12.1 Enumerating Unix RPC Services


A number of interesting Unix daemons (including NIS+, NFS, and CDE components) run as Remote Procedure Call (RPC) services using dynamically assigned high ports. To keep track of registered endpoints and present clients with accurate details of listening RPC services, a portmapper service listens on TCP and UDP port 111.

The RPC portmapper (also known as rpcbind within Solaris) can be queried using the rpcinfo command found on most Unix-based platforms, as shown in Example 12-1.

Example 12-1. Using rpcinfo to list accessible RPC service endpoints
# rpcinfo -p 192.168.0.50
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100024    1   udp  32772  status
    100024    1   tcp  32771  status
    100021    4   udp   4045  nlockmgr
    100021    2   tcp   4045  nlockmgr
    100005    1   udp  32781  mountd
    100005    1   tcp  32776  mountd
    100003    2   udp   2049  nfs
    100011    1   udp  32822  rquotad
    100002    2   udp  32823  rusersd
    100002    3   tcp  33180  rusersd

In this example, you can find the following:

  • status (rpc.statd) on TCP port 32771 and UDP port 32772

  • nlockmgr (rpc.lockd) on TCP and UDP port 4045

  • nfsd on UDP port 2049

  • rquotad on UDP port 32822

  • rusersd on TCP port 33180 and UDP port 32823

These services can be accessed and queried directly using client software, including showmount and mount (to access mountd and nfsd) and rusers (to access rusersd, covered in Chapter 5).

12.1.1 Identifying RPC Services Without the Portmapper

In networks protected by firewalls and other mechanisms, access to the RPC portmapper service running on port 111 is often filtered. Therefore, determined attackers can scan high port ranges (UDP and TCP ports 32771 through 34000 on Solaris hosts) to identify RPC services that are open to direct attack.

You can run nmap with the -sR option to identify RPC services listening on high ports if the portmapper is inaccessible. Example 12-2 shows nmap in use against a Solaris 9 host behind a firewall filtering the portmapper and services below port 1024.

Example 12-2. Using nmap to find RPC services running on high ports
# nmap -sR 10.0.0.9

Starting nmap 3.45 ( http://www.insecure.org/nmap/ )
Interesting ports on 10.0.0.9:
PORT      STATE SERVICE                        VERSION
4045/tcp  open  nlockmgr (nlockmgr V1-4)       1-4 (rpc #100021)
6000/tcp  open  X11
6112/tcp  open  dtspc
7100/tcp  open  font-service
32771/tcp open  ttdbserverd (ttdbserverd V1)   1 (rpc #100083)
32772/tcp open  kcms_server (kcms_server V1)   1 (rpc #100221)
32773/tcp open  metad (metad V1)               1 (rpc #100229)
32774/tcp open  metamhd (metamhd V1)           1 (rpc #100230)
32775/tcp open  rpc.metamedd (rpc.metamedd V1) 1 (rpc #100242)
32776/tcp open  rusersd (rusersd V2-3)         2-3 (rpc #100002)
32777/tcp open  status (status V1)             1 (rpc #100024)
32778/tcp open  sometimes-rpc19
32779/tcp open  sometimes-rpc21
32780/tcp open  dmispd (dmispd V1)             1 (rpc #300598)
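The practical consequence of Example 12-1 and Section 12.1.1 is that filtering port 111 alone leaves the dynamically assigned high-port RPC endpoints reachable. The following Python script is an added example (not code from the book) that parses rpcinfo -p output, collapses it into the per-service summary given above, and reports which endpoints a firewall blocking only the portmapper and ports below 1024 would still expose; the sample input is the Example 12-1 listing embedded as a constructed string.

```python
import re
from collections import defaultdict

# Constructed sample input: the rpcinfo -p listing from Example 12-1.
RPCINFO_OUTPUT = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100024    1   udp  32772  status
    100024    1   tcp  32771  status
    100021    4   udp   4045  nlockmgr
    100021    2   tcp   4045  nlockmgr
    100005    1   udp  32781  mountd
    100005    1   tcp  32776  mountd
    100003    2   udp   2049  nfs
    100011    1   udp  32822  rquotad
    100002    2   udp  32823  rusersd
    100002    3   tcp  33180  rusersd
"""

# One data row: program number, version, protocol, port, service name.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Return (program, version, proto, port, service) tuples; the header row is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            prog, ver, proto, port, svc = m.groups()
            entries.append((int(prog), int(ver), proto, int(port), svc))
    return entries


def endpoints_by_service(entries):
    """Collapse the table to {service: sorted ['proto/port', ...]}, the form used in the summary list."""
    table = defaultdict(set)
    for _prog, _ver, proto, port, svc in entries:
        table[svc].add(f"{proto}/{port}")
    return {svc: sorted(eps) for svc, eps in table.items()}


def reachable_through_filter(entries, blocked_ports=(111,), block_below=1024):
    """Endpoints still exposed by a firewall that blocks only blocked_ports and ports below block_below.
    This models the Section 12.1.1 scenario: hiding the portmapper does not hide the high-port services."""
    return sorted((svc, prog, ver, proto, port)
                  for prog, ver, proto, port, svc in entries
                  if port not in blocked_ports and port >= block_below)
```

Run it against a live rpcinfo -p capture of your own hosts to see which RPC programs remain reachable despite a portmapper-only filter.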


Source: Network Security Assessment: Know Your Network, Chris McNab, 2006, ISBN 059600611X (166 pages).
