CAPEC-307 - TCP RPC Scan

An attacker scan for RPC services listing on a Unix/Linux host. This type of scan can be obtained via native operating system utilities or via port scanners like nmap. When performed by a scanner, an RPC datagram is sent to a list of UDP ports and the response is recorded. Particular types of responses can be indicative of well-known RPC services running on a UDP port.

There are two general approaches to RPC scanning. One is to use a native operating system utility, or script, to query the portmapper/rpcbind application running on port 111. Portmapper will return a list of registered RPC services. Alternately, one can use a port scanner or script to scan for RPC services directly. Discovering RPC services gives the attacker potential targets to attack, as some RPC services are insecure by default.

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Scopes 2
  • "Varies by context"
  • Confidentiality
  • Hide activities
  • Bypass protection mechanism
  • Authorization
  • Access_Control
  • Confidentiality

RPC scanning requires no special privileges when it is performed via a native system utility.

The ability to craft custom RPC datagrams for use during network reconnaissance. By tailoring the bytes injected one can scan for specific RPC-registered services. Depending upon the method used it may be necessary to sniff the network in order to see the response.