mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-20 01:55:46 +00:00
147 lines
7.7 KiB
Markdown
147 lines
7.7 KiB
Markdown
# 111/TCP/UDP - Pentesting Portmapper
|
||
|
||
{% hint style="success" %}
|
||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
||
<details>
|
||
|
||
<summary>Support HackTricks</summary>
|
||
|
||
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
{% endhint %}
|
||
|
||
<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
|
||
|
||
{% embed url="https://websec.nl/" %}
|
||
|
||
## Basic Information
|
||
|
||
**Portmapper** is a service that is utilized for mapping network service ports to **RPC** (Remote Procedure Call) program numbers. It acts as a critical component in **Unix-based systems**, facilitating the exchange of information between these systems. The **port** associated with **Portmapper** is frequently scanned by attackers as it can reveal valuable information. This information includes the type of **Unix Operating System (OS)** running and details about the services that are available on the system. Additionally, **Portmapper** is commonly used in conjunction with **NFS (Network File System)**, **NIS (Network Information Service)**, and other **RPC-based services** to manage network services effectively.
|
||
|
||
**Default port:** 111/TCP/UDP, 32771 in Oracle Solaris
|
||
|
||
```
|
||
PORT STATE SERVICE
|
||
111/tcp open rpcbind
|
||
```
|
||
|
||
## Enumeration
|
||
|
||
```
|
||
rpcinfo irked.htb
|
||
nmap -sSUC -p111 192.168.10.1
|
||
```
|
||
|
||
Sometimes it doesn't give you any information, in other occasions you will get something like this:
|
||
|
||
![](<../.gitbook/assets/image (553).png>)
|
||
|
||
### Shodan
|
||
|
||
* `port:111 portmap`
|
||
|
||
## RPCBind + NFS
|
||
|
||
If you find the service NFS then probably you will be able to list and download(and maybe upload) files:
|
||
|
||
![](<../.gitbook/assets/image (872).png>)
|
||
|
||
Read[ 2049 - Pentesting NFS service](nfs-service-pentesting.md) to learn more about how to test this protocol.
|
||
|
||
## NIS
|
||
|
||
Exploring **NIS** vulnerabilities involves a two-step process, starting with the identification of the service `ypbind`. The cornerstone of this exploration is uncovering the **NIS domain name**, without which progress is halted.
|
||
|
||
![](<../.gitbook/assets/image (859).png>)
|
||
|
||
The exploration journey begins with the installation of necessary packages (`apt-get install nis`). The subsequent step requires using `ypwhich` to confirm the NIS server's presence by pinging it with the domain name and server IP, ensuring these elements are anonymized for security.
|
||
|
||
The final and crucial step involves the `ypcat` command to extract sensitive data, particularly encrypted user passwords. These hashes, once cracked using tools like **John the Ripper**, reveal insights into system access and privileges.
|
||
|
||
```bash
|
||
# Install NIS tools
|
||
apt-get install nis
|
||
# Ping the NIS server to confirm its presence
|
||
ypwhich -d <domain-name> <server-ip>
|
||
# Extract user credentials
|
||
ypcat –d <domain-name> –h <server-ip> passwd.byname
|
||
```
|
||
|
||
### NIF files
|
||
|
||
| **Master file** | **Map(s)** | **Notes** |
|
||
| ---------------- | --------------------------- | --------------------------------- |
|
||
| /etc/hosts | hosts.byname, hosts.byaddr | Contains hostnames and IP details |
|
||
| /etc/passwd | passwd.byname, passwd.byuid | NIS user password file |
|
||
| /etc/group | group.byname, group.bygid | NIS group file |
|
||
| /usr/lib/aliases | mail.aliases | Details mail aliases |
|
||
|
||
## RPC Users
|
||
|
||
If you find the **rusersd** service listed like this:
|
||
|
||
![](<../.gitbook/assets/image (1041).png>)
|
||
|
||
You could enumerate users of the box. To learn how read [1026 - Pentesting Rsusersd](1026-pentesting-rusersd.md).
|
||
|
||
## Bypass Filtered Portmapper port
|
||
|
||
When conducting a **nmap scan** and discovering open NFS ports with port 111 being filtered, direct exploitation of these ports is not feasible. However, by **simulating a portmapper service locally and creating a tunnel from your machine** to the target, exploitation becomes possible using standard tools. This technique allows for bypassing the filtered state of port 111, thus enabling access to NFS services. For detailed guidance on this method, refer to the article available at [this link](https://medium.com/@sebnemK/how-to-bypass-filtered-portmapper-port-111-27cee52416bc).
|
||
|
||
## Shodan
|
||
|
||
* `Portmap`
|
||
|
||
## Labs to practice
|
||
|
||
* Practice these techniques in the [**Irked HTB machine**](https://app.hackthebox.com/machines/Irked).
|
||
|
||
<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
|
||
|
||
{% embed url="https://websec.nl/" %}
|
||
|
||
## HackTricks Automatic Commands
|
||
|
||
```
|
||
Protocol_Name: Portmapper #Protocol Abbreviation if there is one.
|
||
Port_Number: 43 #Comma separated if there is more than one.
|
||
Protocol_Description: PM or RPCBind #Protocol Abbreviation Spelled out
|
||
|
||
Entry_1:
|
||
Name: Notes
|
||
Description: Notes for PortMapper
|
||
Note: |
|
||
Portmapper is a service that is utilized for mapping network service ports to RPC (Remote Procedure Call) program numbers. It acts as a critical component in Unix-based systems, facilitating the exchange of information between these systems. The port associated with Portmapper is frequently scanned by attackers as it can reveal valuable information. This information includes the type of Unix Operating System (OS) running and details about the services that are available on the system. Additionally, Portmapper is commonly used in conjunction with NFS (Network File System), NIS (Network Information Service), and other RPC-based services to manage network services effectively.
|
||
|
||
https://book.hacktricks.xyz/pentesting/pentesting-rpcbind
|
||
|
||
Entry_2:
|
||
Name: rpc info
|
||
Description: May give netstat-type info
|
||
Command: whois -h {IP} -p 43 {Domain_Name} && echo {Domain_Name} | nc -vn {IP} 43
|
||
|
||
Entry_3:
|
||
Name: nmap
|
||
Description: May give netstat-type info
|
||
Command: nmap -sSUC -p 111 {IP}
|
||
```
|
||
|
||
{% hint style="success" %}
|
||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
||
<details>
|
||
|
||
<summary>Support HackTricks</summary>
|
||
|
||
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
{% endhint %}
|