Rpcinfo




One of the more powerful (and dangerous) services that can be run on a Unix system is the RPC registration service. RPCs provide a subsystem for making interprocess communication easier and standardized. Someone who is writing an application to use RPCs uses special compiler tools and libraries to build the application and then distributes the client and server pieces appropriately. Anyone wanting to run the server side of the RPC program will need to be running either portmap or rpcbind (the two are synonymous—rpcbind is found on later versions of Solaris).

Portmap/rpcbind is a utility that listens on TCP and UDP port 111. Any programs that want to receive RPCs need to register with the portmapper. During registration, portmap records the name/number, version, description, and port on which the program is listening. This is an important distinction. All RPC applications still listen on their own ports; the server program either requests a specific port to which to bind or is given one by the kernel. Portmap simply tells client applications wanting to use the RPC service which port they need to contact. RPC services can still be contacted directly without consulting portmap. Some popular RPC services are NFS (Network File System) and NIS/YP (Network Information Service or Sun Yellow Pages).

Note 

Not all NFS implementations register with a portmapper. These NFS services usually use TCP and UDP port 2049 by default.

Rpcinfo is a program that talks to the portmapper on a system and retrieves a list of all the RPC services currently running, their names and descriptions, and the ports they are using. It’s a quick and easy way for a potential hacker to identify vulnerable RPC services.

Implementation

Here are the basics of what we can do with Rpcinfo:

rpcinfo -p hostname
    This is the most basic usage of rpcinfo, listing all the RPC services that have registered with the portmapper.

rpcinfo -u hostname programid [version]
    After obtaining the ID of the RPC program, version, and port number, we can use this command to make the RPC call and report on a response. Adding a -n portnumber option allows us to use a different port number than the one portmap has registered. The -u refers to UDP; we’d use -t if we wanted to use TCP instead. The version number of the program is optional.

rpcinfo -b programid version
    This command will perform an RPC broadcast call, attempting to contact all machines on the local network and noting those that respond. We can use it to see whether any other machines on the network are running a vulnerable RPC service.

rpcinfo -d programid version
    This command will “un-register” the programid/version with portmap. This command can be run only locally and only by the super user.

rpcinfo -m hostname
    -m is similar to -p except it displays a table of statistics, such as the number of RPC requests the host has serviced. This option is not available on all platforms. Linux does not include this option, but more recent versions of Solaris (SunOS 5.6 and up) do. Check the man page.

Sample Output

The following is some output we retrieved with the command rpcinfo -p originix:

       program vers proto   port
        100000    2   tcp    111  portmapper
        100000    2   udp    111  portmapper
        100011    1   udp    749  rquotad
        100011    2   udp    749  rquotad
        100005    1   udp    759  mountd
        100005    1   tcp    761  mountd
        100005    2   udp    764  mountd
        100005    2   tcp    766  mountd
        100005    3   udp    769  mountd
        100005    3   tcp    771  mountd
        100003    2   udp   2049  nfs
        100003    3   udp   2049  nfs
        300019    1   tcp    830  amd
        300019    1   udp    831  amd
        100024    1   udp    944  status
        100024    1   tcp    946  status
        100021    1   udp   1042  nlockmgr
        100021    3   udp   1042  nlockmgr
        100021    4   udp   1042  nlockmgr
        100021    1   tcp   1629  nlockmgr
        100021    3   tcp   1629  nlockmgr
        100021    4   tcp   1629  nlockmgr

Here we can see that the host is at least running NFS, as nfs, nlockmgr, and mountd are all present. Now we can search the Internet to see whether we can find any NFS exploits to try on this host.

Problems with RPC

NFS and NIS have exploitable vulnerabilities, which can easily be discovered using the rpcinfo tool. The portmapper utility is inherently insecure, because the only available authentication is host-based via TCP wrappers (that is, inetd) and can be forged pretty easily. On the other hand, Sun has stepped up the security of RPC a bit with Secure RPC, which uses a shared DES authentication key that must be known by both parties. However, in most cases, external networks shouldn’t be able to access the portmapper service. If they can, there’s no telling what information they’ll be able to gather—or worse, what havoc they’ll create. Either turn off the service or block it at the firewall so that no external untrusted parties can use it.
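The following script is an added example (not code from the book) that turns the rpcinfo -p output shown in the Sample Output section into an inventory a defender can act on. It parses each registration (program number, version, protocol, port, name), flags the NFS-related services the text says should never be reachable from untrusted networks, and derives the full set of ports to block. The key point it demonstrates is the one made in the portmapper description above: the registered services listen on their own ports, so a firewall rule that blocks only port 111 is not enough. The INTERNAL_ONLY list and the embedded sample text are assumptions constructed for this example.

```python
"""Parse `rpcinfo -p` output and derive which RPC endpoints must be blocked.

Added example for this page; not from the book or from the rpcinfo project.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample: the `rpcinfo -p originix` listing reproduced from the page.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp    749  rquotad
    100011    2   udp    749  rquotad
    100005    1   udp    759  mountd
    100005    1   tcp    761  mountd
    100005    2   udp    764  mountd
    100005    2   tcp    766  mountd
    100005    3   udp    769  mountd
    100005    3   tcp    771  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    300019    1   tcp    830  amd
    300019    1   udp    831  amd
    100024    1   udp    944  status
    100024    1   tcp    946  status
    100021    1   udp   1042  nlockmgr
    100021    3   udp   1042  nlockmgr
    100021    4   udp   1042  nlockmgr
    100021    1   tcp   1629  nlockmgr
    100021    3   tcp   1629  nlockmgr
    100021    4   tcp   1629  nlockmgr
"""

# Assumed site policy: these RPC services are internal-only and must not be
# reachable from untrusted networks (the page's recommendation for NFS/NIS).
INTERNAL_ONLY = {"portmapper", "rpcbind", "nfs", "mountd", "nlockmgr",
                 "status", "rquotad", "amd", "ypserv", "ypbind"}

Endpoint = Tuple[str, int]  # (protocol, port)


@dataclass(frozen=True)
class RpcRegistration:
    """One line of `rpcinfo -p`: what portmap recorded at registration time."""
    program: int
    version: int
    proto: str
    port: int
    name: str  # empty when portmap has no name for the program number


def parse_rpcinfo(text: str) -> List[RpcRegistration]:
    """Parse `rpcinfo -p` output, skipping the header and any blank lines."""
    regs: List[RpcRegistration] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # header line ("program vers proto port") or blank
        prog, vers, proto, port = fields[:4]
        name = fields[4] if len(fields) > 4 else ""
        regs.append(RpcRegistration(int(prog), int(vers), proto.lower(),
                                    int(port), name))
    return regs


def exposed_services(regs: List[RpcRegistration]) -> Dict[str, Set[Endpoint]]:
    """Map each internal-only service name to the endpoints it registered."""
    out: Dict[str, Set[Endpoint]] = {}
    for r in regs:
        if r.name in INTERNAL_ONLY:
            out.setdefault(r.name, set()).add((r.proto, r.port))
    return out


def firewall_ports(regs: List[RpcRegistration]) -> Set[Endpoint]:
    """Distinct endpoints to block at the perimeter.

    Port 111 is always included so the portmapper itself is unreachable, and
    2049 on both protocols is added because NFS does not always register with
    portmap (see the note above) and can be contacted directly.
    """
    ports = {(r.proto, r.port) for r in regs if r.name in INTERNAL_ONLY}
    ports |= {("tcp", 111), ("udp", 111), ("tcp", 2049), ("udp", 2049)}
    return ports


def nfs_present(regs: List[RpcRegistration]) -> bool:
    """True when nfs, mountd and nlockmgr are all registered (the page's NFS indicator)."""
    names = {r.name for r in regs}
    return {"nfs", "mountd", "nlockmgr"} <= names


if __name__ == "__main__":
    regs = parse_rpcinfo(SAMPLE_RPCINFO)
    print(f"{len(regs)} registrations; NFS present: {nfs_present(regs)}")
    for name, endpoints in sorted(exposed_services(regs).items()):
        print(f"  {name:<11} {sorted(endpoints)}")
    print("block at firewall:", sorted(firewall_ports(regs)))
```

Run it against live output with rpcinfo -p hostname piped into parse_rpcinfo; the firewall_ports result is the list to compare against the perimeter rule set, and any endpoint in it that is reachable from outside is a finding. Because the registered ports (759, 761, 1042, 1629 and so on) are assigned by the kernel and change across reboots, the audit has to be re-run rather than baked into a static rule, which is why the text recommends blocking the service outright rather than individual ports.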



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004
Pages: 189