hacktricks/network-services-pentesting/pentesting-rpcbind.md

# 111/TCP/UDP - Pentesting Portmapper

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>

{% embed url="https://websec.nl/" %}

## Basic Information

**Portmapper** je servis koji se koristi za mapiranje portova mrežnih servisa na **RPC** (Remote Procedure Call) brojeve programa. Deluje kao kritična komponenta u **Unix-baziranim sistemima**, olakšavajući razmenu informacija između ovih sistema. **Port** povezan sa **Portmapper**-om često skeniraju napadači jer može otkriti dragocene informacije. Ove informacije uključuju tip **Unix operativnog sistema (OS)** koji se koristi i detalje o servisima koji su dostupni na sistemu. Pored toga, **Portmapper** se obično koristi u kombinaciji sa **NFS (Network File System)**, **NIS (Network Information Service)** i drugim **RPC-baziranim servisima** za efikasno upravljanje mrežnim servisima.

**Podrazumevani port:** 111/TCP/UDP, 32771 u Oracle Solaris
```
PORT    STATE SERVICE
111/tcp open  rpcbind
```
## Enumeracija
```
rpcinfo irked.htb
nmap -sSUC -p111 192.168.10.1
```
Ponekad ne daje nikakve informacije, a u drugim prilikama dobićete nešto poput ovoga:

![](<../.gitbook/assets/image (553).png>)

### Shodan

* `port:111 portmap`

## RPCBind + NFS

Ako pronađete uslugu NFS, verovatno ćete moći da listate i preuzimate (i možda otpremate) fajlove:

![](<../.gitbook/assets/image (872).png>)

Pročitajte[ 2049 - Pentesting NFS service](nfs-service-pentesting.md) da biste saznali više o tome kako testirati ovaj protokol.

## NIS

Istraživanje **NIS** ranjivosti uključuje dvostepeni proces, počinjući sa identifikacijom usluge `ypbind`. Temelj ove eksploracije je otkrivanje **NIS domena**, bez kojeg je napredak zaustavljen.

![](<../.gitbook/assets/image (859).png>)

Putovanje istraživanjem počinje instalacijom potrebnih paketa (`apt-get install nis`). Sledeći korak zahteva korišćenje `ypwhich` za potvrdu prisutnosti NIS servera pingovanjem sa imenom domena i IP adresom servera, osiguravajući da su ovi elementi anonimni radi bezbednosti.

Zadnji i ključni korak uključuje komandu `ypcat` za ekstrakciju osetljivih podataka, posebno enkriptovanih korisničkih lozinki. Ove heširane vrednosti, kada se razbiju koristeći alate poput **John the Ripper**, otkrivaju uvide u pristup sistemu i privilegije.
```bash
# Install NIS tools
apt-get install nis
# Ping the NIS server to confirm its presence
ypwhich -d <domain-name> <server-ip>
# Extract user credentials
ypcat –d <domain-name> –h <server-ip> passwd.byname
```
### NIF datoteke

| **Glavna datoteka** | **Mapa(e)**                | **Napomene**                     |
| ------------------- | -------------------------- | --------------------------------- |
| /etc/hosts          | hosts.byname, hosts.byaddr | Sadrži imena hostova i IP detalje |
| /etc/passwd         | passwd.byname, passwd.byuid| NIS datoteka sa korisničkim lozinkama |
| /etc/group          | group.byname, group.bygid  | NIS datoteka grupa               |
| /usr/lib/aliases    | mail.aliases               | Detalji o mail aliasima          |

## RPC Korisnici

Ako pronađete **rusersd** servis naveden ovako:

![](<../.gitbook/assets/image (1041).png>)

Možete enumerisati korisnike na mašini. Da biste saznali kako, pročitajte [1026 - Pentesting Rsusersd](1026-pentesting-rusersd.md).

## Zaobilaženje filtriranog Portmapper porta

Kada sprovodite **nmap skeniranje** i otkrijete otvorene NFS portove sa filtriranim portom 111, direktna eksploatacija ovih portova nije moguća. Međutim, simulacijom portmapper servisa lokalno i kreiranjem tunela sa vaše mašine ka cilju, eksploatacija postaje moguća korišćenjem standardnih alata. Ova tehnika omogućava zaobilaženje filtriranog stanja porta 111, čime se omogućava pristup NFS servisima. Za detaljna uputstva o ovoj metodi, pogledajte članak dostupan na [ovoj vezi](https://medium.com/@sebnemK/how-to-bypass-filtered-portmapper-port-111-27cee52416bc).

## Shodan

* `Portmap`

## Laboratorije za vežbanje

* Vežbajte ove tehnike na [**Irked HTB mašini**](https://app.hackthebox.com/machines/Irked).

<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>

{% embed url="https://websec.nl/" %}

## HackTricks Automatske Komande
```
Protocol_Name: Portmapper    #Protocol Abbreviation if there is one.
Port_Number:  43     #Comma separated if there is more than one.
Protocol_Description: PM or RPCBind        #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for PortMapper
Note: |
Portmapper is a service that is utilized for mapping network service ports to RPC (Remote Procedure Call) program numbers. It acts as a critical component in Unix-based systems, facilitating the exchange of information between these systems. The port associated with Portmapper is frequently scanned by attackers as it can reveal valuable information. This information includes the type of Unix Operating System (OS) running and details about the services that are available on the system. Additionally, Portmapper is commonly used in conjunction with NFS (Network File System), NIS (Network Information Service), and other RPC-based services to manage network services effectively.

https://book.hacktricks.xyz/pentesting/pentesting-rpcbind

Entry_2:
Name: rpc info
Description: May give netstat-type info
Command: whois -h {IP} -p 43 {Domain_Name} && echo {Domain_Name} | nc -vn {IP} 43

Entry_3:
Name: nmap
Description: May give netstat-type info
Command: nmap -sSUC -p 111 {IP}
```
{% hint style="success" %}
Učite i vežbajte AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Učite i vežbajte GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Podržite HackTricks</summary>

* Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
* **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.

</details>
{% endhint %}