
What is RPC Enumeration?

Last Updated : 09 May, 2025

RPC stands for remote procedure call: a function call that carries out a task on a different computer. RPC enumeration is the process of discovering which RPC services are running on a host and on which port numbers.

Imagine you’re at home, but instructing your office machine to print a file—that's the sort of thing RPC does in a network. It's a way for client computers (like your laptop) and server computers (like a company's database) to communicate and accomplish things together.

Enumerating RPC services can help find information leaks, because it lets an attacker map which systems are most exposed and therefore most likely to be targeted later. RPC enumeration is often confused with finger-pointing or vulnerability scanning. Here’s the difference:

  • RPC Enumeration: It is about mapping services and ports rather than discovering defects; it is learning the topology of the network.
  • Vulnerability Scanning: Searches for specific software or system weaknesses.
  • Finger Pointing: Cycles through a list of systems to retrieve simple information, such as who is logged in or what is executing.

Types of RPC services

RPC services can depend on different parts of a system. Think of these as ingredients a program needs to work properly.

  • Machine dependencies: Machine dependencies are special files that an application requires in order to work properly. Client-specific dependencies are specific to the client machine on which an application runs. Server-specific dependencies are files that run only on an individual server machine, to make sure the requested application runs properly once it is started.
  • Client-specific dependencies: RPC servers make calls to their clients' applications via the RPC interface, which is identified by a transport-layer protocol (TCP/IP) port number. This allows the RPC server to use a single port number for both client and server applications. Some RPC services operate on a single port number, while others operate on several ports. For example, RPC services that run on TCP/80 are identified by the port numbers 80 or 8080.

Important Points

  1. RPC services or RPC calls have to be saved to a file in order to be of use. RPC servers are not necessarily required for the software to run, and client-side applications are not necessarily required for an RPC server to exist.
  2. RPC is a term used by clients and servers for remote procedure calls within an operating system (OS) or a network application, such as an API. It is also a file type on UNIX systems, but it is not required by a UNIX OS (such as Linux).
  3. One point of confusion between RPC dependency enumeration and “finger pointing” is that you are aiming at the machine rather than at the service that might be running on it.

Key Points About RPC Enumeration

To make RPC enumeration crystal clear, here are the most important things to know:

  • RPC is a protocol that makes use of the remote procedure call (RPC) framework. It is differentiated from other protocols by its focus on services rather than applications. RPC applications are similar to services, but they are more specific.
  • Clients connect to an application over a network in order to run it, and connect to a service once that connection is made. Also, the services that run on a machine via RPC are not necessarily RPC applications.
  • RPC is also an acronym for “Real-time Publish/Subscribe.” This is relevant because Real-time Publish/Subscribe can be used in conjunction with RPC services. Also, RPC ports cannot be trusted: another application may be running on a port instead of the one you expect.

Why Do RPC Enumeration?

RPC enumeration matters for Linux network administration and security because it:

  • Finds Information Leaks: Reveals services that may be exposing sensitive information, such as user lists or system details.
  • Maps Vulnerabilities: Allows ethical hackers to discover systems that may be vulnerable if left unpatched.
  • Improves Security: Tells sysadmins what is running on their network so they can secure it.
  • Aids Penetration Testing: Gives security professionals a starting point for testing network defenses.

Tools for RPC Enumeration

Several Linux tools make RPC enumeration easier. Here’s a rundown of the most popular ones we’ll cover, with detailed steps for each:

  • rpcinfo: A built-in Linux command that lists the RPC services and their ports on a target system.
  • nmap: A powerful network scanning tool with scripts for RPC discovery.
  • enum4linux: A tool for enumerating RPC and SMB services, especially on Windows or mixed networks.
  • rpcbind: A utility to query RPC bindings and services on Linux systems.

How to do RPC Enumeration on Linux

We’ll assume you’re scanning a test system with IP 192.168.1.10 (replace with your target’s IP or localhost for your own machine).

1. rpcinfo

rpcinfo is a simple, built-in Linux command for querying RPC services. It is well suited to beginners because it is straightforward and usually pre-installed.

Step 1. Open a terminal and run the rpcinfo command to list the RPC services on the target system:

rpcinfo -p 192.168.1.10

  • -p: Probes the target's portmapper for registered RPC services.
  • 192.168.1.10: The target IP. Use localhost to scan your own machine.

Example output:

   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100005    1   tcp  32771  mountd
    100024    1   udp  32772  status

Step 2. Examine the listed services:

  • Port 111: Used by portmapper (rpcbind), the standard RPC service that maps RPC program numbers to the ports they listen on.
  • Port 2049: Indicates NFS (Network File System), which shares files and can be abused if it is misconfigured.

Note: rpcinfo requires rpcbind to be running on the target. If you get “connection refused,” the system may not support RPC, or a firewall may be blocking port 111.

2. nmap

nmap is a network scanning utility with RPC enumeration scripts; it is well suited to penetration testing and comprehensive scans.

Step 1: Run nmap with the rpcinfo script to enumerate RPC services:

nmap --script rpcinfo 192.168.1.10

  • --script rpcinfo: Runs nmap’s RPC enumeration script.
  • 192.168.1.10: The target IP.

Example Output:

PORT    STATE SERVICE
111/tcp open  rpcbind
| rpcinfo:
|   program  version    port/proto  service
|   100000   2          111/tcp     rpcbind
|   100000   2          111/udp     rpcbind
|   100003   3          2049/tcp    nfs
|   100005   1          32771/tcp   mountd
|_  100024   1          32772/udp   status

Step 2: Scan all ports so that RPC services on non-standard ports are found as well:

nmap -p- --script rpcinfo 192.168.1.10

  • -p-: Scans all 65,535 ports to find RPC services on non-standard ports.

Step 3: Analyze the results:

  • Compare the nmap output with the rpcinfo output to verify the services.
  • Look for high-risk services such as NFS (port 2049) or mountd, which could permit unauthorized access to files if incorrectly configured.
  • Check dynamic ports (e.g., 32771) for unusual services.
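To make the analysis in Step 2 of rpcinfo and Step 3 of nmap concrete, here is an added Python example (not part of the original article) that parses both tools' output, cross-checks them, and flags NFS, mountd and services on dynamic ports. The sample outputs are constructed to match the listings above, and the 32768 cut-off for "dynamic" ports is an assumption.

```python
import re

# Constructed sample outputs (not from a real host), in the two layouts the
# article shows: `rpcinfo -p` and nmap's `--script rpcinfo` block.
RPCINFO_OUTPUT = """\
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100005    1   tcp  32771  mountd
    100024    1   udp  32772  status
"""
NMAP_OUTPUT = """\
|   program  version    port/proto  service
|   100000   2          111/tcp     rpcbind
|   100000   2          111/udp     rpcbind
|   100003   3          2049/tcp    nfs
|   100005   1          32771/tcp   mountd
|_  100024   1          32772/udp   status
"""
# One regex covers both layouts: rpcinfo prints "proto port", nmap "port/proto".
ENTRY = re.compile(
    r"^\|?_?\s*(\d+)\s+(\d+)\s+(?:(tcp|udp)\s+(\d+)|(\d+)/(tcp|udp))")
# RPC program numbers the article singles out as worth a closer look.
HIGH_RISK = {100003: "nfs (file exports)", 100005: "mountd (export listing)"}
DYNAMIC_PORT_START = 32768  # assumed cut-off for "dynamic" RPC ports


def parse_entries(text):
    """Return a set of (program, version, proto, port) tuples from tool output."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header lines and anything that is not an RPC entry
        prog, vers, p1, port1, port2, p2 = m.groups()
        proto, port = (p1, port1) if p1 else (p2, port2)
        entries.add((int(prog), int(vers), proto, int(port)))
    return entries


def review(rpcinfo_text, nmap_text):
    """Cross-check both tools; flag entries an administrator should examine."""
    seen_a, seen_b = parse_entries(rpcinfo_text), parse_entries(nmap_text)
    findings = []
    for prog, vers, proto, port in sorted(seen_a ^ seen_b):
        findings.append(f"mismatch: program {prog} v{vers} on {port}/{proto} seen by one tool only")
    for prog, vers, proto, port in sorted(seen_a & seen_b):
        if prog in HIGH_RISK:
            findings.append(f"high-risk: {HIGH_RISK[prog]} on {port}/{proto}")
        elif port >= DYNAMIC_PORT_START:
            findings.append(f"dynamic port: program {prog} on {port}/{proto}")
    return findings
```

Feed it the real output of both commands (for example via subprocess) to get the same cross-check on a live host.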

Security Considerations

Enumeration of RPC can reveal sensitive data, so use it responsibly:

  • Legal Compliance: Scan only systems that you own or have specific authorization to test. Unauthorized network scanning is illegal.
  • Minimize Impact: Avoid intensive scans (e.g., nmap -p-) on production servers to minimize interruptions.
  • Secure RPC Services:
    • Disable unused services: sudo systemctl disable rpcbind.
    • Use firewalls: sudo ufw deny 111 to block port 111 from the outside.
    • Update software: sudo apt update && sudo apt upgrade to patch vulnerabilities.
  • Monitor Logs: Check for suspicious RPC traffic in Linux logs (/var/log/syslog or /var/log/messages).
  • Use Secure Ports: Use encrypted protocols (e.g., SSH over RPC) for sensitive actions.

Conclusion

RPC service enumeration is not the same as finding your target's vulnerabilities. It is about recording specific information about the network as a whole. This can involve approaching an RPC server and learning more about it, but not without first checking for vulnerabilities. Almost every other method of digging up information about a system usually involves vulnerability analysis first.