RPC Scan (-sR)
Requires Privileged Access: NO
Identifies TCP Ports: NO
Identifies UDP Ports: NO

A remote procedure call (RPC) scan is used to locate and identify RPC applications. After open ports are identified with another scan type, the RPC scan sends each open port an RPC NULL call to provoke a response from any RPC application that might be running. The RPC scan runs automatically during a version scan (-sV).

The RPC scan is referenced as an RPCGrind scan in the nmap output.


RPC Scan Operation
An RPC scan needs a list of open ports before it can begin querying for RPC applications. If a TCP or UDP scan type is not included on the command line, nmap will use the default scan type for the current permissions. For privileged users, nmap performs a TCP SYN scan (-sS), and for non-privileged users nmap performs a TCP connect() scan (-sT). The examples below display only the RPC scan information, and not the initial port scan.

This trace file shows the RPC query process that occurs for NFS on port 2049. The RPC NULL requests can be clearly seen as PROC=0:
Source         Destination    Summary 
--------------------------------------------------------------------------------------
[192.168.0.8] [192.168.0.7] TCP: D=2049 S=51008 SYN SEQ=2397105131 LEN=0 WIN=5840
[192.168.0.7] [192.168.0.8] TCP: D=51008 S=2049 SYN ACK=2397105132 SEQ=2432014017 LEN=0 WIN=65535
[192.168.0.8] [192.168.0.7] TCP: D=2049 S=51008 ACK=2432014018 WIN<<2=5840
[192.168.0.8] [192.168.0.7] RPC: C XID=59188766 PROG=Port mapper VERS=434311 PROC=0(Do nothing)
[192.168.0.7] [192.168.0.8] RPC: R XID=59188766 - Program unavailable
[192.168.0.8] [192.168.0.7] TCP: D=2049 S=51008 ACK=2432014046 WIN<<2=5840
[192.168.0.8] [192.168.0.7] RPC: C XID=59188767 PROG=Remote Statistics VERS=434311 PROC=0(?)
[192.168.0.7] [192.168.0.8] RPC: R XID=59188767 - Program unavailable
[192.168.0.8] [192.168.0.7] TCP: D=2049 S=51008 ACK=2432014074 WIN<<2=5840
[192.168.0.8] [192.168.0.7] RPC: C XID=59188768 PROG=Remote Users VERS=434311 PROC=0(?)
[192.168.0.7] [192.168.0.8] RPC: R XID=59188768 - Program unavailable
[192.168.0.8] [192.168.0.7] TCP: D=2049 S=51008 ACK=2432014102 WIN<<2=5840
[192.168.0.8] [192.168.0.7] RPC: C XID=59188769 PROG=NFS VERS=434311 PROC=0(Do nothing)
[192.168.0.7] [192.168.0.8] RPC: R XID=59188769 - Program version mismatch
[192.168.0.8] [192.168.0.7] TCP: D=2049 S=51008 ACK=2432014138 WIN<<2=5840
[192.168.0.8] [192.168.0.7] TCP: D=2049 S=51008 FIN ACK=2432014138 SEQ=2397105308 LEN=0 WIN<<2=5840
[192.168.0.7] [192.168.0.8] TCP: D=51008 S=2049 ACK=2397105309 WIN<<1=65358
[192.168.0.7] [192.168.0.8] TCP: D=51008 S=2049 FIN ACK=2397105309 SEQ=2432014138 LEN=0 WIN<<1=65358
[192.168.0.8] [192.168.0.7] TCP: D=2049 S=51008 ACK=2432014139 WIN<<2=5840
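As an added illustration (not from the original text and not nmap's own code), the following Python builds the same kind of RPC NULL call (PROC=0) seen in the trace and classifies the two reply types it shows, "Program unavailable" and "Program version mismatch", using the ONC RPC wire format from RFC 5531. The reply bytes are constructed for offline demonstration, not captured from a host.

```python
import struct

# ONC RPC constants (RFC 5531)
CALL, REPLY = 0, 1
MSG_ACCEPTED, MSG_DENIED = 0, 1
ACCEPT_STAT = {0: "SUCCESS", 1: "PROG_UNAVAIL", 2: "PROG_MISMATCH",
               3: "PROC_UNAVAIL", 4: "GARBAGE_ARGS", 5: "SYSTEM_ERR"}
AUTH_NONE = 0
LAST_FRAGMENT = 0x80000000  # TCP record-marking: high bit = last fragment

def build_null_call(xid, prog, vers):
    """Encode an RPC NULL call (PROC=0) with AUTH_NONE credentials,
    framed for TCP with a record-marking header as in the trace above."""
    body = struct.pack("!6I", xid, CALL, 2, prog, vers, 0)
    body += struct.pack("!II", AUTH_NONE, 0)  # cred: flavor, empty body
    body += struct.pack("!II", AUTH_NONE, 0)  # verf: flavor, empty body
    return struct.pack("!I", LAST_FRAGMENT | len(body)) + body

def parse_reply(record):
    """Classify a TCP-framed RPC reply the way a grinder interprets it.
    Returns (xid, status, (low, high) or None); low/high are the program
    versions the server supports, which is how "V2-3" is learned."""
    length = struct.unpack("!I", record[:4])[0] & 0x7FFFFFFF
    msg = record[4:4 + length]
    xid, msg_type, reply_stat = struct.unpack("!3I", msg[:12])
    if msg_type != REPLY:
        raise ValueError("not an RPC reply")
    if reply_stat == MSG_DENIED:
        return xid, "MSG_DENIED", None
    # accepted: skip the verifier (flavor, length, body padded to 4 bytes)
    vlen = struct.unpack("!I", msg[16:20])[0]
    off = 20 + ((vlen + 3) & ~3)
    accept_stat = struct.unpack("!I", msg[off:off + 4])[0]
    status = ACCEPT_STAT.get(accept_stat, "UNKNOWN(%d)" % accept_stat)
    versions = None
    if accept_stat == 2:  # PROG_MISMATCH carries the supported low/high versions
        versions = struct.unpack("!II", msg[off + 4:off + 12])
    return xid, status, versions

def fake_reply(xid, accept_stat, low=None, high=None):
    """Constructed sample reply (not a capture) for offline demonstration."""
    body = struct.pack("!3I", xid, REPLY, MSG_ACCEPTED)
    body += struct.pack("!II", AUTH_NONE, 0)  # verf: AUTH_NONE, empty
    body += struct.pack("!I", accept_stat)
    if accept_stat == 2:
        body += struct.pack("!II", low, high)
    return struct.pack("!I", LAST_FRAGMENT | len(body)) + body

if __name__ == "__main__":
    xid = 59188766  # XID value taken from the trace above
    call = build_null_call(xid, 100000, 434311)  # portmapper, deliberately odd version
    print(parse_reply(fake_reply(xid, 1)))          # -> PROG_UNAVAIL
    print(parse_reply(fake_reply(xid + 3, 2, 2, 3)))  # -> PROG_MISMATCH, versions 2-3
```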
The RPC scan output below shows the initial SYN scan (no specific scan type was specified on the command line), and then shows the results of the RPC scan (called RPCGrind Scan in the output):
# nmap -v -sR 192.168.0.7

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-22 23:12 EDT
Initiating SYN Stealth Scan against 192.168.0.7 [1663 ports] at 23:12
Discovered open port 22/tcp on 192.168.0.7
Increasing send delay for 192.168.0.7 from 0 to 5 due to max_successful_tryno increase to 4
Discovered open port 2049/tcp on 192.168.0.7
Discovered open port 111/tcp on 192.168.0.7
Discovered open port 886/tcp on 192.168.0.7
The SYN Stealth Scan took 10.26s to scan 1663 total ports.
Initiating RPCGrind Scan against 192.168.0.7 at 23:12
The RPCGrind Scan took 1.11s to scan 4 ports on 192.168.0.7.
Host 192.168.0.7 appears to be up ... good.
Interesting ports on 192.168.0.7:
(The 1659 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE                VERSION
22/tcp   open  ssh
111/tcp  open  rpcbind (rpcbind V2-4) 2-4 (rpc #100000)
886/tcp  open  unknown
2049/tcp open  nfs (nfs V2-3)         2-3 (rpc #100003)
MAC Address: 00:03:47:6D:28:D7 (Intel)

Nmap finished: 1 IP address (1 host up) scanned in 12.228 seconds
               Raw packets sent: 1900 (76KB) | Rcvd: 1664 (76.5KB)
#

Advantages of the RPC Scan
The RPC scan provides detailed RPC application and version information. If the remote device is running an RPC-based application, nmap will reveal everything!

Even if an RPC application is running on an unexpected port, the RPC scan will find it. The RPC scan sends an RPC null to all open ports, so it's impossible for an RPC application to hide in a little-used port!


Disadvantages of the RPC Scan
The RPC scan opens application sessions, so there will be transaction events in the application logs. Once the application is opened, the size of the conversation will vary. Some open ports will transfer data, but no RPC information. Other RPC applications will send a number of frames as nmap queries for the application name and version number.

Decoys don't currently work in conjunction with an RPC scan, although it may be a future nmap enhancement.


When to use the RPC Scan
If RPC applications are of interest, the RPC scan will efficiently and effectively locate all RPC applications and identify the RPC application name and version. The RPC scan automatically runs during a version scan, combining valuable version information with detailed RPC data.

A UDP scan (-sU) may identify many ports as open|filtered, so the RPC scanning process may take significantly longer if each of these open|filtered ports is checked for RPC applications. Currently, there's no way to tell the RPC scan to ignore open|filtered ports and focus only on clearly identified open ports.