Portmapper - Port 111/TCP/UDP

Support VeryLazyTech 🎉

Become VeryLazyTech member! 🎁
Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
Visit our shop for e-books and courses. 📚
Support us and buy me a coffee. ☕

Basic info

Port 111 is associated with the RPCbind (Portmapper) service, a critical component in Unix-based systems that maps RPC (Remote Procedure Call) services to port numbers. It is often exploited by attackers to gather information about the target system, such as its operating system, RPC-based services (e.g., NFS, NIS), and even user details.

Default Port: 111/TCP/UDP

Other Ports: 32771 (in Oracle Solaris systems)

Associated Services: RPCbind, NFS, NIS, rusersd

Enumeration Techniques

Nmap

Start with an aggressive Nmap scan to gather initial information about the service:

nmap -sSUC -p 111 <Target>

NSE Scripts in Nmap

Leverage Nmap's built-in NSE scripts for RPC enumeration:

nmap -sV --script=nfs-ls,nfs-statfs,nfs-showmount -p 111,2049 <target-ip>

Rpcinfo

Use the rpcinfo tool to query the RPCbind service for additional details:

rpcinfo -p <target-ip>

Example output:

program vers proto   port
100000    2   tcp    111  portmapper
100005    1   udp    2049  mountd

The presence of services like mountd indicates NFS might be exploitable.

Metasploit for RPC Enumeration

Use Metasploit’s auxiliary modules for RPC enumeration:

use auxiliary/scanner/misc/rpcinfo
set RHOSTS <target-ip>
run

Metasploit automates the extraction of program and version information.

Exploitation Techniques

RPCBind + NFS

If NFS is discovered (commonly on port 2049), use the following tools for further exploitation:

Showmount Enumerate exported NFS shares:
```
showmount -e <target-ip>
```
Mount the Share Mount the NFS share locally:
```
mount -t nfs <target-ip>:/share /mnt
```
Explore Files After mounting, look for sensitive files such as SSH keys, credentials, or configurations.

NIS Enumeration

NIS requires identifying the domain name and server. Use these commands to enumerate:

apt-get install nis
ypwhich -d <domain-name> <server-ip>
# Extract sensitive data (e.g., user credentials)
ypcat -d <domain-name> -h <server-ip> passwd.byname

Output from ypcat can reveal hashed passwords. Crack them with tools like John the Ripper:

john --wordlist=<wordlist> <hash-file>

RPC Users

Identify and exploit rusersd to enumerate users:

rpcinfo -p <target-ip> | grep rusersd

Tools like rusers provide user enumeration:

rusers <target-ip>

Learn & practice For the OSCP.

Support VeryLazyTech 🎉

Become VeryLazyTech member! 🎁
Follow us on Twitter @VeryLazyTech, Github @VeryLazyTech, and Medium @VeryLazyTech.
Visit our shop for e-books and courses. 📚
Support us and buy me a coffee. ☕

PreviousPOP - Port 110/995 NextIdent - Port 113

Last updated 7 months ago

Was this helpful?