hacktricks/network-services-pentesting/nfs-service-pentesting.md

# 2049 - Pentesting NFS Service

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## **Basic Information**

**NFS** ni mfumo ulioandaliwa kwa ajili ya **mteja/server** ambao unawawezesha watumiaji kufikia faili kwa urahisi kupitia mtandao kana kwamba faili hizi ziko ndani ya directory ya ndani.

Sifa muhimu ya protokali hii ni ukosefu wa **uthibitishaji** au **mitindo ya ruhusa** iliyojengwa ndani. Badala yake, ruhusa inategemea **taarifa za mfumo wa faili**, ambapo server inawajibika kutafsiri kwa usahihi **taarifa za mtumiaji zilizotolewa na mteja** katika **muundo wa ruhusa** unaohitajika na mfumo wa faili, hasa ikifuatilia **sintaks ya UNIX**.

Uthibitishaji mara nyingi unategemea **vitambulisho vya `UID`/`GID` vya UNIX na uanachama wa vikundi**. Hata hivyo, changamoto inatokea kutokana na uwezekano wa kutofautiana katika **mappings ya `UID`/`GID`** kati ya wateja na servers, na kuacha nafasi ya kuthibitisha zaidi na server. Kwa hivyo, protokali hii inafaa zaidi kutumika ndani ya **mitandao ya kuaminika**, kutokana na kutegemea njia hii ya uthibitishaji.

**Port ya kawaida**: 2049/TCP/UDP (isipokuwa toleo la 4, inahitaji tu TCP au UDP).&#x20;
```
2049/tcp open  nfs     2-3 (RPC #100003
```
### Versions

- **NFSv2**: Toleo hili linatambulika kwa ufanisi wake mpana na mifumo mbalimbali, likionyesha umuhimu wake katika operesheni za awali hasa kupitia UDP. Kwa kuwa **zamani** zaidi katika mfululizo, lilianzisha msingi wa maendeleo ya baadaye.

- **NFSv3**: Imeanzishwa kwa mfululizo wa maboresho, NFSv3 ilipanua juu ya mtangulizi wake kwa kusaidia ukubwa wa faili tofauti na kutoa mifumo bora ya kuripoti makosa. Licha ya maendeleo yake, ilikabiliwa na vikwazo katika ufanisi wa kurudi nyuma kwa wateja wa NFSv2.

- **NFSv4**: Toleo muhimu katika mfululizo wa NFS, NFSv4 ilileta seti ya vipengele vilivyoundwa kuboresha ushirikiano wa faili katika mitandao. Maboresho makubwa ni pamoja na ujumuishaji wa Kerberos kwa **usalama wa juu**, uwezo wa kupita kwenye moto na kufanya kazi juu ya Mtandao bila haja ya portmappers, msaada wa Orodha za Udhibiti wa Ufikiaji (ACLs), na utambulisho wa operesheni za msingi wa hali. Maboresho yake ya utendaji na kupitishwa kwa itifaki ya hali inafanya NFSv4 kuwa maendeleo muhimu katika teknolojia za ushirikiano wa faili mtandaoni.

Kila toleo la NFS limeandaliwa kwa nia ya kukabiliana na mahitaji yanayobadilika ya mazingira ya mtandao, ikiongeza usalama, ufanisi, na utendaji kwa hatua kwa hatua.

## Enumeration

### Useful nmap scripts
```bash
nfs-ls #List NFS exports and check permissions
nfs-showmount #Like showmount -e
nfs-statfs #Disk statistics and info from NFS share
```
### Moduli muhimu ya metasploit
```bash
scanner/nfs/nfsmount #Scan NFS mounts and list permissions
```
### Mounting

Ili kujua **ni folda ipi** ambayo seva **inapatikana** kukuwezesha kuikalia, unaweza kuomba kutumia:
```bash
showmount -e <IP>
```
Kisha iunganishi kwa kutumia:
```bash
mount -t nfs [-o vers=2] <ip>:<remote_folder> <local_folder> -o nolock
```
Unapaswa kubainisha **kutumia toleo la 2** kwa sababu halina **uthibitishaji** au **idhinisho**.

