How to Nmap for CVE-2020-17051 - Windows Network File System Remote Code Execution Vulnerability
Because of CVE-2020-17051 (9.8 Critical, Windows Network File System Remote Code Execution Vulnerability), not sure what machine was providing NFS.
Needed to scan them:
$ sudo nmap -sS -pT:2049,111,U:2049,111 192.168.1.0/24 -oA nfs_scan
$ grep -i "open" nfs_scan.gnmap
Host: 192.168.1.50 (backup-srv.domian.local) Ports: 111/open/tcp//rpcbind///, 2049/open/tcp//nfs///
Host: 192.168.1.60 (printer1.domain.local) Ports: 111/open/tcp//rpcbind///, 2049/open/tcp//nfs///
Host: 192.168.1.50 (backup-srv.domian.local) Ports: 111/open/tcp//rpcbind///, 2049/open/tcp//nfs///
Host: 192.168.1.60 (printer1.domain.local) Ports: 111/open/tcp//rpcbind///, 2049/open/tcp//nfs///
One is for Veeam Backup & Replication; another is a Ricoh Printer.
On the backup-srv.domian.local:
PS C:\Windows\system32> netstat -ano | FINDSTR "111"
TCP 0.0.0.0:111 0.0.0.0:0 LISTENING 2532
TCP 0.0.0.0:111 0.0.0.0:0 LISTENING 2532
PS C:\Windows\system32> netstat -ano | FINDSTR "2049"
TCP 0.0.0.0:2049 0.0.0.0:0 LISTENING 2532
TCP 0.0.0.0:2049 0.0.0.0:0 LISTENING 2532
PS C:\Windows\system32> tasklist /fi "pid eq 2532"
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
VeeamNFSSvc.exe 2532 Services 0 6,932 K
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
VeeamNFSSvc.exe 2532 Services 0 6,932 K
It is for Veeam Backup & Replication.
No server providing Windows Network File System.
References
Update