111/TCP/UDP - Pentesting Portmapper
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Portmapper ni huduma inayotumika kwa ajili ya kuunganisha bandari za huduma za mtandao na RPC (Remote Procedure Call) nambari za programu. Inafanya kazi kama sehemu muhimu katika sistimu za Unix, ikirahisisha ubadilishanaji wa taarifa kati ya hizi sistimu. Bandari inayohusishwa na Portmapper mara nyingi inachunguzwa na washambuliaji kwani inaweza kufichua taarifa muhimu. Taarifa hizi zinajumuisha aina ya Unix Operating System (OS) inayotumika na maelezo kuhusu huduma zinazopatikana kwenye mfumo. Zaidi ya hayo, Portmapper hutumiwa mara nyingi pamoja na NFS (Network File System), NIS (Network Information Service), na huduma nyingine za RPC ili kusimamia huduma za mtandao kwa ufanisi.
Bandari ya kawaida: 111/TCP/UDP, 32771 katika Oracle Solaris
Sometimes it doesn't give you any information, in other occasions you will get something like this:
port:111 portmap
If you find the service NFS then probably you will be able to list and download(and maybe upload) files:
Read 2049 - Pentesting NFS service to learn more about how to test this protocol.
Exploring NIS vulnerabilities involves a two-step process, starting with the identification of the service ypbind. The cornerstone of this exploration is uncovering the NIS domain name, without which progress is halted.
The exploration journey begins with the installation of necessary packages (apt-get install nis). The subsequent step requires using ypwhich to confirm the NIS server's presence by pinging it with the domain name and server IP, ensuring these elements are anonymized for security.
The final and crucial step involves the ypcat command to extract sensitive data, particularly encrypted user passwords. These hashes, once cracked using tools like John the Ripper, reveal insights into system access and privileges.
Master file | Map(s) | Notes |
/etc/hosts | hosts.byname, hosts.byaddr | Inajumuisha majina ya mwenyeji na maelezo ya IP |
/etc/passwd | passwd.byname, passwd.byuid | Faili ya nywila ya mtumiaji wa NIS |
/etc/group | group.byname, group.bygid | Faili ya kundi la NIS |
/usr/lib/aliases | mail.aliases | Maelezo ya majina ya barua pepe |
If you find the rusersd service listed like this:
You could enumerate users of the box. To learn how read 1026 - Pentesting Rsusersd.
When conducting a nmap scan and discovering open NFS ports with port 111 being filtered, direct exploitation of these ports is not feasible. However, by simulating a portmapper service locally and creating a tunnel from your machine to the target, exploitation becomes possible using standard tools. This technique allows for bypassing the filtered state of port 111, thus enabling access to NFS services. For detailed guidance on this method, refer to the article available at this link.
Portmap
Practice these techniques in the Irked HTB machine.
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
