Hacktricks-skills rpcbind-pentesting

How to enumerate and exploit RPCBind/Portmapper services (port 111) during network penetration testing. Use this skill whenever you're scanning a target and find port 111 open, or when you need to enumerate RPC services, NFS shares, or NIS domains. Trigger this skill for any RPC-related reconnaissance, NFS exploitation, NIS password extraction, or when port 111 appears filtered but you suspect RPC services are running.

Install
Source: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/network-services-pentesting/pentesting-rpcbind/SKILL.MD

Source content

RPCBind/Portmapper Pentesting

What is RPCBind?

RPCBind (also called Portmapper) is the service that maps RPC (Remote Procedure Call) program numbers to the network ports their services listen on. It is a core component of Unix-like systems: an RPC client asks it which port a given program is registered on before talking to that program.

Default ports: 111/TCP/UDP (32771 in Oracle Solaris)

Why it matters: Port 111 is frequently scanned by attackers because it reveals:

  • The type of Unix OS running
  • Available services on the system
  • NFS, NIS, and other RPC-based service details

Enumeration Techniques

Basic RPCInfo Enumeration

Start with rpcinfo to list registered RPC services:

# Basic enumeration
rpcinfo <target>
rpcinfo -p <target>

# Example
rpcinfo irked.htb
rpcinfo -p 192.168.10.1

Advanced RPCInfo Usage

When TCP/111 is filtered, try UDP to pull the program list:

# Pull UDP program list even when TCP/111 is filtered
rpcinfo -T udp -p <target>

# Immediately check for world-readable NFS exports
showmount -e <target>

Nmap NSE Scripts

Use Nmap's RPC scripts for exhaustive mapping:

# Classic scan with RPC scripts
nmap --script=rpcinfo,rpc-grind -p111 <target>

# Multi-threaded brute-force of RPC program numbers
nmap --script=rpcinfo,rpc-grind --script-args 'rpc-grind.threads=8' -p111 <target>

# Basic port scan
nmap -sSUC -p111 <target>

What rpc-grind does: it hammers the portmapper with null calls that walk the nmap-rpc database, extracting supported versions when the remote daemon replies with "can't support version". This often reveals quietly registered services like rusersd, rquotad, or custom daemons.
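On the receiving side, the same null-call walk is easy to spot: one source hits port 111 over UDP and TCP many times in a few seconds and then moves on to the RPC service ports it learned about. The Python below is an added detection example for this page, not code from hacktricks-skills or from Nmap; the log lines are constructed in the Linux netfilter LOG-target format, and the threshold, window and RPC_SERVICE_PORTS set are assumptions to tune per site.

```python
"""Flag sources that hammer the portmapper (port 111) in firewall logs.
Added detection example for this page, not code from hacktricks-skills;
the log lines are constructed in the Linux netfilter LOG-target format."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: 203.0.113.5 bursts six requests at 111/udp and 111/tcp
# and then touches NFS (2049); 198.51.100.7 behaves like a normal NFS client.
SAMPLE_LOG = """\
Jan 12 10:00:01 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=51234 DPT=111 LEN=48
Jan 12 10:00:01 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=51235 DPT=111 LEN=48
Jan 12 10:00:02 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=111 LEN=60
Jan 12 10:00:02 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51237 DPT=111 LEN=60
Jan 12 10:00:03 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=51238 DPT=111 LEN=48
Jan 12 10:00:03 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51239 DPT=111 LEN=60
Jan 12 10:00:10 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51240 DPT=2049 LEN=60
Jan 12 10:01:00 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=702 DPT=111 LEN=48
Jan 12 10:01:01 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=703 DPT=2049 LEN=60
Jan 12 10:02:00 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 LEN=60
"""

PORTMAPPER_PORT = 111
RPC_SERVICE_PORTS = {2049}  # NFS; extend with the ports rpcinfo -p shows on your hosts (assumption)

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Return one event dict per line the regex understands; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # year-less syslog stamp
            "src": m["src"],
            "proto": m["proto"],
            "dpt": int(m["dpt"]),
        })
    return events


def max_hits_in_window(times, window_s):
    """Largest number of (sorted) timestamps that fall inside any span of window_s seconds."""
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_portmapper_scans(events, threshold=5, window_s=60):
    """Map source IP -> finding for sources with at least `threshold` portmapper
    hits inside `window_s` seconds; also records RPC service ports hit afterwards."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        pm = [e for e in evs if e["dpt"] == PORTMAPPER_PORT]
        burst = max_hits_in_window([e["ts"] for e in pm], window_s)
        if burst < threshold:
            continue  # a normal client asks the portmapper once or twice
        first = pm[0]["ts"]
        findings[src] = {
            "portmapper_hits": burst,
            "protocols": sorted({e["proto"] for e in pm}),
            "followed_by": sorted({e["dpt"] for e in evs
                                   if e["dpt"] in RPC_SERVICE_PORTS and e["ts"] >= first}),
        }
    return findings


if __name__ == "__main__":
    for src, finding in detect_portmapper_scans(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

A normal NFS client produces one or two portmapper lookups and then talks to 2049, so the burst count rather than the mere presence of port-111 traffic is what separates enumeration from legitimate use.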

Shodan Search

port:111 portmap

RPCBind + NFS Exploitation

If you find NFS services registered through RPCBind, you can likely list and download (and possibly upload) files.

# List NFS exports
showmount -e <target>

# Mount NFS share
mount -t nfs <target>:/<export> /mnt/nfs

# Or use nfsclient
nfsclient <target>:/<export> /mnt/nfs

Note: For detailed NFS exploitation techniques, see the NFS pentesting documentation.
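Whether an export that shows up in showmount -e can actually be read or written from an arbitrary host is decided by /etc/exports on the server. The Python below is an added example for this page, not code from hacktricks-skills or nfs-utils: it parses exports syntax and flags the settings that make an export freely readable or writable, with a constructed weak file beside a hardened version of the same exports. The issue wording and the choice of options to flag are assumptions.

```python
"""Audit /etc/exports for settings that turn a listed NFS export into a free
file download (or upload). Added example for this page, not code from
hacktricks-skills or nfs-utils; both files below are constructed."""
import re

# Constructed: everything to everybody, and remote root keeps uid 0
WEAK_EXPORTS = """\
/srv/share   *(rw,sync,no_root_squash)
/home        192.168.10.0/24(rw,sync,no_root_squash)
/data        *(ro,sync)
"""

# Constructed: same exports restricted to the client subnet, root squashed
HARDENED_EXPORTS = """\
/srv/share   192.168.10.0/24(rw,sync,root_squash,secure)
/home        192.168.10.0/24(rw,sync,root_squash,secure)
/data        192.168.10.5(ro,sync,root_squash,secure)
"""

# client spec looks like  host(opt,opt)  or  host  or  (opt,opt)
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return (path, client, options) per client spec. A spec with no client
    part, such as `(rw)`, applies to any host, which exportfs reports as `*`."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = CLIENT_RE.match(spec)
            client = m.group(1) or "*"
            options = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            out.append((path, client, options))
    return out


def is_wildcard(client):
    """`*`, `*.example.com`, `host?` and similar match more than one named host."""
    return client == "*" or any(ch in client for ch in "*?")


def audit_exports(text):
    """Return (path, client, issue) triples; an empty list means nothing flagged."""
    findings = []
    for path, client, options in parse_exports(text):
        if is_wildcard(client):
            findings.append((path, client, "exported to a wildcard client"))
            if "rw" in options:
                findings.append((path, client, "writable by a wildcard client"))
        if "no_root_squash" in options:
            findings.append((path, client, "no_root_squash: remote root keeps uid 0"))
        if "insecure" in options:
            findings.append((path, client, "insecure: accepts client source ports above 1024"))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(WEAK_EXPORTS):
        print("WEAK:", *finding)
    print("hardened findings:", audit_exports(HARDENED_EXPORTS))
```

Run it against a copy of a server's /etc/exports (or the output of exportfs -v, which prints the effective options) to see which of the exports an attacker would find with showmount -e are also mountable from anywhere.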

NIS (Network Information Service) Exploitation

NIS vulnerabilities involve a two-step process: identify the ypbind service, then uncover the NIS domain name.

Step 1: Install NIS Tools

apt-get install nis

Step 2: Confirm NIS Server Presence

# Ping the NIS server with domain name and server IP
ypwhich -d <domain-name> <server-ip>

Step 3: Extract Sensitive Data

# Extract user credentials (encrypted passwords)
ypcat -d <domain-name> -h <server-ip> passwd.byname

# Extract other maps
ypcat -d <domain-name> -h <server-ip> hosts.byname
ypcat -d <domain-name> -h <server-ip> group.byname

NIS Map Files Reference

Master file         Map(s)                         Notes
/etc/hosts          hosts.byname, hosts.byaddr     Hostnames and IP details
/etc/passwd         passwd.byname, passwd.byuid    NIS user password file
/etc/group          group.byname, group.bygid      NIS group file
/usr/lib/aliases    mail.aliases                   Mail aliases

After extraction: Crack the password hashes using John the Ripper or Hashcat to reveal system access credentials.
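The reason ypcat hands over passwd.byname to anyone who knows the domain name is usually the server's securenets file: the stock /var/yp/securenets many distributions ship contains a `0.0.0.0 0.0.0.0` line that admits every host. The Python below is an added example for this page, not code from hacktricks-skills or ypserv; it parses the securenets format (`netmask network` pairs, or `host address`) and flags entries that are world-open or wider than an assumed /16 threshold. Both files are constructed.

```python
"""Audit /var/yp/securenets (ypserv.securenets) for entries that let any host
query NIS maps. Added example for this page, not code from hacktricks-skills
or from ypserv; the two files are constructed."""
import ipaddress

# Constructed: the stock file many distributions ship, which admits everybody
DEFAULT_SECURENETS = """\
# netmask          network
255.0.0.0          127.0.0.0
# This line gives access to everybody. PLEASE ADJUST!
0.0.0.0            0.0.0.0
"""

# Constructed: loopback plus the one client subnet and one named host
HARDENED_SECURENETS = """\
255.0.0.0          127.0.0.0
255.255.255.0      192.168.10.0
host               192.168.10.5
"""


def parse_securenets(text):
    """Return an ip_network per entry; `host a.b.c.d` is the /32 shorthand."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments and blank lines
        if not line:
            continue
        mask, addr = line.split()
        if mask == "host":
            nets.append(ipaddress.ip_network(addr))
        else:
            # ip_network accepts dotted netmasks for IPv4, e.g. 192.168.10.0/255.255.255.0
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def audit_securenets(text, widest_ok_prefix=16):
    """Return (network, reason) pairs for entries that are too permissive.
    The /16 threshold is an assumption; tune it to the site's NIS client ranges."""
    findings = []
    for net in parse_securenets(text):
        if net.prefixlen == 0:
            findings.append((str(net), "grants every IPv4 host access to all maps"))
        elif net.prefixlen < widest_ok_prefix and not net.is_loopback:
            findings.append((str(net), f"/{net.prefixlen} is wider than /{widest_ok_prefix}"))
    return findings


if __name__ == "__main__":
    print("default :", audit_securenets(DEFAULT_SECURENETS))
    print("hardened:", audit_securenets(HARDENED_SECURENETS))
```

Restricting securenets does not make the maps secret to the hosts that remain listed, so the password hashes a legitimate client can pull with ypcat are still only as strong as the hashing and the passwords themselves.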

RPC Users Enumeration

If you find the rusersd service listed in RPCInfo output, you can enumerate users on the target system.

# Check for rusersd in rpcinfo output
rpcinfo -p <target>

# Look for program 100003 (rusersd)

Bypassing Filtered Portmapper Port

When port 111 is filtered but NFS ports are open, you can bypass the filter by simulating a portmapper service locally and creating a tunnel.

Technique:

  1. Simulate a portmapper service on your local machine
  2. Create a tunnel from your machine to the target
  3. Use standard tools to exploit the NFS services

This allows exploitation even when port 111 appears filtered.

Practical Examples

Example 1: Basic Enumeration

# Target: 10.10.10.10
rpcinfo -p 10.10.10.10

# Output might show:
# program vers proto   port  service
# 100000  2   tcp    111  portmapper
# 100000  2   udp    111  portmapper
# 100003  2   tcp    1026  rusersd
# 100005  1   tcp    2049  nfs
# 100005  1   udp    2049  nfs
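The same rpcinfo -p output is what a defender should review when deciding whether filtering port 111 is enough. As the earlier section on the filtered-portmapper bypass notes, a service such as NFS on its fixed port stays reachable whether or not the portmapper answers. The Python below is an added example for this page, not code from hacktricks-skills or from rpcinfo: it parses rpcinfo -p rows, flags the services this page singles out, and lists the ones on fixed or privileged ports that a client can use without a portmapper lookup. The sample output, the WATCHLIST and the FIXED_PORTS set are constructed assumptions; services are matched on the name column, not on program number.

```python
"""Parse `rpcinfo -p` output and report which registered RPC services matter to
a defender reviewing exposure. Added example for this page, not code from
hacktricks-skills or from rpcinfo; the sample output below is constructed."""
from collections import defaultdict

# Constructed sample in the Linux `rpcinfo -p <target>` output format
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  41587  nlockmgr
    100021    4   tcp  35733  nlockmgr
    100024    1   udp  44491  status
    100011    1   udp    875  rquotad
"""

# Services whose presence deserves follow-up (assumed list; keyed on the name
# column so it works regardless of how a given rpcinfo build labels programs)
WATCHLIST = {
    "nfs": "NFS server: review exports and root_squash",
    "mountd": "NFS mount daemon: exports are listable with showmount -e",
    "rusersd": "reveals logged-in user names",
    "ypserv": "NIS server: maps such as passwd.byname are readable by clients",
    "ypbind": "NIS client: the host participates in a NIS domain",
    "rquotad": "NFS quota daemon: confirms NFS is in use",
}

# Ports a client can use with no portmapper lookup (assumption: the privileged
# range plus the fixed ports Linux nfs-utils uses for nfs and mountd)
FIXED_PORTS = {2049, 20048}


def parse_rpcinfo(text):
    """Return one dict per data row of `rpcinfo -p`, skipping the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # header or blank line
        rows.append({
            "program": int(parts[0]),
            "version": int(parts[1]),
            "proto": parts[2],
            "port": int(parts[3]),
            # rpcinfo leaves the service column empty for programs it cannot name
            "service": parts[4] if len(parts) > 4 else "unknown",
        })
    return rows


def assess(rows):
    """Group rows by service and report watchlist hits and fixed-port services."""
    services = defaultdict(lambda: {"ports": set(), "versions": set()})
    for r in rows:
        services[r["service"]]["ports"].add((r["proto"], r["port"]))
        services[r["service"]]["versions"].add(r["version"])
    flagged = {name: WATCHLIST[name] for name in services if name in WATCHLIST}
    fixed = sorted(
        name for name, info in services.items()
        if name != "portmapper"
        and any(port < 1024 or port in FIXED_PORTS for _, port in info["ports"])
    )
    return {"services": dict(services), "flagged": flagged, "fixed_port_services": fixed}


if __name__ == "__main__":
    report = assess(parse_rpcinfo(SAMPLE_RPCINFO))
    for name, why in report["flagged"].items():
        print(f"{name:10} {sorted(report['services'][name]['ports'])}  {why}")
    print("reachable without portmapper:", report["fixed_port_services"])
```

Services that appear only in fixed_port_services with a blocked port 111 are the ones a host-based or perimeter filter on 111 alone does not protect; filter or firewall those ports as well, or unregister the service.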

Example 2: NIS Password Extraction

# Install tools
apt-get install nis

# Find NIS domain and server
ypwhich -d <domain> <server-ip>

# Extract password hashes
ypcat -d <domain> -h <server-ip> passwd.byname > passwd_hashes.txt

# Crack with John
john --wordlist=/usr/share/wordlists/rockyou.txt passwd_hashes.txt

Example 3: Nmap RPC Scan

# Comprehensive RPC scan
nmap --script=rpcinfo,rpc-grind --script-args 'rpc-grind.threads=8' -p111 192.168.1.100

# Output shows all registered RPC programs and versions

Common RPC Program Numbers

Program      Number   Service
portmapper   100000   RPCBind
rusersd      100003   Remote Users
nfs          100005   Network File System
mountd       100005   NFS Mount
ypserv       100004   NIS Server
ypbind       100004   NIS Client

Labs to Practice

  • Irked HTB Machine: Practice these techniques on the Irked HackTheBox machine

Quick Reference Commands

# Basic enumeration
rpcinfo -p <target>

# UDP enumeration (when TCP filtered)
rpcinfo -T udp -p <target>

# Nmap RPC scan
nmap --script=rpcinfo,rpc-grind -p111 <target>

# NFS exports
showmount -e <target>

# NIS password extraction
ypcat -d <domain> -h <server-ip> passwd.byname

# NIS server discovery
ypwhich -d <domain> <server-ip>
