111 - Rpcbind
💡 Learning tip: This document describes penetration-testing methods for Rpcbind and is intended as a reference for information-security beginners and practitioners.
⚠️ Legal notice: This document is for learning and authorized testing only. Testing systems without authorization may violate laws and regulations.
111/TCP/UDP - Pentesting Portmapper
Basic Information
Portmapper is a service that maps network service ports to RPC (Remote Procedure Call) program numbers. It is a critical component of Unix-based systems, enabling them to exchange information with one another. The port associated with Portmapper is frequently scanned by attackers because it can reveal valuable information, including the type of Unix Operating System (OS) running and details about the services available on the system. Portmapper is also commonly used together with NFS (Network File System), NIS (Network Information Service), and other RPC-based services to manage network services.
Default port: 111/TCP/UDP, 32771 in Oracle Solaris
Information Gathering
Sometimes it doesn't give you any information; on other occasions you will get something like this:
Advanced rpcinfo usage
Leverage rpcinfo -T udp -p <target> to pull the UDP program list even when TCP/111 is filtered, then immediately run showmount -e <target> to spot world-readable NFS exports registered through rpcbind.
Exhaustive mapping with Nmap NSE
Pair the classic scan with nmap --script=rpcinfo,rpc-grind -p111 <target> to brute-force RPC program numbers. rpc-grind hammers the portmapper with null calls that walk the nmap-rpc database, extracting supported versions whenever the remote daemon replies with “can’t support version,” which often reveals quietly registered services such as rusersd, rquotad or custom daemons. Multi-threading via --script-args 'rpc-grind.threads=8' speeds up large targets while the companion rpcinfo script prints human-readable tables you can diff against host baselines.
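The text above suggests diffing the programs registered with rpcbind against a per-host baseline. The following Python is an added example, not code from the original page, showing how a defender can parse the table that rpcinfo -p prints, flag program numbers that are not on an approved list (the rusersd, rquotad and custom-daemon cases mentioned above), and derive the set of transport/port pairs that are actually exposed through the portmapper. The sample rpcinfo output and the baseline program numbers are constructed for the example and are not captured from a real host.

```python
import re
from collections import namedtuple

RpcEntry = namedtuple("RpcEntry", "program version proto port service")

# Constructed sample of `rpcinfo -p <host>` output (not captured from a real host).
# The last line imitates a custom daemon that rpcinfo cannot name, so the
# service column is empty.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100002    2   udp   1021  rusersd
    100011    1   udp    875  rquotad
    200001    1   tcp  40000
"""

# One registration line: program, version, transport, port, optional service name.
_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp6|udp6|tcp|udp)\s+(\d+)\s*(\S*)\s*$")

# Hypothetical baseline for an NFS server: portmapper, nfs and mountd only.
# These are example values chosen for the demonstration, not from the page.
BASELINE_PROGRAMS = {100000, 100003, 100005}


def parse_rpcinfo(text):
    """Parse `rpcinfo -p` output into RpcEntry tuples, skipping the header line."""
    entries = []
    for line in text.splitlines():
        match = _LINE.match(line)
        if not match:
            continue  # header, blank line, or anything that is not a registration
        prog, vers, proto, port, service = match.groups()
        # rpcinfo leaves the service column empty for unknown program numbers;
        # keep the number visible so the entry still shows up in reports.
        name = service or f"prog-{prog}"
        entries.append(RpcEntry(int(prog), int(vers), proto, int(port), name))
    return entries


def unexpected_registrations(entries, baseline=BASELINE_PROGRAMS):
    """Return registrations whose program number is not in the baseline.

    Multiple versions of one program on the same transport and port are
    collapsed to a single finding so the report stays readable.
    """
    seen = set()
    findings = []
    for entry in entries:
        if entry.program in baseline:
            continue
        key = (entry.program, entry.proto, entry.port)
        if key in seen:
            continue
        seen.add(key)
        findings.append(entry)
    return findings


def exposed_ports(entries):
    """Set of (transport, port) pairs advertised via rpcbind; useful for firewall review."""
    return {(entry.proto, entry.port) for entry in entries}


if __name__ == "__main__":
    parsed = parse_rpcinfo(SAMPLE_RPCINFO)
    for finding in unexpected_registrations(parsed):
        print(f"unexpected: {finding.service} (prog {finding.program}) on {finding.proto}/{finding.port}")
    print("advertised ports:", sorted(exposed_ports(parsed)))
```

Running the block against the constructed sample reports rusersd, rquotad and the unnamed program 200001 as unexpected, while portmapper, nfs and mountd pass. In practice the baseline would be generated once from a known-good host and the parser fed the saved output of rpcinfo -p from each audit run.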
