MEDIUM: Open Portmapper Report

DESCRIPTION LAST UPDATED: 2023-12-18

DEFAULT SEVERITY LEVEL: MEDIUM

This report identifies hosts that have the Portmapper service running and accessible on the public Internet.

This service has the potential to be used in amplification attacks by criminals who wish to perform denial of service attacks. For general information on this service, see Wikipedia. See US-CERT Alert TA14-017A and Level3’s Blog for more.

In addition to being used in denial of service attacks, portmapper can be used to obtain a large amount of information about the target, including the NFS exports that are hosted by that device, if the mountd program is also accessible.

The analogous shell command to mimic our portmapper scan is:

rpcinfo -T udp -p [IP]

And the analogous shell command that mimics our probe of the mountd program is:

showmount -e [IP]

For simplicity, the programs in the output of the portmapper scan are kept numeric, but below is a mapping of common program numbers to names:

  Program Number    Program Name
  100000            portmapper
  100003            nfs
  100005            mountd
  100021            nlockmgr
  100024            status

You can track the latest portmapper exposure on our Dashboard.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

Filename(s): scan_portmapper

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the portmapper response came on (always UDP)
  • port
    Port that the portmapper response came from (usually 111/UDP)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Will always be portmapper
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • programs
    Semicolon delimited list of programs that portmapper claims to have accessible — the format of each entry is "[program number] [program version] [port/protocol];"
  • mountd_port
    Mountd port that was probed for NFS exports (if mountd is found to be running on the host)
  • exports
    Semicolon delimited list of NFS exports that the host claims to have available — the format of each entry is "[exported directory] [list of group restrictions (if any) for that export];"
  • sector
    Sector the IP belongs to
  • response_size
    Response size in bytes
  • amplification
    Amplification factor (this amplification is based solely on the payload size sent and the payload size received)
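
An added example (not the report provider's own tooling) of how a recipient might triage this report: it parses the `programs` and `exports` fields in the formats given above, maps program numbers to names using the table on this page, and sorts hosts that expose NFS or mountd first. The function names and the sample rows are constructed for illustration, and export directories are assumed to contain no spaces.

```python
import csv
import io

# Program-number mapping taken from the table on this page.
RPC_PROGRAMS = {100000: "portmapper", 100003: "nfs", 100005: "mountd",
                100021: "nlockmgr", 100024: "status"}

# Constructed sample rows in the report's column layout (not real scan data).
SAMPLE = '''\
"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","programs","mountd_port","exports","sector","response_size","amplification"
"2010-02-10 00:00:00",medium,192.168.0.1,udp,111,node01.example.com,portmapper,64512,ZZ,Region,City,0,ptr,"100000 4 111/udp; 100000 3 111/udp;",,,,148,3.70
"2010-02-10 00:00:01",medium,192.168.0.2,udp,111,node02.example.com,portmapper,64512,ZZ,Region,City,0,,"100000 2 111/udp; 100005 3 892/udp; 100005 3 892/udp; 100003 3 2049/udp; 100024 1 50510/udp;",892,"/mnt/export 192.168.0.0; /srv/data;",,508,12.70
'''

def parse_programs(field):
    """Return sorted, de-duplicated (number, version, port, proto) tuples."""
    seen = set()
    for entry in field.split(";"):
        parts = entry.split()
        if len(parts) != 3 or parts[2].count("/") != 1:
            continue  # skip empty or malformed entries
        port, proto = parts[2].split("/")
        if parts[0].isdigit() and parts[1].isdigit() and port.isdigit():
            seen.add((int(parts[0]), int(parts[1]), int(port), proto))
    return sorted(seen)

def parse_exports(field):
    """Return (directory, restrictions) pairs; restrictions may be empty."""
    out = []
    for entry in field.split(";"):
        parts = entry.split(None, 1)
        if parts:
            out.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return out

def triage(report_text):
    """Summarise each reported host; NFS/mountd exposure sorts first."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        progs = parse_programs(row["programs"])
        names = sorted({RPC_PROGRAMS.get(p[0], str(p[0])) for p in progs})
        exports = parse_exports(row["exports"])
        findings.append({
            "ip": row["ip"], "services": names,
            "nfs_exposed": bool({"nfs", "mountd"} & set(names)),
            "unrestricted_exports": [d for d, acl in exports if not acl],
            "amplification": float(row["amplification"])})
    # Hosts exposing NFS or mountd first, then highest amplification factor.
    return sorted(findings, key=lambda f: (not f["nfs_exposed"], -f["amplification"]))
```

Hosts at the top of the result are the ones to firewall or reconfigure first; `unrestricted_exports` lists exports that the report shows with no group restriction.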

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","programs","mountd_port","exports","sector","response_size","amplification"
"2010-02-10 00:00:00",medium,192.168.0.1,udp,111,node01.example.com,portmapper,64512,ZZ,Region,City,0,ptr,"100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;",,"/mnt/export 192.168.0.0","Communications, Service Provider, and Hosting Service",148,3.70
"2010-02-10 00:00:01",medium,192.168.0.2,udp,111,node02.example.com,portmapper,64512,ZZ,Region,City,0,,"100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100005 1 892/udp; 100005 1 892/udp; 100005 2 892/udp; 100005 2 892/udp; 100005 3 892/udp; 100005 3 892/udp; 100003 2 2049/udp; 100003 3 2049/udp; 100003 2 2049/udp; 100003 3 2049/udp; 100021 1 40451/udp; 100021 3 40451/udp; 100021 4 40451/udp; 100021 1 45039/udp; 100021 3 45039/udp; 100021 4 45039/udp; 100024 1 50510/udp; 100024 1 47810/udp;",,"/mnt/export 192.168.0.0",,508,12.70
"2010-02-10 00:00:02",medium,192.168.0.3,udp,111,node03.example.com,portmapper,64512,ZZ,Region,City,0,ptr,"100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;",,"/mnt/export 192.168.0.0","Communications, Service Provider, and Hosting Service",148,3.70
