# UDP mountd call. Use as input to find mount daemons and avoid portmap.
# Useful proc numbers are 2, 5, and 6.
# UDP-scan around between 600-800 to find most mount daemons.
# Using this with "2", plugged into "nc -u -v -w 2 victim X-Y" will
# directly scan *and* dump the current exports when mountd is hit.
# combine stdout *and* stderr thru "strings" or something to clean it up

000	# XID: 4 trash bytes
001
002
003

000	# message type: CALL = 0
000
000
000

000	# RPC version: 2
000
000
002

000	# program: mount = 100005 (0x000186a5)
001
0x86
0xa5

000	# mount version: 1
000
000
001

000	# procedure number -- put what you need here:
000	# 2 = dump, the mounted-filesystem list [showmount -a]
000	# 5 = export, the export list [showmount -e]
xxx	# "sed s/xxx/$1/ | data -g | nc ..." or some such...

000	# credentials flavor: AUTH_NULL = 0
000
000
000

000	# credentials length: 0
000
000
000

000	# verifier flavor: AUTH_NULL = 0
000
000
000

000	# verifier length: 0
000
000
000

000	# extra auth trash? probably not needed -- the RPC call header ends at 40 bytes
000
000
000

# that's it!
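# Added example (not part of netcat or this data file): a decoder for the ONC RPC
# call header laid out above, written from the monitoring side so a UDP payload sent
# straight to a mountd port can be recognised and the procedure named. Function
# names and the sample bytes are constructed here; the procedure names follow the
# MOUNT v1 program definition in RFC 1094.

```python
import struct

MOUNT_PROG = 100005          # program number from the data file (0x000186a5)
RPC_CALL = 0                 # msg_type CALL
# MOUNT v1 procedure names (RFC 1094); 2, 5 and 6 are the enumeration calls.
MOUNT_PROCS = {0: "NULL", 1: "MNT", 2: "DUMP", 3: "UMNT",
               4: "UMNTALL", 5: "EXPORT", 6: "EXPORTALL"}
ENUMERATION = {2, 5, 6}
MAX_AUTH_BODY = 400          # opaque_auth body limit from RFC 5531


def parse_rpc_call(payload: bytes):
    """Decode an ONC RPC v2 CALL header from a raw UDP payload.

    Handles any credential/verifier flavor by skipping each opaque_auth body
    (padded to a 4-byte boundary). Returns a dict or None if malformed.
    """
    if len(payload) < 24:
        return None
    xid, msg_type, rpc_vers, prog, vers, proc = struct.unpack("!6I", payload[:24])
    if msg_type != RPC_CALL or rpc_vers != 2:
        return None
    off = 24
    for _ in ("cred", "verf"):
        if len(payload) < off + 8:
            return None
        flavor, length = struct.unpack("!2I", payload[off:off + 8])
        if length > MAX_AUTH_BODY:
            return None
        off += 8 + ((length + 3) & ~3)      # skip body plus XDR padding
    if len(payload) < off:                  # truncated auth body
        return None
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc, "args_off": off}


def classify_mount_probe(payload: bytes):
    """Return a short verdict for a packet aimed at mountd, or None if unrelated."""
    hdr = parse_rpc_call(payload)
    if hdr is None or hdr["prog"] != MOUNT_PROG:
        return None
    name = MOUNT_PROCS.get(hdr["proc"], "UNKNOWN")
    kind = "enumeration" if hdr["proc"] in ENUMERATION else "other"
    return f"mount v{hdr['vers']} {name} ({kind})"


# Constructed sample: the data file's layout with procedure 5 (EXPORT) filled in,
# including the four trailing "extra auth trash" bytes, which the decoder ignores.
SAMPLE = struct.pack("!10I", 0x00010203, 0, 2, MOUNT_PROG, 1, 5, 0, 0, 0, 0) + b"\x00" * 4

if __name__ == "__main__":
    print(classify_mount_probe(SAMPLE))     # mount v1 EXPORT (enumeration)
```

# Fed a capture of UDP traffic to the 600-800 port range this identifies which mount
# procedures are being requested; anything other than an RPC CALL returns None.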