Script rpc-grind

Script types: portrule
Categories: version

Script Summary

Fingerprints the target RPC port to extract the target service, RPC number and version.

The script works by sending RPC Null call requests with a random high version unsupported number to the target service with iterated over RPC program numbers from the nmap-rpc file and check for replies from the target port. A reply with a RPC accept state 2 (Remote can't support version) means that we the request sent the matching program number, and we proceed to extract the supported versions. A reply with an accept state RPC accept state 1 (remote hasn't exported program) means that we have sent the incorrect program number. Any other accept state is an incorrect behaviour.

See also:

Script Arguments


Number of grinding threads. Defaults to 4

mount.version, nfs.version, rpc.protocol

See the documentation for the rpc library.

Example Usage

nmap -sV <target>
nmap --script rpc-grind <target>
nmap --script rpc-grind --script-args 'rpc-grind.threads=8' -p <targetport>

Script Output

53344/udp open  walld   1 (RPC #100008)



  • Hani Benhabiles

License: Same as Nmap--See