc's NetrRemoteTOD request. To transmit this request to a target machine, a NULL session (or authenticated session) must be established using the standard Session Setup AndX SMB request. After that, a Tree Connect AndX to the IPC$ share should be issued. From there, an NT Create AndX request can be issued on the \srvsvc named pipe. Once the request is handled successfully, the file descriptor returned can be used for the DCERPC bind request to the SrvSvc's UUID. Finally, once the bind request has completed successfully, a NetrRemoteTOD request can be transacted over the named pipe using a TransactNmPipe request. The response to this request should contain very granular information, such as day, hour, minute, second, and timezone, as well as other fields that are needed to determine the target machine's system time. The figure below shows a sample response.
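As an added example (not code from the article), the following Python decoder handles the two DCERPC PDUs that the exchange above produces: it extracts the opnum from the request PDU (NetrRemoteTOD is opnum 28 in the SrvSvc interface, UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188) and unpacks the TIME_OF_DAY_INFO structure from the response, which is what an analyst decoding a captured null-session query against \srvsvc would need. The PDU bytes are constructed inline rather than captured from a real host, the field layouts follow MS-RPCE (PDU headers) and MS-SRVS (TIME_OF_DAY_INFO), and the cross-check assumes the broken-down hour/minute/second fields are expressed in UTC (as Samba fills them) so they can be compared against tod_elapsedt; that assumption is mine, not the article's.

```python
"""Decode a NetrRemoteTOD request/response pair (SrvSvc opnum 28).

Added example for this page, not code from the Uninformed article. Wire
layouts follow C706 / MS-RPCE for the PDU headers and MS-SRVS for the
TIME_OF_DAY_INFO structure. The sample PDUs are constructed, not captured.
"""
import struct
from datetime import datetime, timedelta, timezone

SRVSVC_UUID = "4b324fc8-1670-01d3-1278-5a47bf6ee188"  # SrvSvc interface UUID (MS-SRVS)
NETR_REMOTE_TOD_OPNUM = 28                             # NetrRemoteTOD opnum in that interface
PTYPE_REQUEST, PTYPE_RESPONSE = 0, 2                   # DCERPC packet types

# TIME_OF_DAY_INFO: twelve 32-bit fields; tod_timezone is signed (minutes west of UTC)
TOD_STRUCT = struct.Struct("<IIIIIIiIIIII")
TOD_FIELDS = ("elapsedt", "msecs", "hours", "mins", "secs", "hunds",
              "timezone", "tinterval", "day", "month", "year", "weekday")


def _common_header(pdu: bytes) -> tuple:
    """Parse the 16-byte common DCERPC header; only little-endian integer rep is handled."""
    if len(pdu) < 16:
        raise ValueError("PDU shorter than the common header")
    ver, minor, ptype, flags, drep0, frag_len, auth_len, call_id = \
        struct.unpack_from("<BBBBB3xHHI", pdu, 0)
    if ver != 5:
        raise ValueError(f"unsupported RPC major version {ver}")
    if (drep0 >> 4) != 1:  # high nibble of drep[0]: 1 = little-endian integers
        raise ValueError("big-endian data representation not handled here")
    if frag_len != len(pdu):
        raise ValueError("frag_len does not match the PDU length")
    return ptype, frag_len, auth_len, call_id


def request_opnum(pdu: bytes) -> int:
    """Opnum of a request PDU: it sits at offset 22, after alloc_hint and context_id."""
    ptype, _, _, _ = _common_header(pdu)
    if ptype != PTYPE_REQUEST:
        raise ValueError("not a request PDU")
    return struct.unpack_from("<H", pdu, 22)[0]


def parse_remote_tod_response(pdu: bytes) -> dict:
    """Decode the stub of a NetrRemoteTOD response: unique pointer, struct, NET_API_STATUS."""
    ptype, frag_len, auth_len, call_id = _common_header(pdu)
    if ptype != PTYPE_RESPONSE:
        raise ValueError("not a response PDU")
    stub = pdu[24:frag_len - auth_len]  # 24 = common header + alloc_hint/ctx_id/cancel_count/pad
    referent = struct.unpack_from("<I", stub, 0)[0]
    if referent == 0:                   # NULL pointer: the server returned no structure
        status = struct.unpack_from("<I", stub, 4)[0]
        return {"call_id": call_id, "status": status, "tod": None}
    if len(stub) < 4 + TOD_STRUCT.size + 4:
        raise ValueError("stub too short for TIME_OF_DAY_INFO")
    tod = dict(zip(TOD_FIELDS, TOD_STRUCT.unpack_from(stub, 4)))
    status = struct.unpack_from("<I", stub, 4 + TOD_STRUCT.size)[0]
    return {"call_id": call_id, "status": status, "tod": tod}


def server_clock(tod: dict) -> dict:
    """Derive UTC and server-local time from the structure and cross-check its fields."""
    utc = datetime.fromtimestamp(tod["elapsedt"], tz=timezone.utc) \
        + timedelta(microseconds=tod["hunds"] * 10_000)       # tod_hunds = hundredths of a second
    local_tz = timezone(timedelta(minutes=-tod["timezone"]))  # spec: positive = west of UTC
    # Assumption: the broken-down fields are in UTC, so they must agree with tod_elapsedt.
    broken_down = datetime(tod["year"], tod["month"], tod["day"],
                           tod["hours"], tod["mins"], tod["secs"], tzinfo=timezone.utc)
    return {
        "utc": utc,
        "local": utc.astimezone(local_tz),
        "tick_seconds": tod["tinterval"] / 10_000,            # tod_tinterval: units of 0.0001 s
        "fields_consistent": broken_down == utc.replace(microsecond=0),
    }


def build_sample_request(call_id: int = 1) -> bytes:
    """Constructed NetrRemoteTOD request PDU with a NULL ServerName pointer (sample input only)."""
    stub = struct.pack("<I", 0)                               # unique pointer, referent 0 = NULL
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_REQUEST, 0x03, b"\x10\x00\x00\x00",
                      24 + len(stub), 0, call_id)
    hdr += struct.pack("<IHH", len(stub), 0, NETR_REMOTE_TOD_OPNUM)  # alloc_hint, ctx_id, opnum
    return hdr + stub


def build_sample_response(call_id: int = 1) -> bytes:
    """Constructed response: 2005-09-17 23:33:20 UTC, zone 300 min west (sample input only)."""
    tod = TOD_STRUCT.pack(1127000000, 0, 23, 33, 20, 0, 300, 310, 17, 9, 2005, 6)
    stub = struct.pack("<I", 0x00020000) + tod + struct.pack("<I", 0)  # referent, struct, status
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_RESPONSE, 0x03, b"\x10\x00\x00\x00",
                      24 + len(stub), 0, call_id)
    hdr += struct.pack("<IHBx", len(stub), 0, 0)              # alloc_hint, ctx_id, cancel_count, pad
    return hdr + stub


if __name__ == "__main__":
    print("request opnum:", request_opnum(build_sample_request()))
    resp = parse_remote_tod_response(build_sample_response())
    print("status:", resp["status"], "clock:", server_clock(resp["tod"]))
```

Because the opnum alone does not identify the interface, a detection rule should tie opnum 28 to a context that was bound to SRVSVC_UUID in the preceding bind PDU; the decoder here only covers the request and response PDUs, and rejects big-endian data representations rather than mis-parsing them.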

This vector is very useful because it provides easy access to the complete state of a target machine's system time, which in turn can be used to calculate the windows of time during which a temporal address can be used during exploitation. The downside of this approach is that it requires access to the SMB ports (139 or 445), which will most likely be inaccessible to an attacker.

Figure: Example NetrRemoteTOD response
[Image: netrremotetod.png]