A number of interesting Unix daemons (including NIS+, NFS, and CDE components) run as Remote Procedure Call (RPC) services on dynamically assigned high ports. To keep track of registered endpoints and give clients accurate details of the listening RPC services, a portmapper service listens on TCP and UDP port 111. The RPC portmapper (known as rpcbind on Solaris) can be queried with the rpcinfo command found on most Unix-based platforms, as shown in Example 12-1.

Example 12-1. Using rpcinfo to list accessible RPC service endpoints

    # rpcinfo -p 192.168.0.50
       program vers proto   port  service
        100000    4   tcp    111  rpcbind
        100000    4   udp    111  rpcbind
        100024    1   udp  32772  status
        100024    1   tcp  32771  status
        100021    4   udp   4045  nlockmgr
        100021    2   tcp   4045  nlockmgr
        100005    1   udp  32781  mountd
        100005    1   tcp  32776  mountd
        100003    2   udp   2049  nfs
        100011    1   udp  32822  rquotad
        100002    2   udp  32823  rusersd
        100002    3   tcp  33180  rusersd

In this example, you can find the following:
These services can be accessed and queried directly with client software: showmount and mount (for mountd and nfsd) and rusers (for rusersd, covered in Chapter 5).

12.1.1 Identifying RPC Services Without the Portmapper

In networks protected by firewalls and other mechanisms, access to the RPC portmapper service on port 111 is often filtered. A determined attacker can therefore scan the high port ranges (UDP and TCP ports 32771 through 34000 on Solaris hosts) to identify RPC services that are open to direct attack. If the portmapper is inaccessible, run nmap with the -sR option to identify RPC services listening on high ports: nmap sends RPC NULL calls to each open port and recognises the service from the program number and version range the daemon reports back. Example 12-2 shows nmap in use against a Solaris 9 host behind a firewall that filters the portmapper and all services below port 1024. (In current nmap releases -sR is an alias for -sV; the RPC grinder runs as part of version detection, so the same information appears in the VERSION column.)

Example 12-2. Using nmap to find RPC services running on high ports

    # nmap -sR 10.0.0.9

    Starting nmap 3.45 ( http://www.insecure.org/nmap/ )
    Interesting ports on 10.0.0.9:
    PORT      STATE SERVICE         VERSION
    4045/tcp  open  nlockmgr        (nlockmgr V1-4) 1-4 (rpc #100021)
    6000/tcp  open  X11
    6112/tcp  open  dtspc
    7100/tcp  open  font-service
    32771/tcp open  ttdbserverd     (ttdbserverd V1) 1 (rpc #100083)
    32772/tcp open  kcms_server     (kcms_server V1) 1 (rpc #100221)
    32773/tcp open  metad           (metad V1) 1 (rpc #100229)
    32774/tcp open  metamhd         (metamhd V1) 1 (rpc #100230)
    32775/tcp open  rpc.metamedd    (rpc.metamedd V1) 1 (rpc #100242)
    32776/tcp open  rusersd         (rusersd V2-3) 2-3 (rpc #100002)
    32777/tcp open  status          (status V1) 1 (rpc #100024)
    32778/tcp open  sometimes-rpc19
    32779/tcp open  sometimes-rpc21
    32780/tcp open  dmispd          (dmispd V1) 1 (rpc #300598)
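Both techniques above, the portmapper query that rpcinfo performs and the direct RPC probing that nmap -sR performs, rest on the same ONC RPC v2 wire format, so it is worth seeing it built by hand. The following script is an added example and is not code from the book or from the rpcinfo or nmap projects. It encodes an RPC CALL in XDR with AUTH_NONE credentials, wraps it in TCP record marking, decodes the REPLY (including the PROG_MISMATCH case that leaks a daemon's supported version range), and walks a PMAPPROC_DUMP result into the same (program, version, protocol, port) tuples that rpcinfo -p prints. The network helpers pmap_dump and probe_program are the pieces you would point at a target; the sample reply in build_sample_dump is constructed offline from three rows of Example 12-1 so the decoder can be exercised without a host.

```python
"""ONC RPC v2 probing helpers (added example; not code from the book).

Hand-encodes RPC CALL messages in XDR, decodes REPLY messages, and walks
a portmapper DUMP result (what `rpcinfo -p` prints), so RPC programs can
be listed via port 111 or identified directly on a high port when the
portmapper is filtered. Sample replies below are constructed test data.
"""
import socket
import struct

CALL, REPLY, MSG_ACCEPTED, MSG_DENIED, AUTH_NONE = 0, 1, 0, 1, 0
ACCEPT_STAT = {0: "SUCCESS", 1: "PROG_UNAVAIL", 2: "PROG_MISMATCH",
               3: "PROC_UNAVAIL", 4: "GARBAGE_ARGS", 5: "SYSTEM_ERR"}
PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4

def rpc_call(xid, prog, vers, proc, params=b""):
    """CALL header: xid, CALL, rpcvers 2, prog, vers, proc, then AUTH_NONE
    credential and verifier (flavor 0, zero-length body)."""
    return struct.pack(">10I", xid, CALL, 2, prog, vers, proc,
                       AUTH_NONE, 0, AUTH_NONE, 0) + params

def rpc_reply(xid, accept_stat, extra=(), body=b""):
    """Accepted REPLY with an AUTH_NONE verifier (used to build test data)."""
    return (struct.pack(">6I", xid, REPLY, MSG_ACCEPTED, AUTH_NONE, 0, accept_stat)
            + b"".join(struct.pack(">I", v) for v in extra) + body)

def tcp_record(payload):
    """TCP record marking: top bit = last fragment, low 31 bits = length."""
    return struct.pack(">I", 0x80000000 | len(payload)) + payload

class Xdr:
    """Minimal big-endian XDR reader."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def opaque(self):
        n = self.u32()
        v = self.data[self.pos:self.pos + n]
        self.pos += (n + 3) & ~3            # bodies are padded to 4 bytes
        return v

def parse_reply(data):
    """Return (xid, status_name, extra_words, remaining_body)."""
    x = Xdr(data)
    xid = x.u32()
    if x.u32() != REPLY:
        raise ValueError("not an RPC REPLY")
    if x.u32() == MSG_DENIED:
        if x.u32() == 0:                    # RPC_MISMATCH: (low, high) rpcvers
            return xid, "RPC_MISMATCH", (x.u32(), x.u32()), b""
        return xid, "AUTH_ERROR", (x.u32(),), b""
    x.u32(); x.opaque()                     # verifier flavor and body, ignored
    stat = x.u32()
    extra = (x.u32(), x.u32()) if stat == 2 else ()   # PROG_MISMATCH: low, high
    return xid, ACCEPT_STAT.get(stat, str(stat)), extra, x.data[x.pos:]

def parse_pmap_dump(body):
    """PMAPPROC_DUMP result: list of (prog, vers, proto, port), rpcinfo -p style."""
    x, out = Xdr(body), []
    while x.u32() == 1:                     # XDR optional: 1 = a mapping follows
        prog, vers, prot, port = x.u32(), x.u32(), x.u32(), x.u32()
        out.append((prog, vers, "tcp" if prot == 6 else "udp", port))
    return out

def classify(reply, prog):
    """Verdict for a NULL-procedure call naming program `prog`."""
    _, stat, extra, _ = parse_reply(reply)
    if stat in ("SUCCESS", "PROC_UNAVAIL"):
        return f"rpc #{prog} present"
    if stat == "PROG_MISMATCH":             # program is served; version was not
        return f"rpc #{prog} present, versions {extra[0]}-{extra[1]}"
    if stat == "PROG_UNAVAIL":
        return f"RPC service, but not #{prog}"
    return f"RPC endpoint, reply {stat}"

def rpc_exchange_tcp(host, port, call, timeout=3.0):
    """Send one record-marked call over TCP and return the reply payload."""
    def recv_exact(sock, n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("short read")
            buf += chunk
        return buf
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(tcp_record(call))
        (mark,) = struct.unpack(">I", recv_exact(s, 4))
        return recv_exact(s, mark & 0x7FFFFFFF)

def pmap_dump(host, port=111):
    """Equivalent of `rpcinfo -p host` over TCP."""
    call = rpc_call(1, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP)
    _, stat, _, body = parse_reply(rpc_exchange_tcp(host, port, call))
    return parse_pmap_dump(body) if stat == "SUCCESS" else []

def probe_program(host, port, prog, vers=0):
    """Ask a high port whether it serves `prog`; an unlikely version such as 0
    draws a PROG_MISMATCH carrying the real version range in one round trip."""
    return classify(rpc_exchange_tcp(host, port, rpc_call(2, prog, vers, 0)), prog)

def build_sample_dump():
    """Constructed DUMP reply holding three mappings from Example 12-1."""
    maps = [(100000, 4, 6, 111), (100005, 1, 17, 32781), (100003, 2, 17, 2049)]
    body = b"".join(struct.pack(">5I", 1, *m) for m in maps) + struct.pack(">I", 0)
    return rpc_reply(1, 0, body=body)

if __name__ == "__main__":
    for prog, vers, proto, port in parse_pmap_dump(parse_reply(build_sample_dump())[3]):
        print(f"{prog:>8} {vers:>4} {proto:>5} {port:>6}")
```

To reproduce the high-port identification from Example 12-2 against a live host you would loop probe_program over candidate program numbers for each open port (for instance 100021 against port 4045, which should report versions 1-4); only TCP is handled here, since UDP transports carry the same XDR payload without the four-byte record mark. Treat PROC_UNAVAIL as a positive hit as well: it means the program and version matched and only the procedure number was refused.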