rpcinfo/showmount

RPC (Remote Procedure Call) is a protocol on which services such as NFS, NIS and Samba are built. Essentially, RPC handles the encoding and decoding of requests between clients and servers. When a client tries to connect to an NFS service, RPC takes control and maps the request to the port on which the service is listening. If we are looking to compromise this type of service, we need to understand how RPC works, so in this lesson we will examine this protocol.

Network File System And RPC

Wikipedia says:

Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems in 1984,[1] allowing a user on a client computer to access files over a computer network much like local storage is accessed. NFS, like many other protocols, builds on the Open Network Computing Remote Procedure Call (ONC RPC) system. The NFS is an open standard defined in Request for Comments (RFC), allowing anyone to implement the protocol.

As we can see, NFS is a service based on RPC, so we will configure an NFS server in order to examine how RPC operates.

Set up an NFS server (192.168.122.131)

We can use the infosecaddicts Ubuntu VM and install the NFS server as follows:

sudo su
apt-get update
apt-get install nfs-kernel-server

After installing, we can check the service status:

systemctl status nfs-server

Now we will publish a directory for testing purposes. To do that, edit /etc/exports and add the following line:

/home/infosecaddicts/backups 192.168.122.0/24(rw,sync,no_subtree_check)

Finally, restart the VM.

Set up our local machine

On our local machine, install the rpcbind and nfs-common (NFS client) packages:

sudo su
apt install rpcbind nfs-common

rpcbind allows us to run the rpcinfo command, which helps us get information about the RPC services on a given system: rpcinfo makes an RPC call to an RPC server and reports what it finds.

With nfs-common we get all the client tools needed to connect to an NFS server.

Enumerating RPC services:

rpcinfo/showmount commands:

Once our lab has been configured, we can focus on what type of information we can obtain from the NFS server:

Now, from our local machine, run:

rpcinfo -p 192.168.122.131

After running the rpcinfo command we get a lot of interesting information:

  • All the RPC services that are running on the NFS server (192.168.122.131).
  • The default RPC port (111), on which the portmapper listens.
  • The ports associated with each service.
  • Information about other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.).
  • The protocol (UDP or TCP) used by each service.

If a scan detects port 111 open, we can say that the target server has an RPC-based service such as NIS, NFS, CIFS or Samba waiting for remote connections. rpcinfo also tells us which services are listening. In the rpcinfo output we can see that there is an NFS service running on port 2049 TCP/UDP. When the rpcinfo command runs, the local host makes an RPC call to the NFS server on port 111 and consults the portmapper to determine where each RPC server is listening.

The most important thing is that through RPC we can list other services; in our case we see the NFS service and the ports on which it is waiting for connections.
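To make that output easier to work with, here is an added Python example (not part of the original lesson) that parses rpcinfo -p output into records, groups the ports and protocols per service, and lists every port the NFS stack uses, including the dynamically assigned mountd and nlockmgr ports that a firewall rule set has to account for. The sample output is constructed, not captured from the lab server.

```python
import re
from collections import defaultdict

# Constructed sample of `rpcinfo -p` output in its real column layout
# (assumed values; not captured from the lab host in the lesson).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    1   udp  39553  mountd
    100005    1   tcp  44201  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  42783  nlockmgr
    100021    1   tcp  38011  nlockmgr
"""

# Columns: program number, version, proto, port, service name
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")

def parse_rpcinfo(text):
    """Return one dict per registration line; the header line does not match."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, vers, proto, port, name = m.groups()
        entries.append({"program": int(prog), "version": int(vers),
                        "proto": proto, "port": int(port), "service": name})
    return entries

def summarize(entries):
    """Collapse per-version registrations to service -> sorted (proto, port) pairs."""
    by_service = defaultdict(set)
    for e in entries:
        by_service[e["service"]].add((e["proto"], e["port"]))
    return {svc: sorted(pairs) for svc, pairs in by_service.items()}

def nfs_ports(entries):
    """Every port the NFS stack uses: 2049 for nfs plus the dynamically assigned
    mountd and nlockmgr ports, which a host firewall must also account for."""
    wanted = {"nfs", "mountd", "nlockmgr"}
    return sorted({e["port"] for e in entries if e["service"] in wanted})

if __name__ == "__main__":
    parsed = parse_rpcinfo(SAMPLE_RPCINFO)
    print(summarize(parsed), nfs_ports(parsed))
```

Feed it the real output with parse_rpcinfo(subprocess.check_output(["rpcinfo", "-p", host], text=True)) to get the same summary for a live host.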

With nmap we can scan and see a result similar to the previous one:

Run:

nmap -sC -p111 192.168.122.131

Finally, now that we have verified that an NFS service is running, we can dig deeper and see what else we can obtain.

Run the following to list the exported directories:

showmount -e 192.168.122.131

Try to mount the directory:

sudo mkdir -p /tmp/nfs
sudo mount -t nfs 192.168.122.131:/home/infosecaddicts/backups /tmp/nfs

Check the file systems mounted on our local machine:

mount

As you have seen, examining RPC-type services lets us obtain a lot of information about the network infrastructure, and also lets us mount a network share and retrieve the files stored there.

 


This post was written by Ruben Dario Caravajal Herrera