**Mfano:**
```bash
mkdir /mnt/new_back
mount -t nfs [-o vers=2] 10.12.0.150:/backup /mnt/new_back -o nolock
```
## Permissions

Ikiwa unakata folder ambayo ina **faili au folda zinazopatikana tu na mtumiaji fulani** (kwa **UID**). Unaweza **kuunda** **katika** eneo la ndani mtumiaji mwenye **UID** hiyo na kwa kutumia **mtumiaji** huyo utaweza **kupata** faili/folda.

## NSFShell

Ili orodhesha kwa urahisi, kukata na kubadilisha UID na GID ili kupata faili unaweza kutumia [nfsshell](https://github.com/NetDirect/nfsshell).

[Nice NFSShell tutorial.](https://www.pentestpartners.com/security-blog/using-nfsshell-to-compromise-older-environments/)

## Config files
```
/etc/exports
/etc/lib/nfs/etab
```
### Hatari mipangilio

- **Ruhusa za Kusoma na Kuandika (`rw`):** Mipangilio hii inaruhusu kusoma kutoka na kuandika kwenye mfumo wa faili. Ni muhimu kuzingatia athari za kutoa ufikiaji mpana kama huu.

- **Matumizi ya Bandari zisizo Salama (`insecure`):** Wakati imewezeshwa, hii inaruhusu mfumo kutumia bandari zilizo juu ya 1024. Usalama wa bandari zilizo juu ya kiwango hiki unaweza kuwa dhaifu, kuongeza hatari.

- **Uonekano wa Mifumo ya Faili Iliyojificha (`nohide`):** Mipangilio hii inafanya saraka kuonekana hata kama mfumo mwingine wa faili umewekwa chini ya saraka iliyosafirishwa. Kila saraka inahitaji kuingia yake ya usafirishaji kwa usimamizi sahihi.

- **Umiliki wa Faili za Mzazi (`no_root_squash`):** Kwa mipangilio hii, faili zinazoundwa na mtumiaji mzazi zinahifadhi UID/GID yao ya awali ya 0, bila kuzingatia kanuni ya haki ndogo na huenda ikatoa ruhusa nyingi kupita kiasi.

- **Kutoondoa Mzigo wa Watumiaji Wote (`no_all_squash`):** Chaguo hili linahakikisha kwamba vitambulisho vya watumiaji vinahifadhiwa katika mfumo mzima, ambavyo vinaweza kusababisha matatizo ya ruhusa na udhibiti wa ufikiaji ikiwa hayatatuliwa vizuri.

## Kuinua Haki kwa kutumia makosa ya NFS

[NFS no\_root\_squash na no\_all\_squash kuinua haki](../linux-hardening/privilege-escalation/nfs-no\_root\_squash-misconfiguration-pe.md)

## HackTricks Amri za Otomatiki
```
Protocol_Name: NFS    #Protocol Abbreviation if there is one.
Port_Number:  2049     #Comma separated if there is more than one.
Protocol_Description: Network File System         #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for NFS
Note: |
NFS is a system designed for client/server that enables users to seamlessly access files over a network as though these files were located within a local directory.

#apt install nfs-common
showmount 10.10.10.180      ~or~showmount -e 10.10.10.180
should show you available shares (example /home)

mount -t nfs -o ver=2 10.10.10.180:/home /mnt/
cd /mnt
nano into /etc/passwd and change the uid (probably 1000 or 1001) to match the owner of the files if you are not able to get in

https://book.hacktricks.xyz/pentesting/nfs-service-pentesting

Entry_2:
Name: Nmap
Description: Nmap with NFS Scripts
Command: nmap --script=nfs-ls.nse,nfs-showmount.nse,nfs-statfs.nse -p 2049 {IP}
```
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>
{% endhint %}