22 changes: 18 additions & 4 deletions src/network-services-pentesting/pentesting-rpcbind.md
Expand Up @@ -25,6 +25,19 @@ Sometimes it doesn't give you any information, in other occasions you will get s

![](<../images/image (553).png>)

### Advanced `rpcinfo` usage

Leverage `rpcinfo -T udp -p <target>` to pull the UDP program list even when TCP/111 is filtered, then immediately run `showmount -e <target>` to spot world-readable NFS exports registered through rpcbind.

```bash
rpcinfo -T udp -p 10.10.10.10
showmount -e 10.10.10.10
```

### Exhaustive mapping with Nmap NSE

Pair the classic scan with `nmap --script=rpcinfo,rpc-grind -p111 <target>` to brute-force RPC program numbers. `rpc-grind` hammers the portmapper with null calls that walk the `nmap-rpc` database, extracting supported versions whenever the remote daemon replies with "can't support version," which often reveals quietly registered services such as rusersd, rquotad or custom daemons. Multi-threading via `--script-args 'rpc-grind.threads=8'` speeds up large targets while the companion `rpcinfo` script prints human-readable tables you can diff against host baselines.

### Shodan

- `port:111 portmap`
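Review bot: the `rpc-grind` description in the new `### Exhaustive mapping with Nmap NSE` paragraph is inaccurate: the script does not "hammer the portmapper" and does not brute-force program numbers through it; it fingerprints individual RPC service ports by sending NULL calls with a deliberately unsupported version number for each program in `nmap-rpc` and reading the PROG_MISMATCH ("can't support version") reply, and it skips ports version detection has already identified as RPC. With `-p111` alone it therefore has nothing to grind. Suggest pointing it at the ports rpcbind reports (or a wider scan), e.g. `nmap -sV --script=rpcinfo,rpc-grind -p 111,2049,<ports from rpcinfo -p> <target>`, and rewording the sentence so that the `rpcinfo` script is what queries the portmapper and `rpc-grind` is what fingerprints unregistered or anonymous RPC ports. Second, in `### Advanced rpcinfo usage`, `rpcinfo -p` already queries the portmapper over UDP in the libtirpc implementation, so `-T udp` is not what gets around a filtered TCP/111; either state plainly that `-p` uses UDP, or show `-T udp` with the `host prognum [versnum]` form where the flag actually selects the transport.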
Expand All @@ -35,7 +48,7 @@ If you find the service NFS then probably you will be able to list and download(

![](<../images/image (872).png>)

Read[ 2049 - Pentesting NFS service](nfs-service-pentesting.md) to learn more about how to test this protocol.
Read [2049 - Pentesting NFS service](nfs-service-pentesting.md) to learn more about how to test this protocol.

## NIS

Expand Down Expand Up @@ -77,9 +90,6 @@ You could enumerate users of the box. To learn how read [1026 - Pentesting Rsuse

When conducting a **nmap scan** and discovering open NFS ports with port 111 being filtered, direct exploitation of these ports is not feasible. However, by **simulating a portmapper service locally and creating a tunnel from your machine** to the target, exploitation becomes possible using standard tools. This technique allows for bypassing the filtered state of port 111, thus enabling access to NFS services. For detailed guidance on this method, refer to the article available at [this link](https://medium.com/@sebnemK/how-to-bypass-filtered-portmapper-port-111-27cee52416bc).

## Shodan

- `Portmap`

## Labs to practice

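Review bot: removing the second `## Shodan` heading is right (it duplicated the new `### Shodan` under enumeration), but the dropped query `Portmap` is not the same search as the retained `port:111 portmap`; fold it into the new section as a second bullet so no query is lost.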
Expand Down Expand Up @@ -112,6 +122,10 @@ Entry_3:
Command: nmap -sSUC -p 111 {IP}
```

## References

- [Nmap NSE: rpc-grind](https://nmap.org/nsedoc/scripts/rpc-grind.html)

{{#include ../banners/hacktricks-training.md}}


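Review bot: the new `## References` list cites only rpc-grind, while the text added in this PR also relies on the `rpcinfo` NSE script and on rpcinfo(8) flag behaviour (`-T`, `-p`); add `https://nmap.org/nsedoc/scripts/rpcinfo.html` and the rpcinfo man page so those claims can be checked, and consider placing the section before the banner include, as it is here, consistently across the repo.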