Heya - HollyGraceful here, I make all of this content in my spare time, like it? Please support me :)
You can donate via Bitcoin or Patreon!

Enumerating Unix Remote Procedure Call (RPC) Services

Several interesting Unix daemons, such as Network Information Service+ (NIS+), Network File System (NFS), and Common Desktop Environment (CDE), run as RPC services on dynamically assigned high ports. The portmapper service (aka rpcbind) runs on port TCP/UDP 111 or 32771 and can be queried using rpcinfo to discover the available services and their port numbers.
The nmap documentation states that if portmapper is filtered, services can be identified directly using an nmap scan of high port ranges (TCP/UDP 32771-34000). The RPC grinding scan is done as part of an aggressive scan (-A) or can be called explicitly with -sR.
Attempting to connect to an RPC service when portmapper is filtered will result in an error similar to “RPC: Port mapper failure RPC: Unable to receive.” To work around this issue it is possible to create a local RPC portmapper and proxy the RPC endpoint connections through to the remote server.

Exploitation:
Query the RPC portmapper using rpcinfo: rpcinfo -p <host>
Using nmap to find RPC services when portmapper is filtered: nmap -sSU -A -p 32771-34000 <host>
Interaction with the enumerated software can be achieved with the appropriate client software: showmount, mount, rusers, etc.
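As an added example (mine, not from the original post), here is a small Python parser for the `rpcinfo -p` listing format, used from the defender's side to inventory which RPC programs a host actually registers, which of them sit in the 32771-34000 dynamic range that a portmapper-only firewall rule will not cover, and which are not on an approved baseline. The sample listing is constructed, not captured from a real host, and `parse_rpcinfo`, `high_port_services`, `service_names` and `unexpected_services` are hypothetical helper names.

```python
"""Parse `rpcinfo -p` output to inventory the RPC programs a host exposes.

Added example (not from the original post). The sample output below is
constructed to look like a typical `rpcinfo -p` listing; the helper
functions are hypothetical names, not part of any tool.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample of `rpcinfo -p <host>` output (not from a real host).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp  32771  mountd
    100005    1   tcp  32772  mountd
    100002    2   udp  32773  rusersd
    100021    1   udp  33001  nlockmgr
"""


@dataclass(frozen=True)
class RpcService:
    program: int   # RPC program number (e.g. 100003 is nfs)
    version: int
    proto: str     # "tcp" or "udp"
    port: int
    name: str      # service name as printed by rpcinfo


def parse_rpcinfo(text: str) -> List[RpcService]:
    """Turn the text of `rpcinfo -p` into a list of RpcService entries.

    The header line ("program vers proto port service") and blank lines are
    skipped. A line with fewer than four columns is ignored rather than
    raising; a line with no service name (some implementations print none
    for programs not in /etc/rpc) gets a synthetic "prog-<number>" name.
    """
    services: List[RpcService] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # header, blank, or malformed line
        name = parts[4] if len(parts) > 4 else f"prog-{parts[0]}"
        services.append(
            RpcService(int(parts[0]), int(parts[1]), parts[2].lower(), int(parts[3]), name)
        )
    return services


def high_port_services(services: Iterable[RpcService], lo: int = 32771, hi: int = 34000) -> List[RpcService]:
    """Entries registered in the dynamically assigned high-port range.

    These are what an nmap scan of 32771-34000 finds directly when port 111
    is filtered, and what a firewall rule that only blocks portmapper misses.
    """
    return [s for s in services if lo <= s.port <= hi]


def service_names(services: Iterable[RpcService]) -> List[str]:
    """Distinct service names, for a quick comparison against a baseline."""
    return sorted({s.name for s in services})


def unexpected_services(services: Iterable[RpcService], allowed: Iterable[str]) -> List[str]:
    """Names present on the host but absent from the approved list."""
    return sorted({s.name for s in services} - set(allowed))


if __name__ == "__main__":
    found = parse_rpcinfo(SAMPLE_RPCINFO)
    print(f"{len(found)} registrations, services: {service_names(found)}")
    for s in high_port_services(found):
        print(f"  high port: {s.name} v{s.version} {s.proto}/{s.port}")
    baseline = {"portmapper", "nfs", "mountd", "nlockmgr"}
    print("not on baseline:", unexpected_services(found, baseline))
```

To use it on a real host, pipe `rpcinfo -p <host>` into `parse_rpcinfo` and compare the result with the services that host is supposed to run; in the constructed sample, `rusersd` is the entry the baseline does not account for, and four registrations land on high ports that a rule blocking only TCP/UDP 111 would leave reachable.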

Additional Reading:
http://web.archive.org/web/20100423000427/http://www.milw0rm.com/papers/154
http://nmap.org/book/vscan-post-processors.html