Tuesday, August 24, 2010

RPC & portmapper (111 TCP + other UDP)

The portmapper service works like this: I would connect to the portmapper port and state that I want to use a specific RPC service; the portmapper would then reply and tell me which port to use. (RPC stands for remote procedure call: it is like executing a function on a remote machine and getting the output back.) The reverse is also true: if I want to write an RPC service, I must register it with the portmapper, so that a client that wants the service knows on which port I am listening. So what is the bottom line?

I could save myself a lot of portscanning trouble and just ask the portmapper what services are running on which ports. Obviously the portmapper service itself must be running, so I would first test for machines that have port 111 open. Assuming that I now have a machine with an open portmapper port, the following is done:
> rpcinfo -p 210.xxx.96.151
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100001 1 udp 1038 rstatd
100001 2 udp 1038 rstatd
100001 3 udp 1038 rstatd
100002 1 udp 1040 rusersd
100002 2 udp 1040 rusersd
100008 1 udp 1042 walld
100012 1 udp 1044 sprayd
150001 1 udp 1046 pcnfsd
150001 2 udp 1046 pcnfsd
100083 1 tcp 1026 ttdbserver
100068 2 udp 1048 cmsd
100068 3 udp 1048 cmsd
100068 4 udp 1048 cmsd
100068 5 udp 1048 cmsd
100003 2 udp 2049 nfs
100005 1 udp 785 mountd
100005 1 tcp 787 mountd
100024 1 udp 989 status
100024 1 tcp 991 status
100021 1 tcp 840 nlockmgr
100021 1 udp 842 nlockmgr
100021 3 tcp 845 nlockmgr
100021 3 udp 847 nlockmgr
100020 1 udp 850 llockmgr
100020 1 tcp 852 llockmgr
100021 2 tcp 855 nlockmgr
1342177279 3 tcp 1067
1342177279 1 tcp 1067
- 61 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]

From this we can see which RPC services the host is running. A very interesting service to see running is NFS (network file system). Maybe the host is exporting some interesting NFS "shares"? Let us have a look:
> showmount -a 210.xxx.96.151
All mount points on 210.xxx.96.151:
xxx.com.tw:/HUANGFS
xxx.com.tw:/HUANGFS
xxx.com.tw:/HUANGFS
We can see that this host only exports the shares to specific machines (in Taiwan), not to the rest of the world, so it is pretty useless to even try to mount these "shares" on our host. Maybe I'll look for a host with some public shares, and then we'll look at mounting those. OK... here goes:
> showmount -e 128.xxx.135.52
Exports list on 128.xxx.135.52:
/install_2.6 Everyone
/export/install Everyone
/psrc rcd_hosts
/usr/share/opt rcd_hosts xxx.edu
/usr/share/opt2.5 rcd_hosts
/scratch7 rcd_hosts
/pucc rcd_hosts xxx.edu
/home/helios/u52 rcd_all
/home/helios/u51 rcd_all
# mount_nfs 128.xxx.135.52:/export/install /mnt
# cd /mnt
# ls


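The two listings above (rpcinfo -p and showmount -e) are exactly what a defender should be reading on their own hosts. The following is an added example, not code from the original text or from SensePost: it parses both outputs, collapses the per-version rpcinfo rows into one entry per service and port, flags the programs the text singles out (nfs, ttdbserver, cmsd, rusersd, rstatd, walld) using the program numbers from the listing, and reports exports that are open to everyone. The sample inputs are constructed from the page's listings; the "(everyone)" and "*" export markers are assumed forms printed by other showmount builds.

```python
import re

# RPC program numbers from the page's rpcinfo listing and why a defender cares.
RPC_OF_CONCERN = {
    100003: ("nfs", "exports reachable over the network; check showmount -e"),
    100083: ("ttdbserver", "known remote code execution problems; patch or disable"),
    100068: ("cmsd", "known remote code execution problems; patch or disable"),
    100002: ("rusersd", "leaks logged-in usernames"),
    100001: ("rstatd", "leaks uptime and load"),
    100008: ("walld", "lets remote hosts write to every user's console"),
}
# "Everyone" is the form on the page; "(everyone)" and "*" are assumed other forms.
WORLD = {"Everyone", "(everyone)", "*"}
RPC_LINE = re.compile(r"\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)")

def parse_rpcinfo(text):
    """Parse 'rpcinfo -p' output; the name column may be empty for unknown programs."""
    out = []
    for line in text.splitlines():
        if m := RPC_LINE.match(line):
            out.append({"program": int(m[1]), "version": int(m[2]),
                        "proto": m[3], "port": int(m[4]), "name": m[5]})
    return out

def parse_exports(text):
    """Parse 'showmount -e' output into {path: [allowed hosts or netgroups]}."""
    rows = [line.split() for line in text.splitlines() if line.startswith("/")]
    return {row[0]: row[1:] for row in rows}

def audit(rpc_text, exports_text):
    """Return ([(name, proto, port, why)] sorted by port, [world-readable export paths])."""
    hits = set()  # one entry per program/proto/port, however many versions are registered
    for s in parse_rpcinfo(rpc_text):
        if s["program"] in RPC_OF_CONCERN:
            name, why = RPC_OF_CONCERN[s["program"]]
            hits.add((name, s["proto"], s["port"], why))
    world = [p for p, hosts in parse_exports(exports_text).items() if WORLD & set(hosts)]
    return sorted(hits, key=lambda h: h[2]), world

# Constructed samples, trimmed from the two listings on the page.
SAMPLE_RPCINFO = """   program vers proto   port
    100068    2   udp   1048  cmsd
    100068    3   udp   1048  cmsd
    100003    2   udp   2049  nfs
    100083    1   tcp   1026  ttdbserver
1342177279    3   tcp   1067
"""
SAMPLE_EXPORTS = "Exports list on 128.xxx.135.52:\n/install_2.6 Everyone\n/export/install Everyone\n/psrc rcd_hosts\n"
```

Feed it the real output of rpcinfo -p and showmount -e against your own hosts; the unnamed program in the sample (1342177279) shows that the parser keeps registrations even when the portmapper has no name for them.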
Let us move on to some of the other services. One of the other services that you would notice is "rusers". Rusers is much the same as finger: there ain't that many tricks with rusers, but it would give you a list of users active on the host. It is very useful when the finger service is not running, or when it is blocked, and you need some usernames.

> rusers -al 210.xxx.96.151
Damn - no users logged on. Let us see if we can't find a host somewhere on the 'net with users logged on:
# rusers -al 128.xxx.135.109
wgw xxx.edu:console Sep 19 16:11 :53 (:0)
(confirming:)

> finger @128.xxx.135.109
[128.xxx.135.109]
Login Name TTY Idle When Where
wgw William Wolber console 1:06 Tue 09:11 :0

Another RPC service that is quite cute is the rstatd server. This service gives some (kinda useless) information such as uptime and load:
> rup 210.xxx.96.151
210.xxx.96.151 1:17am up 4 days, 22:14, load average: 0.00 0.00 0.01
Should I wish to, I could write a message to all the users logged in on the host using the rwall command (now... I wouldn't want to do that, would I, but it would look like this):
>rwall 210.xxx.96.151
Greetings from South Africa!
^D
>

This command would write the above message to the consoles of all users connected to the host. Using this command in a loop has obvious annoying effects.
Another RPC service that is not mentioned here is the Yellow Pages system (YP). YP was quite popular at some stage in large corporations and universities, but it is rare to see it today. For a very nice discussion of ways to get juicy information from YP, the best document must be Dan Farmer's "Improving the Security of Your Site by Breaking Into it"; you can find it here (http://www.ussrback.com/docs/papers/unix/farmer.txt).
The more serious problem with RPC services is that some of them are exploitable. The "ttdbserver" and "cmsd" services have known problems that would allow an attacker to execute any command on the host. These exploits are very OS dependent, but also very real... check your local exploit database for the goodies.
