nmap -sV -p 111 --script=rpcinfo $RHOST
# If you find NFS-related services, enumerate those.
nmap -p 111 --script nfs* $RHOST
# RPC numeration
rpcclient -U "" -N 10.10.10.161
> enumdomusers
> enumdomgroups
> querygroup 0x200
> querygoupmem 0x200
> queryuser 0x1f4