111/TCP/UDP - Pentesting Portmapper

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

Portmapper is a service used to map network service ports to RPC program numbers. It is a critical component on Unix-based systems, facilitating the exchange of information between them. The port associated with Portmapper is frequently scanned by attackers because it can reveal valuable information: the type of Unix operating system (OS) running and details of the services available on the system. Additionally, Portmapper is commonly used together with NFS (Network File System), NIS (Network Information Service), and other RPC-based services to manage network services effectively.

Default port: 111/TCP/UDP, 32771 on Oracle Solaris

PORT    STATE SERVICE
111/tcp open  rpcbind

Enumeration

rpcinfo irked.htb
nmap -sSUC -p111 192.168.10.1

Sometimes it does not give you any information; other times you will get something like this:

Advanced use of rpcinfo

Use rpcinfo -T udp -p <target> to pull the list of UDP programs even when TCP/111 is filtered, then immediately run showmount -e <target> to discover world-readable NFS exports registered through rpcbind.

rpcinfo -T udp -p 10.10.10.10
showmount -e 10.10.10.10

Deep enumeration with Nmap NSE

Combine the classic scan with nmap --script=rpcinfo,rpc-grind -p111 <target> to brute-force RPC program numbers. rpc-grind hits the portmapper with null calls that walk the nmap-rpc database, extracting the supported versions whenever a remote daemon replies "can't support version", which often reveals quietly registered services such as rusersd, rquotad or custom daemons. Multi-threading via --script-args 'rpc-grind.threads=8' speeds up large targets, while the companion rpcinfo script prints a readable table that you can diff against host baselines.
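The rpcinfo and rpc-grind steps above both end with a table of registered RPC programs, and the last sentence suggests diffing that table against a host baseline. The following Python is an added example (not part of the original page or of any tool it names): it parses `rpcinfo -p` output into records, groups registrations by service, and reports anything registered with rpcbind that is not in an approved baseline, which is the check a defender would run over a fleet to spot unexpected NFS, NIS or rusersd registrations. The sample output and the baseline are constructed; the program-number table is the standard /etc/rpc mapping for the services this page discusses.

```python
import re
from collections import defaultdict

# Well-known RPC program numbers (standard /etc/rpc assignments) for the
# services discussed on this page. Unknown programs are reported by number.
RPC_PROGRAMS = {
    100000: "portmapper",
    100002: "rusersd",
    100003: "nfs",
    100004: "ypserv",
    100005: "mountd",
    100007: "ypbind",
    100011: "rquotad",
}

# Constructed sample of `rpcinfo -p <target>` output (not captured from a real host).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    3   udp  46011  mountd
    100005    3   tcp  50621  mountd
    100004    2   udp    811  ypserv
    100002    3   udp  33321  rusersd
"""

# One table row: program, version, proto, port and an optional service name
# (rpcinfo omits the name when the program number is not in its local table).
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")


def parse_rpcinfo(text):
    """Parse `rpcinfo -p` output into (program, version, proto, port, name) tuples.

    The header line and anything not matching the table layout is skipped.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, vers, proto, port, name = m.groups()
        prog = int(prog)
        name = name or RPC_PROGRAMS.get(prog, str(prog))
        records.append((prog, int(vers), proto, int(port), name))
    return records


def summarize(records):
    """Group registrations by service name: {name: {(proto, port), ...}}."""
    summary = defaultdict(set)
    for prog, vers, proto, port, name in records:
        summary[name].add((proto, port))
    return dict(summary)


def new_registrations(current, baseline):
    """Return entries present now but absent from the baseline.

    Comparison is on (program, version, proto, port); the name is carried along
    for reporting. A service registering with rpcbind outside the approved set
    shows up here, which is the baseline diff the text suggests.
    """
    base = {r[:4] for r in baseline}
    return sorted(r for r in current if r[:4] not in base)


if __name__ == "__main__":
    recs = parse_rpcinfo(SAMPLE_RPCINFO)
    for name, endpoints in sorted(summarize(recs).items()):
        print(f"{name:12s} {sorted(endpoints)}")
    # Constructed baseline: this host is approved to run only portmapper and NFS.
    approved = [r for r in recs if r[4] in ("portmapper", "nfs", "mountd")]
    for r in new_registrations(recs, approved):
        print("unexpected registration:", r)
```

Feed it the saved output of `rpcinfo -p` for each host and a baseline captured from a known-good build; any row printed as an unexpected registration is a service that either should not be running or should be firewalled along with port 111.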

Shodan

  • port:111 portmap

RPCBind + NFS

If you find the NFS service, you will probably be able to list and download (and maybe upload) files:

Read 2049 - Pentesting NFS service to learn more about how to test this protocol.

NIS

Exploring NIS vulnerabilities is a two-step process, starting with identification of the ypbind service. The cornerstone of this exploration is uncovering the NIS domain name; without it, progress halts.

The exploration journey begins with installing the necessary packages (apt-get install nis). The next step requires using ypwhich to confirm the presence of the NIS server by pinging it with the domain name and server IP, making sure these elements are anonymized for security.

The final and crucial step involves the ypcat command to extract sensitive data, particularly encrypted user passwords. These hashes, once cracked using tools like John the Ripper, reveal information about system access and privileges.

# Install NIS tools
apt-get install nis
# Ping the NIS server to confirm its presence
ypwhich -d <domain-name> <server-ip>
# Extract user credentials
ypcat -d <domain-name> -h <server-ip> passwd.byname
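The point of the ypcat step above is that a NIS passwd map can hand out password hashes to anyone who can reach ypserv. As an added example (not part of the original page), the Python below audits a saved `ypcat passwd.byname` dump from the defender's side: it classifies each account by whether its password field carries a hash, is empty, or is shadowed/locked, so an administrator can see which accounts the map actually exposes before an attacker runs the same command. The map contents are constructed.

```python
# Constructed sample of `ypcat passwd.byname` output (no real accounts or hashes).
SAMPLE_PASSWD_MAP = """\
alice:$6$constructedsalt$constructedhashvalue:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc-backup::1003:1003:Backup service:/var/backup:/bin/sh
carol:*:1004:1004:Carol:/home/carol:/usr/sbin/nologin
"""

# Password-field values that mean "no hash served here" (shadowed or locked).
LOCKED_VALUES = {"x", "*", "!", "!!"}


def audit_passwd_map(text):
    """Classify passwd(5)-style map entries by what the password field exposes.

    Returns {"hash": [...], "empty": [...], "shadowed_or_locked": [...]}.
    'hash' accounts hand a crackable hash to anyone who can query the map;
    'empty' accounts need no password at all; the rest serve nothing usable.
    """
    result = {"hash": [], "empty": [], "shadowed_or_locked": []}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # not a well-formed passwd record; skip rather than guess
        user, pw = fields[0], fields[1]
        if pw == "":
            result["empty"].append(user)
        elif pw in LOCKED_VALUES or pw.startswith("!"):
            result["shadowed_or_locked"].append(user)
        else:
            result["hash"].append(user)
    return result


if __name__ == "__main__":
    report = audit_passwd_map(SAMPLE_PASSWD_MAP)
    for category, users in report.items():
        print(f"{category:20s} {users}")
```

Any account in the "hash" or "empty" list is what the John the Ripper step in the text would target; the fix on the server side is to serve a shadow map (or keep hashes out of passwd.byname) and restrict which hosts may bind to the NIS domain.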

NIS Files

Master file        Map(s)                        Notes
/etc/hosts         hosts.byname, hosts.byaddr    Contains hostnames and IP details
/etc/passwd        passwd.byname, passwd.byuid   NIS user password file
/etc/group         group.byname, group.bygid     NIS group file
/usr/lib/aliases   mail.aliases                  Contains details of mail aliases

RPC Users

If you find the rusersd service listed like this:

You can enumerate the users of the machine. To learn how, read 1026 - Pentesting Rusersd.

Bypassing a filtered portmapper port

When an nmap scan shows open NFS ports while port 111 is filtered, direct exploitation of those ports is not feasible. However, by simulating a portmapper service locally on your machine and creating a tunnel from your machine to the target, exploitation becomes possible using standard tools. This technique bypasses the filtered state of port 111 and thereby enables access to the NFS services. For detailed guidance on this method, refer to the article at this link.

Practice labs

HackTricks Automatic Commands

Protocol_Name: Portmapper    #Protocol Abbreviation if there is one.
Port_Number:  111     #Comma separated if there is more than one.
Protocol_Description: PM or RPCBind        #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for PortMapper
Note: |
Portmapper is a service that is utilized for mapping network service ports to RPC (Remote Procedure Call) program numbers. It acts as a critical component in Unix-based systems, facilitating the exchange of information between these systems. The port associated with Portmapper is frequently scanned by attackers as it can reveal valuable information. This information includes the type of Unix Operating System (OS) running and details about the services that are available on the system. Additionally, Portmapper is commonly used in conjunction with NFS (Network File System), NIS (Network Information Service), and other RPC-based services to manage network services effectively.

https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-rpcbind.html

Entry_2:
Name: rpc info
Description: May give netstat-type info
Command: rpcinfo -p {IP}

Entry_3:
Name: nmap
Description: May give netstat-type info
Command: nmap -sSUC -p 111 {IP}

References
