CAPEC-307: TCP RPC Scan
An adversary scans for RPC services listing on a Unix/Linux host.
Last updated
Overview
This type of scan can be obtained via native operating system utilities or via port scanners like nmap. When performed by a scanner, an RPC datagram is sent to a list of UDP ports and the response is recorded. Particular types of responses can be indicative of well-known RPC services running on a UDP port. Discovering RPC services gives the adversary potential targets to attack, as some RPC services are insecure by default. Direct RPC scans that bypass portmapper/sunrpc are typically slow compare to other scan types, are easily detected by IPS/IDS systems, and can only detect open ports when an RPC service responds. ICMP diagnostic message responses can help identify closed ports, however filtered and unfiltered ports cannot be identified through TCP RPC scans. There are two general approaches to RPC scanning: One is to use a native operating system utility, or script, to query the portmapper/rpcbind application running on port 111. Portmapper will return a list of registered RPC services. Alternately, one can use a port scanner or script to scan for RPC services directly.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Experiment
An adversary sends RCP packets to target ports.
- Step 2Experiment
An adversary uses the response from the target to determine which, if any, RPC service is running on that port. Responses will vary based on which RPC service is running.
What the attacker needs
Prerequisites
- RPC scanning requires no special privileges when it is performed via a native system utility.
Resources required
- The ability to craft custom RPC datagrams for use during network reconnaissance via native OS utilities or a port scanning tool. By tailoring the bytes injected one can scan for specific RPC-registered services. Depending upon the method used it may be necessary to sniff the network in order to see the response.
Consequences
What a successful CAPEC-307 attack can achieve.
Other
Affects: Confidentiality
Bypass Protection Mechanism, Hide Activities
Affects: Confidentiality, Access Control, Authorization
How to mitigate it
Defenses that reduce the risk of CAPEC-307.
- Typically, an IDS/IPS system is very effective against this type of attack.
Frequently asked questions
Common questions about CAPEC-307.
- What is CAPEC-307?
- An adversary scans for RPC services listing on a Unix/Linux host.
- How does a TCP RPC Scan attack work?
- It typically unfolds over 2 phases. It begins with: An adversary sends RCP packets to target ports.
- How do you prevent CAPEC-307?
- Typically, an IDS/IPS system is very effective against this type of attack.
- What weaknesses does CAPEC-307 target?
- CAPEC-307 exploits 1 CWE weakness, including CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
- How severe is CAPEC-307?
- MITRE rates CAPEC-307 as Low severity.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-307
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.