---
title: "111 - Rpcbind"
weight: 111
date: "2026-03-10T10:03:28+08:00"
lastmod: "2026-03-10T13:26:55+08:00"
---

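💡 **Study tip**: This document covers penetration testing methods for **Rpcbind** and is intended as a reference for information security beginners and practitioners.

⚠️ **Legal notice**: This document is for learning and authorized testing only. Testing systems without authorization may violate laws and regulations.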

---

## 111/TCP/UDP - Pentesting Portmapper

### Basic Information

**Portmapper** maps network service ports to **RPC** (Remote Procedure Call) program numbers. It is a critical component of **Unix-based systems**, facilitating the exchange of information between them. The Portmapper **port** is frequently scanned by attackers because it can reveal valuable information, including the type of **Unix operating system (OS)** running and details about the services available on the system. **Portmapper** is also commonly used together with **NFS (Network File System)**, **NIS (Network Information Service)**, and other **RPC-based services** to manage network services.

**Default port:** 111/TCP/UDP, 32771 in Oracle Solaris

```
PORT    STATE SERVICE
111/tcp open  rpcbind
```

### Enumeration

```
rpcinfo irked.htb
nmap -sSUC -p111 192.168.10.1
```

Sometimes it returns no information; on other occasions you will get something like this:

![](<../images/image (553).png>)

#### Advanced `rpcinfo` usage

Leverage `rpcinfo -T udp -p <target>` to pull the UDP program list even when TCP/111 is filtered, then immediately run `showmount -e <target>` to spot world-readable NFS exports registered through rpcbind.

```bash
rpcinfo -T udp -p 10.10.10.10
showmount -e 10.10.10.10
```

#### Exhaustive mapping with Nmap NSE

Pair the classic scan with `nmap --script=rpcinfo,rpc-grind -p111 <target>` to brute-force RPC program numbers. `rpc-grind` hammers the portmapper with null calls that walk the `nmap-rpc` database, extracting supported versions whenever the remote daemon replies with "can't support version," which often reveals quietly registered services such as rusersd, rquotad or custom daemons. Multi-threading via `--script-args 'rpc-grind.threads=8'` speeds up large targets while the companion `rpcinfo` script prints human-readable tables you can diff against host baselines.
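The baseline comparison mentioned above, sketched for the table that `rpcinfo -p` prints (an added example, not code from the original page or from Nmap). The sample tables are constructed, and the function names `parse_rpcinfo` and `diff_baseline` are hypothetical. Registrations are keyed on program, version and protocol so that a dynamic port changing after a reboot is reported as `moved` rather than as a new service.

```python
def parse_rpcinfo(text):
    """Parse `rpcinfo -p` output into {(program, version, proto): (port, service)}."""
    regs = {}
    for line in text.splitlines():
        f = line.split()
        # Skip the header row and anything that is not a data row.
        if len(f) < 4 or not f[0].isdigit():
            continue
        # The service column is empty when the program number is not in the rpc database.
        name = f[4] if len(f) > 4 else "unknown"
        regs[(int(f[0]), int(f[1]), f[2])] = (int(f[3]), name)
    return regs


def diff_baseline(baseline, current):
    """Return registrations added, removed, or moved to another port since the baseline."""
    old, new = parse_rpcinfo(baseline), parse_rpcinfo(current)
    return {
        "added": sorted(k + new[k] for k in new if k not in old),
        "removed": sorted(k + old[k] for k in old if k not in new),
        "moved": sorted(k + new[k] for k in new if k in old and new[k][0] != old[k][0]),
    }


# Constructed sample data: approved baseline for a host that should only serve NFS.
BASELINE = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100005    3   tcp  20048  mountd
    100024    1   udp  45123  status
"""

# Constructed sample data: later capture with extra registrations and one port change.
CURRENT = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100005    3   tcp  20048  mountd
    100024    1   udp  51877  status
    100002    2   udp  40312  rusersd
    100011    1   udp    875  rquotad
    540000    1   tcp  39001
"""

if __name__ == "__main__":
    for kind, rows in diff_baseline(BASELINE, CURRENT).items():
        for prog, vers, proto, port, name in rows:
            print(f"{kind.upper():8} {prog} v{vers} {proto}/{port} {name}")
```
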

#### Shodan

```bash
# Shodan search syntax
port:111
```

#### ZoomEye

```bash
# ZoomEye search syntax
port:111
```

---

## 📖 References

- [HackTricks - 111-rpcbind](https://book.hacktricks.wiki/en/network-services-pentesting/111-rpcbind.html)

