Nmap Announce mailing list archives

RPC portscanning

From: Lamont Granquist <lamontg () raven genome washington edu>
Date: Thu, 17 Dec 1998 12:05:52 -0800

On Thu, 17 Dec 1998, Evan Brewer wrote:

On Thu, Dec 17, 1998 at 10:54:43AM -0800, Lamont Granquist wrote:

I talked with Fyodor about adding RPC service portscanning to NMAP, so
that NMAP would be able to query ports with null RPC commands to figure
out which RPC service was listening, if any (I haven't looked at RPC
closely enough to figure out if you could do this with one query, or if
you'd need to send queries for every service that you'd be interested in
knowing about, anyway...).  Fyodor's opinion was that NMAP should try to
stay away from doing 'application' level stuff as much as possible and
that the identd scanning and such in the current version was pushing it.


An interesting idea, however anything extrapolated from rpc may also (under
most conditions) be determined by a normal port scan.  There is nothing that
(Most of the time,) rpcinfo will tell you that a port scan wont.  Lets say
port 2049/tcp is open.  Odds are this guy has NFS.


That's only a characteristic of NFS.  To my knowledge it (and the
portmapper) are the only ones that you can assume that a given port
corresponds to a given service -- and even with NFS the RFC states that
programs should not assume that port 2049 is NFS and that this is
potentially subject to change.  To give you an example, here are the ports
that I just found mountd running on on a dozen machines that I just ran
rpcinfo -p over:

UDP: 3796 1122 1075 725 812 635 12441 12442 1126 1127 32929 33010 716 722 
TCP: 908 976 932 727 814 635 27972 27975  1024 1025 32776 32788 719 725

(okay, it was 15 machines with 14 different port numbers)

Anyway, I'd certainly think that RPC service scanning would be a hell of a
lot more generally useful than teaching NMAP about SNMP, but can
appreciate the sentiment behind not wanting to promote code bloat and not
wanting to do either of them.


May be useful yes, however getting this info in a stealthlike matter requires
a connection to portmap.


I'm not sure what you mean here.  That's actually *not* a stealthy way to
do it, since the portmap could be wrapped against libwrap.a (from
tcp_wrappers) and queries from foreign hosts could be denied and logged.
On the other hand, many RPC services themselves have no access control and
very limited logging capabilities.  I'd personally feel a whole lot
stealthier in scanning a network from 600-1024 using stealth scan and then
querying the service directly to figure out what it was.  Tripwiring
against that kind of a scan is more difficult, requiring either the
sources to the RPC programs, some kind of kludgy hack like securelib, or
a firewall with logging.

-- 
Lamont Granquist                       lamontg () raven genome washington edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka

Current thread:

SNMP to nmap? Michael Dodwell (Dec 16)
- Re: SNMP to nmap? Emerson (Dec 17)
  - Re: SNMP to nmap? Matthew Franz (Dec 17)
    - Re: SNMP to nmap? Lamont Granquist (Dec 17)
    - NMAP IRIX Port Lamont Granquist (Dec 17)
    - Hey, Fyodor, How does this OS Scan stuff work? Lamont Granquist (Dec 17)
    - Re: SNMP to nmap? Evan Brewer (Dec 17)
    - RPC portscanning Lamont Granquist (Dec 17)
    - Re: RPC portscanning Evan Brewer (Dec 17)
    - Re: SNMP to nmap? ubik (Dec 17)
    - Re: SNMP to nmap? Evan Brewer (Dec 17)
- <Possible follow-ups>
- Re: SNMP to nmap? James W. Abendschan (Dec 17)