Merge pull request #1647 from HackTricks-wiki/research_update_src_network-services-pentesting_pentesting-rpcbind_20251208_083146

Research Update Enhanced src/network-services-pentesting/pen...

Author: carlospolop

src/network-services-pentesting/pentesting-rpcbind.md

@@ -25,6 +25,19 @@ Sometimes it doesn't give you any information, in other occasions you will get s
 
 ![](<../images/image (553).png>)
 
+### Advanced `rpcinfo` usage
+
+Leverage `rpcinfo -T udp -p <target>` to pull the UDP program list even when TCP/111 is filtered, then immediately run `showmount -e <target>` to spot world-readable NFS exports registered through rpcbind.
+
+```bash
+rpcinfo -T udp -p 10.10.10.10
+showmount -e 10.10.10.10
+```
+
+### Exhaustive mapping with Nmap NSE
+
+Pair the classic scan with `nmap --script=rpcinfo,rpc-grind -p111 <target>` to brute-force RPC program numbers. `rpc-grind` hammers the portmapper with null calls that walk the `nmap-rpc` database, extracting supported versions whenever the remote daemon replies with "can't support version," which often reveals quietly registered services such as rusersd, rquotad or custom daemons. Multi-threading via `--script-args 'rpc-grind.threads=8'` speeds up large targets while the companion `rpcinfo` script prints human-readable tables you can diff against host baselines.
+
 ### Shodan
 
 - `port:111 portmap`
@@ -35,7 +48,7 @@ If you find the service NFS then probably you will be able to list and download(
 
 ![](<../images/image (872).png>)
 
-Read[ 2049 - Pentesting NFS service](nfs-service-pentesting.md) to learn more about how to test this protocol.
+Read [2049 - Pentesting NFS service](nfs-service-pentesting.md) to learn more about how to test this protocol.
 
 ## NIS
 
@@ -77,9 +90,6 @@ You could enumerate users of the box. To learn how read [1026 - Pentesting Rsuse
 
 When conducting a **nmap scan** and discovering open NFS ports with port 111 being filtered, direct exploitation of these ports is not feasible. However, by **simulating a portmapper service locally and creating a tunnel from your machine** to the target, exploitation becomes possible using standard tools. This technique allows for bypassing the filtered state of port 111, thus enabling access to NFS services. For detailed guidance on this method, refer to the article available at [this link](https://medium.com/@sebnemK/how-to-bypass-filtered-portmapper-port-111-27cee52416bc).
 
-## Shodan
-
-- `Portmap`
 
 ## Labs to practice
 
@@ -112,6 +122,10 @@ Entry_3:
   Command: nmap -sSUC -p 111 {IP}
 ```
 
+## References
+
+- [Nmap NSE: rpc-grind](https://nmap.org/nsedoc/scripts/rpc-grind.html)
+
 {{#include ../banners/hacktricks-training.md}}