CAPEC-307 Detail

TCP RPC Scan

Abstraction: Detailed
Domains: Communications, Software
Typical Severity: Low

Parents: CAPEC-300

Threats: T60 T65 T80 T258 T273 T288 T291 T302 T334 T392 T407

Description

An adversary scans for RPC services listening on a Unix/Linux host.

Extended Description

This type of scan can be performed via native operating system utilities or via port scanners like nmap. When performed by a scanner, an RPC datagram is sent to a list of UDP ports and the response is recorded. Particular types of responses can be indicative of well-known RPC services running on a UDP port. Discovering RPC services gives the adversary potential targets to attack, as some RPC services are insecure by default. Direct RPC scans that bypass portmapper/sunrpc are typically slow compared to other scan types, are easily detected by IPS/IDS systems, and can only detect open ports when an RPC service responds. ICMP diagnostic message responses can help identify closed ports; however, filtered and unfiltered ports cannot be identified through TCP RPC scans. There are two general approaches to RPC scanning: one is to use a native operating system utility, or script, to query the portmapper/rpcbind application running on port 111, which will return a list of registered RPC services; alternately, one can use a port scanner or script to scan for RPC services directly.
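The description notes that both approaches leave a recognisable footprint: a query to portmapper on port 111, or a sweep of many ports that bypasses it. The following is an added detection example, not part of the CAPEC entry; it assumes a constructed firewall log line format of the form `src=<ip> dst=<ip> proto=<udp|tcp> dport=<port>` and labels each source/target pair with the approach it resembles.

```python
import re
from collections import defaultdict

# Assumed log line format (constructed for this example, not a real product's format).
LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>udp|tcp) dport=(?P<dport>\d+)"
)
PORTMAPPER_PORT = 111  # portmapper/rpcbind, as described in the entry


def parse_events(log_text):
    """Yield (src, dst, proto, dport) for every line matching the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dport"])


def classify_rpc_probes(log_text, sweep_threshold=8):
    """Label each (src, dst) pair by the RPC discovery approach it resembles.

    'portmapper-query' : the source asked portmapper (port 111) for the service list
    'direct-rpc-sweep' : the source probed many distinct ports without touching 111
    'both'             : both behaviours seen from the same source
    Pairs showing neither behaviour (ordinary traffic) are omitted.
    """
    ports_seen = defaultdict(set)
    for src, dst, proto, dport in parse_events(log_text):
        ports_seen[(src, dst)].add((proto, dport))
    verdicts = {}
    for pair, seen in ports_seen.items():
        asked_portmapper = any(p == PORTMAPPER_PORT for _, p in seen)
        swept = len({p for _, p in seen if p != PORTMAPPER_PORT}) >= sweep_threshold
        if asked_portmapper and swept:
            verdicts[pair] = "both"
        elif asked_portmapper:
            verdicts[pair] = "portmapper-query"
        elif swept:
            verdicts[pair] = "direct-rpc-sweep"
    return verdicts


# Constructed sample log: 10.0.0.5 queries portmapper over UDP and TCP, 10.0.0.7 is
# ordinary NFS traffic, and 10.0.0.9 sweeps ten high UDP ports without asking portmapper.
SAMPLE_LOG = "\n".join(
    ["t=1 src=10.0.0.5 dst=10.0.0.20 proto=udp dport=111 action=allow",
     "t=2 src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=111 action=allow",
     "t=3 src=10.0.0.7 dst=10.0.0.20 proto=tcp dport=2049 action=allow"]
    + [f"t={4 + i} src=10.0.0.9 dst=10.0.0.20 proto=udp dport={32770 + i} action=drop"
       for i in range(10)]
)

if __name__ == "__main__":
    for (src, dst), verdict in classify_rpc_probes(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {verdict}")
```

The sweep threshold is a tuning knob: a direct scan is slow, so a lower threshold over a longer window catches it earlier at the cost of more noise.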
External IDs and References
CAPEC-307 (source: capec): https://capec.mitre.org/data/definitions/307.html
CWE-200 (source: cwe): http://cwe.mitre.org/data/definitions/200.html
REF-33 (source: reference_from_CAPEC): Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill
REF-158 (source: reference_from_CAPEC): J. Postel, RFC 768 - User Datagram Protocol, 1980-08-28, http://www.faqs.org/rfcs/rfc768.html
REF-34 (source: reference_from_CAPEC): Gordon "Fyodor" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd "Zero Day" Edition), 2008, Insecure.com LLC, ISBN: 978-0-9799587-1-7
REF-130 (source: reference_from_CAPEC): Gordon "Fyodor" Lyon, The Art of Port Scanning (Volume 7, Issue 51), Phrack Magazine, 1997, http://phrack.org/issues/51/11.html
Experiment
  1. An adversary sends RPC packets to target ports.

  2. An adversary uses the response from the target to determine which, if any, RPC service is running on that port. Responses will vary based on which RPC service is running.

Prerequisites
  1. RPC scanning requires no special privileges when it is performed via a native system utility.

Resources Required
  1. The ability to craft custom RPC datagrams for use during network reconnaissance via native OS utilities or a port scanning tool. By tailoring the bytes injected one can scan for specific RPC-registered services. Depending upon the method used it may be necessary to sniff the network in order to see the response.


Consequences
Scope: Authorization; Impact: Bypass Protection Mechanism, Hide Activities
Scope: Access Control; Impact: Bypass Protection Mechanism, Hide Activities
Scope: Confidentiality; Impact: Other, Bypass Protection Mechanism, Hide Activities
