111/TCP/UDP - Pentesting Portmapper

Reading time: 5 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Basic Information

Portmapper ni huduma inayotumika kwa ajili ya kuunganisha bandari za huduma za mtandao na nambari za programu za RPC (Remote Procedure Call). Inafanya kazi kama sehemu muhimu katika sistimu za Unix, ikirahisisha ubadilishanaji wa taarifa kati ya hizi sistimu. Bandari inayohusishwa na Portmapper mara nyingi inachunguzwa na washambuliaji kwani inaweza kufichua taarifa muhimu. Taarifa hizi zinajumuisha aina ya Unix Operating System (OS) inayotumika na maelezo kuhusu huduma zinazopatikana kwenye mfumo. Zaidi ya hayo, Portmapper mara nyingi hutumika pamoja na NFS (Network File System), NIS (Network Information Service), na huduma nyingine za RPC ili kusimamia huduma za mtandao kwa ufanisi.

Bandari ya kawaida: 111/TCP/UDP, 32771 katika Oracle Solaris

PORT STATE SERVICE 111/tcp open rpcbind

Uainishaji

rpcinfo irked.htb nmap -sSUC -p111 192.168.10.1

Wakati mwingine haitoi taarifa yoyote, katika matukio mengine utapata kitu kama hiki:

Shodan

  • port:111 portmap

RPCBind + NFS

Ikiwa unapata huduma ya NFS basi huenda utaweza kuorodhesha na kupakua (na labda kupakia) faili:

Soma 2049 - Pentesting NFS service kujifunza zaidi kuhusu jinsi ya kujaribu protokali hii.

NIS

Kuchunguza NIS udhaifu kunahusisha mchakato wa hatua mbili, ukianza na utambuzi wa huduma ypbind. Jiwe la msingi la uchunguzi huu ni kufichua jina la eneo la NIS, bila ambalo maendeleo yanakoma.

Safari ya uchunguzi inaanza kwa usakinishaji wa pakiti muhimu (apt-get install nis). Hatua inayofuata inahitaji kutumia ypwhich kuthibitisha uwepo wa seva ya NIS kwa kuipiga ping kwa jina la eneo na IP ya seva, kuhakikisha vipengele hivi vimefichwa kwa usalama.

Hatua ya mwisho na muhimu inahusisha amri ypcat kutoa data nyeti, hasa nywila za watumiaji zilizofichwa. Hash hizi, zikivunjwa kwa kutumia zana kama John the Ripper, zinafunua maarifa kuhusu ufikiaji wa mfumo na mamlaka.

bash
# Install NIS tools apt-get install nis # Ping the NIS server to confirm its presence ypwhich -d <domain-name> <server-ip> # Extract user credentials ypcat –d <domain-name> –h <server-ip> passwd.byname

NIF files

Master fileMap(s)Notes
/etc/hostshosts.byname, hosts.byaddrInajumuisha majina ya mwenyeji na maelezo ya IP
/etc/passwdpasswd.byname, passwd.byuidFaili ya nywila ya mtumiaji wa NIS
/etc/groupgroup.byname, group.bygidFaili ya kundi la NIS
/usr/lib/aliasesmail.aliasesMaelezo ya majina ya barua pepe

RPC Users

If you find the rusersd service listed like this:

You could enumerate users of the box. To learn how read 1026 - Pentesting Rsusersd.

Bypass Filtered Portmapper port

When conducting a nmap scan and discovering open NFS ports with port 111 being filtered, direct exploitation of these ports is not feasible. However, by simulating a portmapper service locally and creating a tunnel from your machine to the target, exploitation becomes possible using standard tools. This technique allows for bypassing the filtered state of port 111, thus enabling access to NFS services. For detailed guidance on this method, refer to the article available at this link.

Shodan

  • Portmap

Labs to practice

HackTricks Automatic Commands

Protocol_Name: Portmapper #Protocol Abbreviation if there is one. Port_Number: 43 #Comma separated if there is more than one. Protocol_Description: PM or RPCBind #Protocol Abbreviation Spelled out Entry_1: Name: Notes Description: Notes for PortMapper Note: | Portmapper is a service that is utilized for mapping network service ports to RPC (Remote Procedure Call) program numbers. It acts as a critical component in Unix-based systems, facilitating the exchange of information between these systems. The port associated with Portmapper is frequently scanned by attackers as it can reveal valuable information. This information includes the type of Unix Operating System (OS) running and details about the services that are available on the system. Additionally, Portmapper is commonly used in conjunction with NFS (Network File System), NIS (Network Information Service), and other RPC-based services to manage network services effectively. https://book.hacktricks.xyz/pentesting/pentesting-rpcbind Entry_2: Name: rpc info Description: May give netstat-type info Command: whois -h {IP} -p 43 {Domain_Name} && echo {Domain_Name} | nc -vn {IP} 43 Entry_3: Name: nmap Description: May give netstat-type info Command: nmap -sSUC -p 111 {IP}

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks