data/showmount.d - platform/external/netcat - Git at Google

 # UDP mountd call.  Use as input to find mount daemons and avoid portmap.
 # Useful proc numbers are 2, 5, and 6.
 # UDP-scan around between 600-800 to find most mount daemons.
 # Using this with "2", plugged into "nc -u -v -w 2 victim X-Y" will
 # directly scan *and* dump the current exports when mountd is hit.
 # combine stdout *and* stderr thru "strings" or something to clean it up

 000	# XID: 4 trash bytes
 001
 002
 003

 000	# CALL: 0
 000
 000
 000

 000	# RPC version: 2
 000
 000
 002

 000	# mount: 100005
 001
 0x86
 0xa5

 000	# mount version: 1
 000
 000
 001

 000	# procedure number -- put what you need here:
 000	#	2 = dump  [showmount -e]
 000	#	5 = exportlist [showmount -a]
 xxx	# "sed s/xxx/$1/ | data -g | nc ..."  or some such...

 000	# port: junk
 000
 000
 000

 000	# auth trash
 000
 000
 000

 000	# auth trash
 000
 000
 000

 000	# auth trash
 000
 000
 000

 000	# extra auth trash?  probably not needed
 000
 000
 000

 # that's it!
	# UDP mountd call. Use as input to find mount daemons and avoid portmap.
	# Useful proc numbers are 2, 5, and 6.
	# UDP-scan around between 600-800 to find most mount daemons.
	# Using this with "2", plugged into "nc -u -v -w 2 victim X-Y" will
	# directly scan and dump the current exports when mountd is hit.
	# combine stdout and stderr thru "strings" or something to clean it up

	000 # XID: 4 trash bytes
	001
	002
	003

	000 # CALL: 0
	000
	000
	000

	000 # RPC version: 2
	000
	000
	002

	000 # mount: 100005
	001
	0x86
	0xa5

	000 # mount version: 1
	000
	000
	001

	000 # procedure number -- put what you need here:
	000 # 2 = dump [showmount -e]
	000 # 5 = exportlist [showmount -a]
	xxx # "sed s/xxx/$1/ \| data -g \| nc ..." or some such...

	000 # port: junk
	000
	000
	000

	000 # auth trash
	000
	000
	000

	000 # auth trash
	000
	000
	000

	000 # auth trash
	000
	000
	000

	000 # extra auth trash? probably not needed
	000
	000
	000

	# that's it!