# portmap dump request: like "rpcinfo -p" but via UDP instead
# send to UDP 111 and hope it's not a logging portmapper!
# split into longwords, since rpc apparently only deals with them
# (XDR encodes every field as a 4-byte big-endian unit)
#
# Record layout below: decimal byte value # hex # printable char ("." = none) # note
# The whole request is 40 bytes: six call-header words plus four auth words.
#
# Defensive notes:
#  - Nothing in this call authenticates the sender (AUTH_NONE), so a portmapper
#    reachable on 111 hands its service list to anyone who can reach it.
#    Filter 111/udp and 111/tcp from untrusted networks, or bind the portmapper
#    to internal interfaces only.
#  - UDP does not verify the source address and the reply outweighs this
#    40-byte request, so an exposed portmapper can be used to reflect traffic.
#  - For detection, this exact probe has a constant XID of 01 02 03 04 followed
#    by prog 100000, vers 2, proc 4.

001 # 0x01 # . # XID: 4 trash bytes (arbitrary id; the reply echoes it back)
002 # 0x02 # .
003 # 0x03 # .
004 # 0x04 # .

000 # 0x00 # . # MSG: int 0=call, 1=reply
000 # 0x00 # .
000 # 0x00 # .
000 # 0x00 # .

000 # 0x00 # . # call body: rpc version=2 (the RPC protocol itself, not pmap's)
000 # 0x00 # .
000 # 0x00 # .
002 # 0x02 # .

000 # 0x00 # . # call body: prog=PMAP, 100000 (0x000186a0)
001 # 0x01 # .
134 # 0x86 # .
160 # 0xa0 # .

000 # 0x00 # . # call body: progversion=2
000 # 0x00 # .
000 # 0x00 # .
002 # 0x02 # .

000 # 0x00 # . # call body: proc=DUMP, 4
000 # 0x00 # .
000 # 0x00 # .
004 # 0x04 # .

# with AUTH_NONE, there are 4 zero integers [16 bytes] here:
# credential flavor + length, then verifier flavor + length

000 # 0x00 # . # auth junk: cb_cred flavor: auth_unix = 1; NONE = 0
000 # 0x00 # .
000 # 0x00 # .
000 # 0x00 # .

000 # 0x00 # . # auth junk: cb_cred length = 0 (no credential body follows)
000 # 0x00 # .
000 # 0x00 # .
000 # 0x00 # .

000 # 0x00 # . # auth junk: cb_verf flavor, NONE = 0
000 # 0x00 # .
000 # 0x00 # .
000 # 0x00 # .

000 # 0x00 # . # auth junk: cb_verf length = 0 (no verifier body follows)
000 # 0x00 # .
000 # 0x00 # .
000 # 0x00 # .

# The reply you get back contains your XID, int 1 (message type = reply),
# int 0 if "accepted", a verifier, an accept status, and then
# a whole mess of gobbledygook containing program numbers, versions,
# and ports that rpcinfo knows how to decode. For the moment, you get
# to wade through it yourself...
# (The list is a chain of prog/vers/proto/port longwords, each entry
# preceded by a "more follows" flag word.)