Service: rpcbind, portmap
Protocol: TCP / UDP
Port: 111
Used for: Mapping RPC services to ports
Why It’s Open
Used by NFS, NIS, and other RPC-based services to register and locate services. Common on Unix/Linux systems.
Common Risks
- Information Disclosure: Lists running RPC services and ports.
- DDoS Amplification: Older services respond with large payloads.
- NFS Abuse: Port 111 is often the first step in attacking NFS shares.
- Privilege Escalation: Exposed RPC services can lead to remote root access.
Enumeration & Testing
Check if it’s open
nmap -sV -p 111 <target>
nmap -sU -p 111 --script=rpcinfo <target>
Show RPC services
rpcinfo -p
What to Look For
| Checkpoint | What it means |
|---|---|
| Accessible portmap | Can enumerate services remotely |
| NFS or mountd open | Likely exploitable via 2049 |
| No firewall | External exposure is a red flag |
Known Exploits
- CVE-1999-0002
Same as above; this vulnerability also affects services utilizing RPCbind.
Mitigation
- Restrict access to trusted IPs.
- Use firewalls to block external 111 access.
- Audit and minimize exposed RPC services.
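One way to run the "audit and minimize" step on your own hosts, as an added example that is not part of the original page: it parses `rpcinfo -p` output, collapses duplicate version rows, and flags the NFS and mountd registrations named in the checkpoint table plus anything outside an expected list. The sample output is constructed, and the `expected_programs` allowlist is a hypothetical parameter.

```python
import collections

# Constructed sample of `rpcinfo -p` output (not taken from a real host).
SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    3   udp  20048  mountd
    100024    1   tcp  45873  status
    391002    2   tcp  32771
"""

# Standard RPC program numbers for the services in the checkpoint table.
NFS_PROGRAMS = {100003: "nfs", 100005: "mountd"}

def parse_rpcinfo(text):
    """Return {(program, proto, port): {"name": str, "versions": set}}."""
    services = collections.OrderedDict()
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a registration row.
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        program, vers, proto, port = int(fields[0]), int(fields[1]), fields[2], int(fields[3])
        # The service name column is empty for programs rpcinfo cannot name.
        name = fields[4] if len(fields) > 4 else "unknown"
        entry = services.setdefault((program, proto, port), {"name": name, "versions": set()})
        entry["versions"].add(vers)
    return services

def audit(services, expected_programs):
    """Return sorted (severity, message) findings; expected_programs is a hypothetical allowlist."""
    findings = set()
    for (program, proto, port), info in services.items():
        where = f"{info['name']} (program {program}) on {port}/{proto}"
        if program in NFS_PROGRAMS:
            findings.add(("high", f"{where}: NFS stack registered, confirm export ACLs and firewalling"))
        elif program not in expected_programs:
            findings.add(("review", f"{where}: not in expected list, disable if unused"))
    return sorted(findings)

if __name__ == "__main__":
    for severity, message in audit(parse_rpcinfo(SAMPLE), expected_programs={100000}):
        print(f"[{severity}] {message}")
```

To audit a live host, pass the captured output of `rpcinfo -p` to `parse_rpcinfo` in place of `SAMPLE`.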
Real-Life Example
Exposed RPCbind was part of the kill chain in multiple NFS-based ransomware attacks where attackers remotely mounted shares after mapping them via port 111.
TL;DR
- Service: RPCbind / Portmapper
- Default Port: 111/TCP and UDP
- Risks: Remote code execution, service enumeration
- Mitigation: Restrict access, apply patches, monitor RPC services