5.9 RPC rusers

The Unix rusers service is a Remote Procedure Call (RPC) service that listens on a dynamic TCP port. The rusers client utility first connects to the RPC portmapper on TCP port 111, which returns the whereabouts of the rusersd service if it is active.

During initial TCP port scans, if the RPC portmapper service isn't found to be accessible, it is highly unlikely that rusersd will be accessible. If, however, TCP or UDP port 111 is found to be accessible, the rpcinfo client can check for the presence of rusersd and other accessible RPC services, as shown in Example 5-17.

Example 5-17. Enumerating RPC services with rpcinfo

# rpcinfo -p 192.168.0.50

program vers proto port  service 

100000   4    tcp  111   rpcbind 

100000   4    udp  111   rpcbind 

100024   1    udp  32772 status 

100024   1    tcp  32771 status 

100021   4    udp  4045  nlockmgr 

100021   2    tcp  4045  nlockmgr 

100005   1    udp  32781 mountd 

100005   1    tcp  32776 mountd 

100003   2    udp  2049  nfs 

100011   1    udp  32822 rquotad 

100002   2    udp  32823 rusersd 

100002   3    tcp  33180 rusersd

If rusersd is running, you can probe the service with the rusers client (available on most Unix-based platforms) to retrieve a list of users logged into the system, as shown in Example 5-18.

Example 5-18. Gathering active user details through rusers

# rusers -l 192.168.0.50

Sending broadcast for rusersd protocol version 3...

Sending broadcast for rusersd protocol version 2...

james    onyx:console            Mar  3 13:03   22:03

amber    onyx:ttyp1              Mar  2 07:40

chris    onyx:ttyp5              Mar  2 10:35      14

al       onyx:ttyp6              Mar  2 10:48