1. In the UNIX RPC protocol suite, portmapper is responsible for locating which port number a particular RPC-based service is using. RPC programs are assigned a well-known "RPC program number" rather than well-known ports. In the RPC suite, the only program that is assigned a "well-known" port is the portmapper service at port 111. All the rest obtain a randomly assigned port number when they start up, then tell portmapper which port they are using. For example, the rpc.mountd RPC program is assigned the well-known program number of 100005. When it starts up, it might obtain the port number like 635. It then registers with the local portmapper (on the same machine) and gives it the [100005,635] combination. When a client program whishes to contact rpc.mountd, it first contacts portmapper and asks "where is program 1000005?". Portmapper replies with the current port, at which point the client program proceeds to talk with rpc.mountd on the correct port. Key point: In theory, you must have access to port 111 on the target machine in order to reach any RPC service. Therefore, some firewall administrators block access to port 111 on the mistaken belief that this will protect them. This belief is wrong because while it prevents an intruder from easily finding the target RPC services, they can still hunt for them. Using nmap, an intruder can first do a port scan to find open ports, then use the "NULL proc grinding" feature of nmap to figure out which RPC is listening on that port. Also, sometimes Sun puts another portmapper at a high port (like 32773) From Hacking-Lexicon