12.1 Enumerating Unix RPC Services

A number of interesting Unix daemons (including NIS+, NFS, and CDE components) run as Remote Procedure Call (RPC) services using dynamically assigned high ports. To keep track of registered endpoints and present clients with accurate details of listening RPC services, a portmapper service listens on TCP and UDP port 111.

The RPC portmapper (also known as rpcbind within Solaris) can be queried using the rpcinfo command found on most Unix-based platforms, as shown in Example 12-1.

Example 12-1. Using rpcinfo to list accessible RPC service endpoints

# rpcinfo -p
program vers proto port  service
100000   4    tcp  111   rpcbind
100000   4    udp  111   rpcbind
100024   1    udp  32772 status
100024   1    tcp  32771 status
100021   4    udp  4045  nlockmgr
100021   2    tcp  4045  nlockmgr
100005   1    udp  32781 mountd
100005   1    tcp  32776 mountd
100003   2    udp  2049  nfs
100011   1    udp  32822 rquotad
100002   2    udp  32823 rusersd
100002   3    tcp  33180 rusersd

In this example, you can find the following:

  • status (rpc.statd) on TCP port 32771 and UDP port 32772

  • nlockmgr (rpc.lockd) on TCP and UDP port 4045

  • nfsd on UDP port 2049

  • rquotad on UDP port 32822

  • rusersd on TCP port 33180 and UDP port 32823

These services can be accessed and queried directly using client software, including showmount and mount (to access mountd and nfsd) and rusers (to access rusersd, covered in Chapter 5).
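Under the hood, rpcinfo -p issues a single PMAPPROC_DUMP call to the portmapper (program 100000, version 2, procedure 4) and decodes the returned list of program/version/protocol/port mappings. The script below, added here and not taken from the book, builds that call, decodes the reply, and can be pointed at an audit host to confirm what the portmapper is exposing; the sample reply it decodes is constructed to mirror part of Example 12-1, and the transaction id is an arbitrary constant.

```python
import socket
import struct

PMAP_PORT, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 111, 100000, 2, 4   # portmapper on 111, DUMP procedure
IPPROTO_NAMES = {6: "tcp", 17: "udp"}


def build_dump_call(xid):
    """ONC RPC v2 CALL for PMAPPROC_DUMP with AUTH_NULL credential and verifier (40 bytes)."""
    return struct.pack(">10I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP, 0, 0, 0, 0)


def parse_dump_reply(data, xid):
    """Decode a DUMP reply into (program, version, proto, port) tuples, like rpcinfo -p."""
    rxid, msg_type, reply_stat = struct.unpack_from(">3I", data, 0)
    if rxid != xid or msg_type != 1 or reply_stat != 0:   # must be REPLY with MSG_ACCEPTED
        raise ValueError("unexpected RPC reply header")
    verf_len = struct.unpack_from(">I", data, 16)[0]
    off = 20 + ((verf_len + 3) & ~3)                       # skip XDR-padded verifier body
    if struct.unpack_from(">I", data, off)[0] != 0:        # accept_stat must be SUCCESS
        raise ValueError("RPC call not accepted")
    off += 4
    mappings = []
    while struct.unpack_from(">I", data, off)[0] == 1:     # pmaplist: 1 means another entry follows
        prog, vers, prot, port = struct.unpack_from(">4I", data, off + 4)
        mappings.append((prog, vers, IPPROTO_NAMES.get(prot, str(prot)), port))
        off += 20
    return mappings


def encode_dump_reply(xid, mappings):
    """Build a DUMP reply; used here only to construct a sample response for offline decoding."""
    out = struct.pack(">6I", xid, 1, 0, 0, 0, 0)            # REPLY, ACCEPTED, AUTH_NULL verf, SUCCESS
    for prog, vers, prot, port in mappings:
        out += struct.pack(">5I", 1, prog, vers, prot, port)
    return out + struct.pack(">I", 0)                       # 0 terminates the list


def query_portmapper(host, timeout=3.0):
    """Send DUMP over UDP to host:111 and return the endpoints the portmapper has registered."""
    xid = 0x1234ABCD
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dump_call(xid), (host, PMAP_PORT))
        data, _ = s.recvfrom(65535)
    return parse_dump_reply(data, xid)


# Constructed sample reply mirroring four rows of Example 12-1 (not captured from a real host).
SAMPLE_REPLY = encode_dump_reply(0x1234ABCD, [(100000, 4, 6, 111), (100024, 1, 17, 32772),
                                             (100005, 1, 6, 32776), (100003, 2, 17, 2049)])
```

Calling query_portmapper("<audit-host>") returns the same tuples that parse_dump_reply produces from SAMPLE_REPLY; a timeout instead of a reply is the expected result where port 111 is filtered, which is exactly the situation Section 12.1.1 addresses.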

12.1.1 Identifying RPC Services Without the Portmapper

In networks protected by firewalls and other mechanisms, access to the RPC portmapper service running on port 111 is often filtered. Therefore, determined attackers can scan high port ranges (UDP and TCP ports 32771 through 34000 on Solaris hosts) to identify RPC services that are open to direct attack.

You can run nmap with the -sR option to identify RPC services listening on high ports if the portmapper is inaccessible. Example 12-2 shows nmap in use against a Solaris 9 host behind a firewall filtering the portmapper and services below port 1024.

Example 12-2. Using nmap to find RPC services running on high ports

# nmap -sR

Starting nmap 3.45 ( http://www.insecure.org/nmap/)
Interesting ports on
PORT      STATE SERVICE                        VERSION
4045/tcp  open  nlockmgr (nlockmgr V1-4)       1-4 (rpc #100021)
6000/tcp  open  X11
6112/tcp  open  dtspc
7100/tcp  open  font-service
32771/tcp open  ttdbserverd (ttdbserverd V1)   1 (rpc #100083)
32772/tcp open  kcms_server (kcms_server V1)   1 (rpc #100221)
32773/tcp open  metad (metad V1)               1 (rpc #100229)
32774/tcp open  metamhd (metamhd V1)           1 (rpc #100230)
32775/tcp open  rpc.metamedd (rpc.metamedd V1) 1 (rpc #100242)
32776/tcp open  rusersd (rusersd V2-3)         2-3 (rpc #100002)
32777/tcp open  status (status V1)             1 (rpc #100024)
32778/tcp open  sometimes-rpc19
32779/tcp open  sometimes-rpc21
32780/tcp open  dmispd (dmispd V1)             1 (rpc #300598)