hacktricks/network-services-pentesting/nfs-service-pentesting.md

151 lines
8.7 KiB
Markdown
Raw Normal View History

2022-05-01 13:25:53 +00:00
# 2049 - Pentesting NFS Service
2022-04-28 16:01:33 +00:00
<details>
2023-04-25 18:35:28 +00:00
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2022-10-02 19:15:35 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2024-02-08 21:36:15 +00:00
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
2022-12-05 22:29:21 +00:00
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
2022-04-28 16:01:33 +00:00
</details>
2022-05-01 13:25:53 +00:00
## **Basic Information**
2024-02-08 21:36:15 +00:00
**NFS** is a system designed for **client/server** that enables users to seamlessly access files over a network as though these files were located within a local directory.
2024-02-08 21:36:15 +00:00
A notable aspect of this protocol is its lack of built-in **authentication** or **authorization mechanisms**. Instead, authorization relies on **file system information**, with the server tasked with accurately translating **client-provided user information** into the file system's required **authorization format**, primarily following **UNIX syntax**.
2022-10-02 19:15:35 +00:00
2024-02-08 21:36:15 +00:00
Authentication commonly relies on **UNIX `UID`/`GID` identifiers and group memberships**. However, a challenge arises due to the potential mismatch in **`UID`/`GID` mappings** between clients and servers, leaving no room for additional verification by the server. Consequently, the protocol is best suited for use within **trusted networks**, given its reliance on this method of authentication.
2022-10-02 19:15:35 +00:00
**Default port**: 2049/TCP/UDP (except version 4, it just needs TCP or UDP).&#x20;
2022-05-01 13:25:53 +00:00
```
2049/tcp open nfs 2-3 (RPC #100003
```
2022-10-02 19:15:35 +00:00
### Versions
2024-02-08 21:36:15 +00:00
- **NFSv2**: This version is recognized for its broad compatibility with various systems, marking its significance with initial operations predominantly over UDP. Being the **oldest** in the series, it laid the groundwork for future developments.
2022-10-02 19:15:35 +00:00
2024-02-08 21:36:15 +00:00
- **NFSv3**: Introduced with an array of enhancements, NFSv3 expanded on its predecessor by supporting variable file sizes and offering improved error reporting mechanisms. Despite its advancements, it faced limitations in full backward compatibility with NFSv2 clients.
- **NFSv4**: A landmark version in the NFS series, NFSv4 brought forth a suite of features designed to modernize file sharing across networks. Notable improvements include the integration of Kerberos for **high security**, the capability to traverse firewalls and operate over the Internet without the need for portmappers, support for Access Control Lists (ACLs), and the introduction of state-based operations. Its performance enhancements and the adoption of a stateful protocol distinguish NFSv4 as a pivotal advancement in network file sharing technologies.
Each version of NFS has been developed with the intent to address the evolving needs of network environments, progressively enhancing security, compatibility, and performance.
2022-10-02 19:15:35 +00:00
2022-05-01 13:25:53 +00:00
## Enumeration
2022-05-01 13:25:53 +00:00
### Useful nmap scripts
```bash
nfs-ls #List NFS exports and check permissions
nfs-showmount #Like showmount -e
nfs-statfs #Disk statistics and info from NFS share
```
2022-05-01 13:25:53 +00:00
### Useful metasploit modules
```bash
scanner/nfs/nfsmount #Scan NFS mounts and list permissions
```
2022-05-01 13:25:53 +00:00
### Mounting
To know **which folder** has the server **available** to mount you an ask it using:
```bash
showmount -e <IP>
```
Then mount it using:
```bash
mount -t nfs [-o vers=2] <ip>:<remote_folder> <local_folder> -o nolock
```
You should specify to **use version 2** because it doesn't have **any** **authentication** or **authorization**.
**Example:**
```bash
mkdir /mnt/new_back
mount -t nfs [-o vers=2] 10.12.0.150:/backup /mnt/new_back -o nolock
```
2022-05-01 13:25:53 +00:00
## Permissions
2022-05-01 13:25:53 +00:00
If you mount a folder which contains **files or folders only accesible by some user** (by **UID**). You can **create** **locally** a user with that **UID** and using that **user** you will be able to **access** the file/folder.
