hacktricks/network-services-pentesting/pentesting-rpcbind.md
2024-02-10 17:52:19 +00:00


111/TCP/UDP - Pentesting Portmapper

htARTE (HackTricks AWS Red Team Expert)

Other ways to support HackTricks:

Basic Information

Portmapper is a service that maps RPC (Remote Procedure Call) program numbers to network service ports. It is a core component of Unix-based systems, facilitating the exchange of information between them. The Portmapper port is frequently scanned by attackers because it reveals valuable information: the type of Unix operating system that is running and which services are available on the system. Portmapper is commonly used in conjunction with NFS (Network File System), NIS (Network Information Service) and other RPC-based services.

Default port: 111/TCP/UDP, 32771 in Oracle Solaris

PORT    STATE SERVICE
111/tcp open  rpcbind

Enumeration

Port 111 - RPCbind

RPCbind (the current implementation of the portmapper) maps RPC (Remote Procedure Call) program numbers to the TCP/UDP ports their services listen on. RPC services register with it when they start, and clients ask it where a program lives before connecting to the service itself. It is common on Unix-like operating systems.

Enumerating RPCbind

To enumerate RPCbind, use the rpcinfo command, which queries the service for the list of registered RPC programs.

To list all registered RPC programs, run:

rpcinfo -p <target_ip>

Replace <target_ip> with the IP address of the target machine.

The output shows, for each registered program, the program number, version, transport protocol (tcp/udp), port and service name. Because the ports are returned by the portmapper itself, this also reveals services running on high, dynamically assigned ports that a default port scan would miss.
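The query that `rpcinfo -p` sends underneath, written out as an added Python example (this is not code from the original page or from rpcinfo itself). It encodes an ONC RPC CALL for portmapper program 100000, version 2, procedure 4 (PMAPPROC_DUMP), frames it for TCP, decodes the pmaplist in the REPLY and flags the services on this page worth following up. The reply builder exists only so the exchange can be shown offline with a constructed sample; the xid values and the target host given on the command line are assumptions.

```python
"""ONC RPC client for PMAPPROC_DUMP, the query behind `rpcinfo -p` (added example)."""
import socket
import struct
import sys

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
IPPROTO_TCP, IPPROTO_UDP = 6, 17

# Well-known program numbers from the standard rpc(5) table; anything else is
# reported numerically. WATCHLIST holds the services this page tells you to chase.
PROGRAM_NAMES = {100000: "portmapper", 100001: "rstatd", 100002: "rusersd",
                 100003: "nfs", 100004: "ypserv", 100005: "mountd",
                 100007: "ypbind", 100021: "nlockmgr", 100024: "status"}
WATCHLIST = {"nfs", "mountd", "ypserv", "ypbind", "rusersd"}


def build_dump_call(xid):
    """Encode an RPCv2 CALL (RFC 5531) for DUMP with AUTH_NONE cred and verifier."""
    header = struct.pack(">IIIIII", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP)
    auth = struct.pack(">IIII", 0, 0, 0, 0)    # cred flavor/len, verf flavor/len
    return header + auth


def frame_tcp(record):
    """Prefix the record mark used by RPC over TCP: last-fragment bit | length."""
    return struct.pack(">I", 0x80000000 | len(record)) + record


def build_dump_reply(mappings, xid):
    """Server side of the exchange: an accepted REPLY carrying a pmaplist.
    Used here only to build a constructed offline sample, not captured traffic."""
    out = struct.pack(">III", xid, 1, 0)        # xid, REPLY, MSG_ACCEPTED
    out += struct.pack(">II", 0, 0)             # verifier: AUTH_NONE, zero length
    out += struct.pack(">I", 0)                 # accept_stat: SUCCESS
    for mapping in mappings:                    # XDR list: "value follows" + entry
        out += struct.pack(">I", 1) + struct.pack(">IIII", *mapping)
    return out + struct.pack(">I", 0)           # end of list


def parse_dump_reply(data, expect_xid=None):
    """Decode a DUMP REPLY into (prog, vers, prot, port) tuples, rejecting errors."""
    xid, msg_type, reply_stat = struct.unpack_from(">III", data, 0)
    if msg_type != 1 or reply_stat != 0:
        raise ValueError("not an accepted RPC reply (msg_type=%d reply_stat=%d)"
                         % (msg_type, reply_stat))
    if expect_xid is not None and xid != expect_xid:
        raise ValueError("xid mismatch: got %#x, expected %#x" % (xid, expect_xid))
    _verf_flavor, verf_len = struct.unpack_from(">II", data, 12)
    off = 20 + ((verf_len + 3) & ~3)            # opaque verifier is padded to 4 bytes
    (accept_stat,) = struct.unpack_from(">I", data, off)
    if accept_stat != 0:
        raise ValueError("call rejected, accept_stat=%d" % accept_stat)
    off += 4
    mappings = []
    while True:
        (value_follows,) = struct.unpack_from(">I", data, off)
        off += 4
        if not value_follows:
            return mappings
        mappings.append(struct.unpack_from(">IIII", data, off))
        off += 16


def describe(mapping):
    """Render one entry the way `rpcinfo -p` does: program vers proto port service."""
    prog, vers, prot, port = mapping
    proto = {IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp"}.get(prot, str(prot))
    return "%d %d %s %d %s" % (prog, vers, proto, port, PROGRAM_NAMES.get(prog, "-"))


def interesting_services(mappings):
    """Names from WATCHLIST that the target has registered."""
    return {PROGRAM_NAMES.get(m[0], "") for m in mappings} & WATCHLIST


def _recv_record(sock):
    """Reassemble an RPC-over-TCP record that may span several fragments."""
    rfile, record = sock.makefile("rb"), b""
    while True:
        mark_bytes = rfile.read(4)
        if len(mark_bytes) < 4:
            raise ConnectionError("connection closed mid-record")
        (mark,) = struct.unpack(">I", mark_bytes)
        record += rfile.read(mark & 0x7FFFFFFF)
        if mark & 0x80000000:
            return record


def dump(host, port=111, timeout=5.0):
    """Query a live portmapper over TCP and return its registered mappings."""
    xid = 0x2A2A2A2A                            # arbitrary; it ties the reply to the call
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(frame_tcp(build_dump_call(xid)))
        return parse_dump_reply(_recv_record(sock), expect_xid=xid)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None   # assumed: host to query
    for entry in dump(target) if target else []:
        print(describe(entry))
```

Run it as `python3 pmap_dump.py <target_ip>`; the output lines match the columns of `rpcinfo -p`, and `interesting_services()` tells you whether the NFS, NIS or rusersd sections below apply. Version 2 of the portmapper protocol is used because every rpcbind still serves it; versions 3 and 4 return universal addresses instead of plain ports and need a different decoder.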

Exploiting RPCbind

RPCbind is useful to an attacker in several ways:

  • Service discovery: a single DUMP query (what rpcinfo -p sends) returns every registered RPC program together with its port, so you learn which RPC services exist (NFS, mountd, NIS, rusersd and so on) without scanning the whole port range, including services sitting on high dynamically assigned ports.

  • Denial of Service (DoS): the service can be flooded with requests until it stops responding. Its UDP listener also answers small queries with larger replies, so an exposed rpcbind can be abused as a reflector in amplification attacks against third parties.

  • Information disclosure: the listing reveals which RPC services and versions are offered (for example, which NFS and mountd versions), which hints at the operating system and at what to attack next.

Mitigating RPCbind vulnerabilities

To reduce the exposure of RPCbind, take the following steps:

  • Disable unnecessary RPC services: if a host does not need NFS, NIS or other RPC services, stop them and rpcbind itself to shrink the attack surface.

  • Filter RPC traffic: use firewalls or network access control lists (ACLs) to restrict port 111 on both TCP and UDP to trusted sources. Note that filtering 111 alone does not protect services that also listen on fixed ports (NFS on 2049, for instance); filter those too, or the portmapper can simply be bypassed (see below).

  • Keep RPCbind up to date: apply vendor updates so known vulnerabilities are patched.

  • Monitor RPCbind activity: review its logs for suspicious queries or unauthorized access attempts.

Conclusion

RPCbind is a common service on Unix-like operating systems. Enumerating it, and understanding what it exposes, is the starting point both for attacking the RPC services behind it and for locking them down.

rpcinfo irked.htb
nmap -sSUC -p111 192.168.10.1

Sometimes the query returns no information at all; other times you will get a full listing of the registered RPC programs, their versions, protocols and ports.

Shodan

  • port:111 portmap

RPCBind + NFS

If you find the NFS service registered, you will probably be able to list and download (and maybe upload) files:

See 2049 - Pentesting NFS Service.

NIS

Exploring NIS vulnerabilities is a two-step process that starts with identifying the ypbind service. The key piece of information is the NIS domain name; without it you cannot go any further.

Begin by installing the required packages (apt-get install nis). Then use ypwhich to confirm the NIS server is reachable by querying it with the domain name and server IP (the placeholders below stand in for the real values).

The final and crucial step uses the ypcat command to extract sensitive data, in particular the encrypted user passwords. Once cracked with tools such as John the Ripper, these hashes give you access to accounts and their privileges.

# Install NIS tools
apt-get install nis
# Ask which server serves the NIS domain (confirms the domain name and server are valid)
ypwhich -d <domain-name> <server-ip>
# Extract user credentials
ypcat -d <domain-name> -h <server-ip> passwd.byname
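What to do with the ypcat output before reaching for John, as an added Python example that is not part of the original page or of the NIS tools. It parses passwd.byname lines, names the crypt family of each hash, separates accounts whose hash is elsewhere (an "x" field, or the Solaris "##user" marker that points at passwd.adjunct.byname) or locked, and emits user:hash lines with uid 0 first. The sample map is constructed; no line of it comes from a real server, and the map names shadow.byname and passwd.adjunct.byname are named as the usual places to look next, not as something this page verified.

```python
"""Triage of a NIS passwd.byname dump before handing it to John (added example)."""
import re

# Constructed sample of what `ypcat -d <domain> -h <server> passwd.byname`
# returns; the users and hashes below are made up, not from any real server.
SAMPLE_PASSWD_MAP = """\
root:$6$Qn4b3x2Q$e7sHcXc1zvIUtZJwwQ6hB3jMd0QF7Fwx1Yq6g5tGbIu9KJHr5kSbZ3MxTqY0:0:0:root:/root:/bin/bash
alice:$1$Yv3kL9pq$Yd2cBzE0oHj7L8q1M5zA6.:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/sh
svc:*:1003:1003:service account:/var/empty:/usr/sbin/nologin
old:abJnggxhB/yWI:1004:1004:Legacy user:/home/old:/bin/sh
guest::1005:1005:Guest:/home/guest:/bin/sh
+::0:0:::
"""

CRYPT_PREFIXES = (("$6$", "sha512crypt"), ("$5$", "sha256crypt"), ("$1$", "md5crypt"),
                  ("$y$", "yescrypt"), ("$2a$", "bcrypt"), ("$2b$", "bcrypt"),
                  ("$2y$", "bcrypt"))
DESCRYPT = re.compile(r"[./0-9A-Za-z]{13}")


def classify_hash(field):
    """Name the crypt family of a passwd hash field, or say why it cannot be cracked."""
    if field == "":
        return "empty"        # no password at all: log in directly
    if field == "x":
        return "shadowed"     # hash kept apart, normally in shadow.byname (assumed)
    if field.startswith("##"):
        return "shadowed"     # Solaris convention: hash is in passwd.adjunct.byname
    if field.startswith(("*", "!")):
        return "locked"
    for prefix, name in CRYPT_PREFIXES:
        if field.startswith(prefix):
            return name
    if DESCRYPT.fullmatch(field):
        return "descrypt"     # traditional 13-char DES crypt, cheap to brute-force
    return "unknown"


def parse_passwd_map(text):
    """Split passwd.byname lines into (user, hash, uid, gid, gecos, home, shell)."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or fields[0] in ("", "+", "-"):
            continue          # skip blanks, malformed lines and +/- compat entries
        entries.append(tuple(fields))
    return entries


def triage(text):
    """Group users by what the hash field allows: crackable (with family) or not."""
    result = {"crackable": {}, "shadowed": [], "locked": [], "empty": [], "unknown": []}
    for user, pw_hash, uid, *_ in parse_passwd_map(text):
        kind = classify_hash(pw_hash)
        if kind in result:
            result[kind].append(user)
        else:
            result["crackable"][user] = (kind, pw_hash, int(uid))
    return result


def john_input(text):
    """`user:hash` lines for the crackable entries, uid 0 first, then by name."""
    crackable = triage(text)["crackable"]
    ordered = sorted(crackable.items(), key=lambda item: (item[1][2] != 0, item[0]))
    return ["%s:%s" % (user, info[1]) for user, info in ordered]


if __name__ == "__main__":
    summary = triage(SAMPLE_PASSWD_MAP)
    for user, (kind, _, uid) in summary["crackable"].items():
        print("%-8s uid=%-5d %s" % (user, uid, kind))
    print("shadowed:", summary["shadowed"], "locked:", summary["locked"],
          "empty:", summary["empty"])
    print("\n".join(john_input(SAMPLE_PASSWD_MAP)))
```

Feed the real map in with `triage(open("passwd.byname").read())`. Knowing the family up front matters because John needs the right format (descrypt hashes fall in seconds, sha512crypt and bcrypt do not), and an "x" or "##" field tells you to pull the shadow map rather than waste time on a placeholder.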

NIS files

Master file         Map(s)                         Notes
/etc/hosts          hosts.byname, hosts.byaddr     Contains hostnames and IP details
/etc/passwd         passwd.byname, passwd.byuid    NIS user password file
/etc/group          group.byname, group.bygid      NIS group file
/usr/lib/aliases    mail.aliases                   Details mail aliases

RPC Users

If you find the rusersd service (program 100002) in the rpcinfo listing, you can enumerate the users logged in to the box. To learn how, read 1026 - Pentesting Rusersd.

Bypass Filtered Portmapper port

When an nmap scan shows open NFS ports but port 111 filtered, the standard tools cannot ask the portmapper where mountd and nfsd live, so they fail against the target directly. The workaround is to run a portmapper service locally, pointing at the target's ports, and tunnel from your machine to the target; the usual tools then work unchanged, bypassing the filtered state of port 111 and giving access to the NFS service. For detailed guidance on this method, refer to the article available at this link.

Shodan

  • Portmap

Labs to practice

HackTricks Automatic Commands

Protocol_Name: Portmapper    #Protocol Abbreviation if there is one.
Port_Number:  111     #Comma separated if there is more than one.
Protocol_Description: Portmapper / RPCBind        #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for PortMapper
Note: |
Portmapper is a service that is utilized for mapping network service ports to RPC (Remote Procedure Call) program numbers. It acts as a critical component in Unix-based systems, facilitating the exchange of information between these systems. The port associated with Portmapper is frequently scanned by attackers as it can reveal valuable information. This information includes the type of Unix Operating System (OS) running and details about the services that are available on the system. Additionally, Portmapper is commonly used in conjunction with NFS (Network File System), NIS (Network Information Service), and other RPC-based services to manage network services effectively.

https://book.hacktricks.xyz/pentesting/pentesting-rpcbind

Entry_2:
Name: rpc info
Description: Lists the RPC programs registered with the portmapper and their ports
Command: rpcinfo -p {IP}

Entry_3:
Name: nmap
Description: May give netstat-type info
Command: nmap -sSUC -p 111 {IP}