hacktricks/network-services-pentesting/pentesting-rpcbind.md
2024-02-10 17:52:19 +00:00

# 111/TCP/UDP - Pentesting Portmapper
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
## Basic Information
**Portmapper** is a service that is utilized for mapping network service ports to RPC (Remote Procedure Call) program numbers. It acts as a critical component in Unix-based systems, facilitating the exchange of information between these systems. The port associated with **Portmapper** is frequently scanned by attackers as it can reveal valuable information. This information includes the type of Unix Operating System (OS) running and details about the services that are available on the system. Additionally, **Portmapper** is commonly used in conjunction with NFS (Network File System), NIS (Network Information Service), and other RPC-based services to manage network services effectively.
**Default port:** 111/TCP/UDP, 32771 in Oracle Solaris
```
PORT STATE SERVICE
111/tcp open rpcbind
```
## Enumeration
### Port 111 - RPCbind
RPCbind is a service that maps RPC (Remote Procedure Call) program numbers to network addresses. It is commonly used in Unix-like operating systems to manage RPC services.
#### Enumerating RPCbind
To enumerate RPCbind, you can use the `rpcinfo` command. This command allows you to query the RPCbind service for information about registered RPC programs.
To list all the registered RPC programs, you can run the following command:
```
rpcinfo -p <target_ip>
```
Replace `<target_ip>` with the IP address of the target machine.
The output will display the program number, version number, transport protocol, and program name for each registered RPC program.
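To make that output actionable, the following added example (not part of the original page or of HackTricks) parses `rpcinfo -p` text, lists which RPC services are reachable on which proto/port, diffs the registrations against an approved baseline, and flags programs that commonly enlarge the attack surface (NFS, mountd, NIS, rusersd). The sample output and the baseline are constructed; the program numbers match the well-known assignments in `/etc/rpc`.

```python
import re
from dataclasses import dataclass

# Constructed sample of `rpcinfo -p` output (not from a real host).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  53045  mountd
    100005    1   tcp  41121  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100004    2   udp    838  ypserv
    100002    2   udp  57654  rusersd
"""

# RPC programs whose registration deserves a closer look on a hardened host.
RISKY_PROGRAMS = {
    "nfs": "NFS file system exports reachable over the network",
    "mountd": "answers NFS mount requests and lists exports",
    "ypserv": "NIS server; maps such as passwd.byname may be dumped",
    "ypbind": "NIS client bound to a domain",
    "rusersd": "discloses logged-in user names",
    "rstatd": "discloses host statistics",
}


@dataclass(frozen=True)
class RpcMapping:
    program: int
    version: int
    proto: str
    port: int
    service: str


# One data row: program number, version, proto, port, optional service name.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)\s*$")


def parse_rpcinfo(text: str) -> list[RpcMapping]:
    """Turn rpcinfo -p text into mappings; the header and blank lines are skipped."""
    mappings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, vers, proto, port, service = m.groups()
        # rpcinfo leaves the service column empty for programs missing from /etc/rpc
        mappings.append(RpcMapping(int(prog), int(vers), proto, int(port), service or f"prog-{prog}"))
    return mappings


def exposed_services(mappings: list[RpcMapping]) -> dict[str, list[str]]:
    """Map each non-portmapper service to the sorted proto/port pairs it listens on."""
    out: dict[str, set[str]] = {}
    for m in mappings:
        if m.service == "portmapper":
            continue
        out.setdefault(m.service, set()).add(f"{m.proto}/{m.port}")
    return {svc: sorted(ports) for svc, ports in out.items()}


def unexpected_programs(mappings: list[RpcMapping], baseline: set[str]) -> list[str]:
    """Services registered with portmapper that are absent from the approved baseline."""
    return sorted({m.service for m in mappings} - baseline)


def risk_report(mappings: list[RpcMapping]) -> dict[str, str]:
    """Registered services that appear in RISKY_PROGRAMS, with the reason."""
    return {m.service: RISKY_PROGRAMS[m.service] for m in mappings if m.service in RISKY_PROGRAMS}


if __name__ == "__main__":
    maps = parse_rpcinfo(SAMPLE_RPCINFO)
    print("listening services:", exposed_services(maps))
    print("not in baseline:", unexpected_programs(maps, {"portmapper", "nfs", "mountd"}))
    for svc, why in risk_report(maps).items():
        print(f"  {svc}: {why}")
```

Feeding it the real output (`rpcinfo -p host | python3 script.py` with a small `sys.stdin.read()` wrapper) turns the one-off enumeration into a repeatable check: anything reported by `unexpected_programs` is a registration that was not approved and should either be removed or added to the baseline deliberately.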
#### Exploiting RPCbind
RPCbind exposes a host to several risks, such as:
- **Service discovery (port scanning)**: a single query to RPCbind returns the port on which every registered RPC service (NFS, mountd, NIS, rusersd, ...) is listening, so it effectively replaces a port scan of the host and points directly at services that may be vulnerable.
- **Denial of Service (DoS)**: RPCbind can be flooded with a large number of requests. This can overwhelm the service and make it, and the RPC clients that depend on it for port lookups, unresponsive.
- **Information disclosure**: the list of registered RPC programs, versions and ports reveals what the host runs (an NFS server, a NIS server, and so on) and hints at the operating system. This information can be useful for further exploitation.
#### Mitigating RPCbind vulnerabilities
To mitigate vulnerabilities associated with RPCbind, you can take the following steps:
- **Disable unnecessary RPC services**: If you are not using RPC services, it is recommended to disable them to reduce the attack surface.
- **Filter RPC traffic**: Use firewalls or network access control lists (ACLs) to restrict RPC traffic to trusted sources only.
- **Keep RPCbind up to date**: Regularly update RPCbind to ensure that any known vulnerabilities are patched.
- **Monitor RPCbind activity**: Monitor RPCbind logs for any suspicious activity or unauthorized access attempts.
#### Conclusion
RPCbind is a commonly used service in Unix-like operating systems. By enumerating and understanding its vulnerabilities, you can better secure your systems and protect against potential attacks.
```
rpcinfo irked.htb
nmap -sSUC -p111 192.168.10.1
```
Sometimes the scan returns no information; on other occasions you will get something like this:
![](<../.gitbook/assets/image (230).png>)
### Shodan
* `port:111 portmap`
## RPCBind + NFS
If you find the NFS service, you will probably be able to list and download (and maybe upload) files:
![](<../.gitbook/assets/image (232).png>)
Read [2049 - Pentesting NFS service](nfs-service-pentesting.md) to learn more about how to test this protocol.
## NIS
Exploring **NIS** vulnerabilities is a two-step process that starts with identifying the `ypbind` service. The key piece of information is the **NIS domain name**; without it, nothing further can be done.
![](<../.gitbook/assets/image (233).png>)
The process begins with installing the required packages (`apt-get install nis`). The next step uses `ypwhich` to confirm that the NIS server is present by querying it with the domain name and server IP (both anonymized here for security).
The final and crucial step runs the `ypcat` command to extract sensitive data, in particular the encrypted user passwords. These hashes, once cracked with tools such as **John the Ripper**, reveal information about system access and privileges.
```bash
# Install the NIS client tools
apt-get install nis
# Query the NIS server to confirm its presence (requires the domain name)
ypwhich -d <domain-name> <server-ip>
# Dump the passwd map (user entries, including the password hashes if they are not shadowed)
ypcat -d <domain-name> -h <server-ip> passwd.byname
```
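Whether the `passwd.byname` dump is actually a problem depends on what the password field contains: `x` means the hash is kept elsewhere, `*`/`!` means the account is locked, anything else is a crackable hash. The following added example (not part of the original page or of HackTricks) parses a `ypcat passwd.byname` dump, classifies each password field by its crypt(3) prefix, and reports the accounts whose hashes NIS really exposes, with extra attention to uid 0 and to weak algorithms. The map contents and the hashes are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed `ypcat passwd.byname` output; hashes are placeholders, not real values.
SAMPLE_PASSWD_MAP = """\
root:$6$constructed$NotARealSha512CryptHash:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:$1$constr$NotARealMd5CryptHash:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1002:Bob Example:/home/bob:/bin/bash
carol:abXYZ1234567.:1003:1003:Carol Example:/home/carol:/bin/sh
svc:!!:1004:1004:service account:/var/lib/svc:/bin/false
"""


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    hash_field: str
    uid: int
    gid: int
    shell: str


def parse_passwd_map(text: str) -> list[PasswdEntry]:
    """Parse passwd(5)-format lines; malformed or blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, _gecos, _home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), shell))
    return entries


def hash_kind(field: str) -> str:
    """Classify the password field by the crypt(3) prefix conventions."""
    if field == "x":
        return "shadowed"      # hash is not in this map
    if field == "":
        return "empty"         # no password at all
    if field.startswith(("*", "!")):
        return "locked"        # no valid hash, login disabled
    prefixes = {"$6$": "sha512crypt", "$5$": "sha256crypt", "$y$": "yescrypt", "$1$": "md5crypt"}
    for prefix, kind in prefixes.items():
        if field.startswith(prefix):
            return kind
    if field.startswith("$2"):
        return "bcrypt"
    if len(field) == 13 and "$" not in field:
        return "descrypt"      # traditional 13-character DES crypt
    return "unknown"


WEAK_KINDS = {"md5crypt", "descrypt"}


def exposed_hashes(entries: list[PasswdEntry]) -> list[tuple[str, str]]:
    """(name, kind) for every account whose hash is readable straight from the map."""
    out = []
    for e in entries:
        kind = hash_kind(e.hash_field)
        if kind not in ("shadowed", "locked"):
            out.append((e.name, kind))
    return out


def findings(entries: list[PasswdEntry]) -> list[str]:
    """Human-readable findings: exposed uid 0 hashes, empty passwords, weak algorithms."""
    by_name = {e.name: e for e in entries}
    msgs = []
    for name, kind in exposed_hashes(entries):
        if kind == "empty":
            msgs.append(f"{name}: empty password field, login without a password")
            continue
        if by_name[name].uid == 0:
            msgs.append(f"{name}: uid 0 hash exposed via NIS ({kind})")
        if kind in WEAK_KINDS:
            msgs.append(f"{name}: weak hash algorithm {kind}, fast to crack offline")
    return msgs


if __name__ == "__main__":
    for msg in findings(parse_passwd_map(SAMPLE_PASSWD_MAP)):
        print(msg)
```

On the defensive side, every line this prints is a reason to move the hashes into a shadow map with restricted access, or to stop serving `passwd.byname` to untrusted clients altogether; an empty `findings` list on a real dump means the map leaks user names but no credential material.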
### NIS files
| **Master file** | **Map(s)** | **Notes** |
| ---------------- | --------------------------- | --------------------------------- |
| /etc/hosts | hosts.byname, hosts.byaddr | Contains hostnames and IP details |
| /etc/passwd | passwd.byname, passwd.byuid | NIS user password file |
| /etc/group | group.byname, group.bygid | NIS group file |
| /usr/lib/aliases | mail.aliases | Details mail aliases |
## RPC Users
If you find the **rusersd** service listed like this:
![](<../.gitbook/assets/image (231).png>)
You could enumerate the users of the box. To learn how, read [1026 - Pentesting Rusersd](1026-pentesting-rusersd.md).
## Bypass Filtered Portmapper port
When conducting a **nmap scan** and discovering open NFS ports with port 111 being filtered, direct exploitation of these ports is not feasible. However, by **simulating a portmapper service locally and creating a tunnel from your machine** to the target, exploitation becomes possible using standard tools. This technique allows for bypassing the filtered state of port 111, thus enabling access to NFS services. For detailed guidance on this method, refer to the article available at [this link](https://medium.com/@sebnemK/how-to-bypass-filtered-portmapper-port-111-27cee52416bc).
## Shodan
* `Portmap`
## Labs to practice
* Practice these techniques in the [**Irked HTB machine**](https://app.hackthebox.com/machines/Irked).
## HackTricks Automatic Commands
```
Protocol_Name: Portmapper #Protocol Abbreviation if there is one.
Port_Number: 111 #Comma separated if there is more than one.
Protocol_Description: PM or RPCBind #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for PortMapper
  Note: |
    Portmapper is a service that is utilized for mapping network service ports to RPC (Remote Procedure Call) program numbers. It acts as a critical component in Unix-based systems, facilitating the exchange of information between these systems. The port associated with Portmapper is frequently scanned by attackers as it can reveal valuable information. This information includes the type of Unix Operating System (OS) running and details about the services that are available on the system. Additionally, Portmapper is commonly used in conjunction with NFS (Network File System), NIS (Network Information Service), and other RPC-based services to manage network services effectively.

    https://book.hacktricks.xyz/pentesting/pentesting-rpcbind

Entry_2:
  Name: rpc info
  Description: Lists the RPC programs registered with portmapper (program, version, proto, port)
  Command: rpcinfo -p {IP}

Entry_3:
  Name: nmap
  Description: Scans port 111 over TCP and UDP with the default NSE scripts
  Command: nmap -sSUC -p 111 {IP}
```