Common Attack Pattern Enumeration and Classification
A Community Resource for Identifying and Understanding Attacks
An attacker scan for RPC services listing on a Unix/Linux host. This type of scan can be obtained via native operating system utilities or via port scanners like nmap. When performed by a scanner, an RPC datagram is sent to a list of UDP ports and the response is recorded. Particular types of responses can be indicative of well-known RPC services running on a UDP port.
There are two general approaches to RPC scanning. One is to use a native operating system utility, or script, to query the portmapper/rpcbind application running on port 111. Portmapper will return a list of registered RPC services. Alternately, one can use a port scanner or script to scan for RPC services directly. Discovering RPC services gives the attacker potential targets to attack, as some RPC services are insecure by default.
Target Attack Surface Description
Targeted OSI Layers: Transport Layer
Target Attack Surface Localities
Target Attack Surface Types: Host Service
The ability to craft custom RPC datagrams for use during network reconnaissance. By tailoring the bytes injected one can scan for specific RPC-registered services. Depending upon the method used it may be necessary to sniff the network in order to see the response.
[R.307.1] [REF-20] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.
[R.307.2] [REF-27] J. Postel. "RFC768 - User Datagram Protocol". August 28, 1980. <http://www.faqs.org/rfcs/rfc768.html>.
[R.307.3] [REF-22] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 7.5.2 RPC Grinding, pg. 156. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.
More information is available — Please select a different filter.