Home > CAPEC List > CAPEC-307: TCP RPC Scan (Version 2.9)  


Definition in a New Window Definition in a New Window
Attack Pattern ID: 307
Abstraction: Detailed
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

An attacker scan for RPC services listing on a Unix/Linux host. This type of scan can be obtained via native operating system utilities or via port scanners like nmap. When performed by a scanner, an RPC datagram is sent to a list of UDP ports and the response is recorded. Particular types of responses can be indicative of well-known RPC services running on a UDP port.

  • 1. Speed: Direct RPC scans that bypass portmapper/sunrpc are typically slow compare to other scan types
  • 2. Stealth: RPC scanning is not stealthy, as IPS/IDS systems detect RPC queries
  • 3. Open Port: Can only detect open ports when an RPC service responds
  • 4. Closed Port: Detects closed ports on the basis of ICMP diagnostic messages.
  • 5. Filtered Port: Cannot identify filtered ports
  • 6. Unfiltered Port: Cannot identify unfiltered ports

There are two general approaches to RPC scanning. One is to use a native operating system utility, or script, to query the portmapper/rpcbind application running on port 111. Portmapper will return a list of registered RPC services. Alternately, one can use a port scanner or script to scan for RPC services directly. Discovering RPC services gives the attacker potential targets to attack, as some RPC services are insecure by default.

+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Transport Layer

Target Attack Surface Localities


Target Attack Surface Types: Host Service

+ Attack Prerequisites
  • RPC scanning requires no special privileges when it is performed via a native system utility.

+ Typical Severity


+ Resources Required

The ability to craft custom RPC datagrams for use during network reconnaissance. By tailoring the bytes injected one can scan for specific RPC-registered services. Depending upon the method used it may be necessary to sniff the network in order to see the response.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
"Varies by context"
Bypass protection mechanism
Hide activities
+ References
[R.307.1] [REF-20] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.
[R.307.2] [REF-27] J. Postel. "RFC768 - User Datagram Protocol". August 28, 1980. <http://www.faqs.org/rfcs/rfc768.html>.
[R.307.3] [REF-22] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 7.5.2 RPC Grinding, pg. 156. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.
[R.307.4] [REF-10] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://www.phrack.org/issues.html?issue=51&id=11#article>.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team

More information is available — Please select a different filter.
Page Last Updated or Reviewed: December 07, 2015