id: rpcbind-portmapper-detect

info:
  name: Rpcbind Portmapper - Detect
  author: geeknik
  severity: info
  description: Rpcbind portmapper was detected.
  reference: https://book.hacktricks.xyz/pentesting/pentesting-rpcbind
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cwe-id: CWE-200
  metadata:
    max-request: 1
    shodan-query: port:"111"
    verified: true
  tags: network,rpcbind,portmap,detect

tcp:
  - inputs:
      - data: 8000002836ed646d0000000000000002000186a0000000040000000400000000000000000000000000000000
        type: hex

    host:
      - "{{Hostname}}"
    port: 111

    matchers:
      - type: word
        words:
          - "/run/rpcbind.sock"
# digest: 4b0a00483046022100d9265d34f5765ac8f6f4716a9aaccb2c566c6276019a306ab138208d0c971d8f022100eefe6b25c11f23f989f9b7f09450ad8b9a335b2bef4419ce3315f62746443c51:922c64590222798bb761d5b6d8e72950