# Portmapper - Port 111/TCP/UDP


## Basic info

Port 111 is associated with the RPCbind (Portmapper) service, a critical component in Unix-based systems that maps RPC (Remote Procedure Call) services to port numbers. It is often exploited by attackers to gather information about the target system, such as its operating system, RPC-based services (e.g., NFS, NIS), and even user details.

**Default Port**: 111/TCP/UDP

**Other Ports**: 32771 (in Oracle Solaris systems)

**Associated Services**: RPCbind, NFS, NIS, rusersd

***

## **Enumeration Techniques**

### **Nmap**

Start with a combined TCP SYN (`-sS`), UDP (`-sU`) and default-script (`-sC`) Nmap scan of port 111 to gather initial information about the service:

```bash
nmap -sSUC -p 111 <Target>
```

### **NSE Scripts in Nmap**

Leverage Nmap's built-in NSE scripts to enumerate NFS exports through RPC:

```bash
nmap -sV --script=nfs-ls,nfs-statfs,nfs-showmount -p 111,2049 <target-ip>
```

### **Rpcinfo**

Use the `rpcinfo` tool to query the RPCbind service for additional details:

```bash
rpcinfo -p <target-ip>
```

Example output:

```
program vers proto   port
100000    2   tcp    111  portmapper
100005    1   udp    2049  mountd
```

The presence of services like `mountd` indicates that NFS is in use and might be exploitable.
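
To review what a host you administer registers with rpcbind, the following added example (not part of the original page) parses `rpcinfo -p` output and reports the RPC programs this page names (NFS, mountd, NIS, rusersd), matching on program number because the name column can be empty. The sample output is constructed, and the `RISKY` table, the function names and the reason strings are assumptions of this example.

```python
import sys

# Standard RPC program numbers for the services this page names.
# The reason strings are this example's own wording.
RISKY = {
    100002: ("rusersd", "discloses logged-in users"),
    100003: ("nfs", "file sharing; review exports"),
    100004: ("ypserv", "NIS server; maps can expose password hashes"),
    100005: ("mountd", "lists and mounts NFS exports"),
    100007: ("ypbind", "NIS client binding"),
}

# Constructed sample of `rpcinfo -p` output, not taken from a real host.
SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100002    2   udp  32772
    100024    1   tcp  45123  status
"""

def parse_rpcinfo(text):
    """Yield (program, version, proto, port) for each data row."""
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a numeric data row.
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        try:
            yield int(fields[0]), int(fields[1]), fields[2], int(fields[3])
        except ValueError:
            continue

def audit(text):
    """Return {service: sorted 'proto/port' list} for registered risky programs."""
    found = {}
    for prog, _vers, proto, port in parse_rpcinfo(text):
        if prog in RISKY:
            found.setdefault(RISKY[prog][0], set()).add(f"{proto}/{port}")
    return {name: sorted(eps) for name, eps in found.items()}

if __name__ == "__main__":
    # Pipe real output in (rpcinfo -p <host> | python3 script.py) or run on the sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, endpoints in sorted(audit(data).items()):
        reason = next(r for n, r in RISKY.values() if n == name)
        print(f"{name:8} {', '.join(endpoints):24} {reason}")
```

Any service it reports that the host does not need is a candidate for disabling or for filtering at the firewall together with port 111.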

### **Metasploit for RPC Enumeration**

Use Metasploit’s auxiliary modules for RPC enumeration:

```
use auxiliary/scanner/misc/rpcinfo
set RHOSTS <target-ip>
run
```

Metasploit automates the extraction of program and version information.

***

## **Exploitation Techniques**

### **RPCBind + NFS**

If NFS is discovered (commonly on port 2049), use the following tools for further exploitation:

1. **Showmount**\
   Enumerate exported NFS shares:

   ```bash
   showmount -e <target-ip>
   ```
2. **Mount the Share**\
   Mount the NFS share locally:

   ```bash
   mount -t nfs <target-ip>:/share /mnt
   ```
3. **Explore Files**\
   After mounting, look for sensitive files such as SSH keys, credentials, or configurations.

***

## **NIS Enumeration**

Querying NIS requires identifying the domain name and the server. Use these commands to enumerate:

```bash
# Install the NIS client tools (Debian/Ubuntu)
apt-get install nis
# Confirm which NIS server answers for the domain
ypwhich -d <domain-name> <server-ip>
# Extract sensitive data (e.g., user credentials)
ypcat -d <domain-name> -h <server-ip> passwd.byname
```

Output from `ypcat` can reveal hashed passwords. Crack them with tools like **John the Ripper**:

```bash
john --wordlist=<wordlist> <hash-file>
```

***

## **RPC Users**

Identify and exploit rusersd to enumerate users:

```bash
rpcinfo -p <target-ip> | grep rusersd
```

Tools like `rusers` provide user enumeration:

```bash
rusers <target-ip>
```