2022-05-01 13:25:53 +00:00
## NSFShell
To easily list, mount and change UID and GID to have access to files you can use [nfsshell](https://github.com/NetDirect/nfsshell).
[Nice NFSShell tutorial.](https://www.pentestpartners.com/security-blog/using-nfsshell-to-compromise-older-environments/)
2022-05-01 13:25:53 +00:00
## Config files
2022-05-01 13:25:53 +00:00
```
/etc/exports
/etc/lib/nfs/etab
```
2022-10-02 19:15:35 +00:00
### Dangerous settings
2024-02-08 21:36:15 +00:00
- **Read and Write Permissions (`rw`):** This setting allows both reading from and writing to the file system. It's essential to consider the implications of granting such broad access.
- **Use of Insecure Ports (`insecure`):** When enabled, this allows the system to utilize ports above 1024. The security of ports above this range can be less stringent, increasing risk.
- **Visibility of Nested File Systems (`nohide`):** This configuration makes directories visible even if another file system is mounted below an exported directory. Each directory requires its own export entry for proper management.
- **Root Files Ownership (`no_root_squash`):** With this setting, files created by the root user maintain their original UID/GID of 0, disregarding the principle of least privilege and potentially granting excessive permissions.
2022-10-02 19:15:35 +00:00
2024-02-08 21:36:15 +00:00
- **Non-Squashing of All Users (`no_all_squash`):** This option ensures that user identities are preserved across the system, which could lead to permission and access control issues if not correctly handled.
2022-10-02 19:15:35 +00:00
2022-05-01 13:25:53 +00:00
## Privilege Escalation using NFS misconfigurations
2022-05-01 13:25:53 +00:00
[NFS no\_root\_squash and no\_all\_squash privilege escalation](../linux-hardening/privilege-escalation/nfs-no\_root\_squash-misconfiguration-pe.md)
2022-05-01 13:25:53 +00:00
## HackTricks Automatic Commands
2021-08-12 12:55:42 +00:00
2022-05-01 13:25:53 +00:00
```
2021-08-12 12:55:42 +00:00
Protocol_Name: NFS #Protocol Abbreviation if there is one.
Port_Number: 2049 #Comma separated if there is more than one.
Protocol_Description: Network File System #Protocol Abbreviation Spelled out
2021-08-15 17:39:13 +00:00
Entry_1:
Name: Notes
Description: Notes for NFS
Note: |
2024-02-08 21:36:15 +00:00
NFS is a system designed for client/server that enables users to seamlessly access files over a network as though these files were located within a local directory.
2021-08-15 17:39:13 +00:00
#apt install nfs-common
showmount 10.10.10.180 ~or~showmount -e 10.10.10.180
2021-08-12 12:55:42 +00:00
should show you available shares (example /home)
2021-08-15 17:39:13 +00:00
mount -t nfs -o ver=2 10.10.10.180:/home /mnt/
cd /mnt
nano into /etc/passwd and change the uid (probably 1000 or 1001) to match the owner of the files if you are not able to get in
2021-08-12 12:55:42 +00:00
2021-08-15 17:39:13 +00:00
https://book.hacktricks.xyz/pentesting/nfs-service-pentesting
2021-08-12 12:55:42 +00:00
2021-08-15 17:39:13 +00:00
Entry_2:
Name: Nmap
Description: Nmap with NFS Scripts
2021-09-19 09:07:30 +00:00
Command: nmap --script=nfs-ls.nse,nfs-showmount.nse,nfs-statfs.nse -p 2049 {IP}
2021-08-12 12:55:42 +00:00
```
2022-04-28 16:01:33 +00:00
<details>
2023-04-25 18:35:28 +00:00
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2022-10-02 19:15:35 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2024-02-08 21:36:15 +00:00
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
2022-12-05 22:29:21 +00:00
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
2022-04-28 16:01:33 +00:00
</details>