Tag Archives: RPC

Bypass RPC Portmapper Filtering

Portmapper is a registry of Remote Procedure Call services including RPC Services number, version number, TCP/UDP port and protocol. It generally runs on port 111 TCP/UDP.

When a client wishes to connect to a service they first connect to the Portmapper, an administrator may filter this port beliving that it will prevent an attacker connecting to services offered, however this is not the case as an attacker may replicate the portmapper locally and proxy requests to the target machine.

Continue reading: Bypass RPC Portmapper Filtering

Enumerating Unix Remote Procedure Call (RPC) Services

Several interesting unix daemons, such as Network Information Service+, Network File System, and Common Desktop Environment, run as RPC services on dynamically assigned high ports. Theportmapper service (aka rpcbind) runs on port TCP/UDP 111 or 32771 and can be queried using rpcinfo to discover the available services and their port number.
The nmap documentation states that if portmapper is filtered, services can be identified directly using an nmap scan of high port ranges (TCP/UDP 32771-34000). RPC Grinding scan is done as part of an aggressive scan (-A) or can be called explicitly with -sR.
Attempting to connect to an RPC service when portmapper is filtered will result in an error similar to “RPC: Port mapper failure RPC: Unable to receive.” To work around this issue it is possible to create a local RPC portmapper and proxy the RPC endpoint connections through to the remote server

Continue reading: Enumerating Unix Remote Procedure Call (RPC) Services