9.4 KiB
2049 - Pentesting NFS Service
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
- Discover The PEASS Family, our collection of exclusive NFTs
- Get the official PEASS & HackTricks swag
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
Basic Information
It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory. It has the same purpose as SMB but it cannot talk to SMB.
The NFS protocol has no mechanism for authentication or authorization. The authorization is taken from the available information of the file system where the server is responsible for translating the user information supplied by the client to that of the file system and converting the corresponding authorization information as correctly as possible into the syntax required by UNIX.
The most common authentication is via UNIX UID/GID and group memberships, which is why this syntax is most likely to be applied to the NFS protocol. One problem is that the client and server do not necessarily have to have the same mappings of UID/GID to users and groups. No further checks can be made on the part of the server. This is why NFS should only be used with this authentication method in trusted networks.
Default port: 2049/TCP/UDP (except version 4, it just needs TCP or UDP).
2049/tcp open nfs 2-3 (RPC #100003
Versions
(From https://academy.hackthebox.com/module/112/section/1068)
| Version | Features |
|---|---|
NFSv2 |
It is older but is supported by many systems and was initially operated entirely over UDP. |
NFSv3 |
It has more features, including variable file size and better error reporting, but is not fully compatible with NFSv2 clients. |
NFSv4 |
It includes Kerberos, works through firewalls and on the Internet, no longer requires portmappers, supports ACLs, applies state-based operations, and provides performance improvements and high security. It is also the first version to have a stateful protocol. |
Enumeration
Useful nmap scripts
nfs-ls #List NFS exports and check permissions
nfs-showmount #Like showmount -e
nfs-statfs #Disk statistics and info from NFS share
Useful metasploit modules
scanner/nfs/nfsmount #Scan NFS mounts and list permissions
Mounting
To know which folder has the server available to mount you an ask it using:
showmount -e <IP>
Then mount it using:
mount -t nfs [-o vers=2] <ip>:<remote_folder> <local_folder> -o nolock
You should specify to use version 2 because it doesn't have any authentication or authorization.
Example:
mkdir /mnt/new_back
mount -t nfs [-o vers=2] 10.12.0.150:/backup /mnt/new_back -o nolock
Permissions
If you mount a folder which contains files or folders only accesible by some user (by UID). You can create locally a user with that UID and using that user you will be able to access the file/folder.
NSFShell
To easily list, mount and change UID and GID to have access to files you can use nfsshell.
Config files
/etc/exports
/etc/lib/nfs/etab
Dangerous settings
(From https://academy.hackthebox.com/module/112/section/1068)
| Option | Description |
|---|---|
rw |
Read and write permissions. |
insecure |
Ports above 1024 will be used. |
nohide |
If another file system was mounted below an exported directory, this directory is exported by its own exports entry. |
no_root_squash |
All files created by root are kept with the UID/GID 0. |
no_all_squash |
Privilege Escalation using NFS misconfigurations
NFS no_root_squash and no_all_squash privilege escalation
HackTricks Automatic Commands
Protocol_Name: NFS #Protocol Abbreviation if there is one.
Port_Number: 2049 #Comma separated if there is more than one.
Protocol_Description: Network File System #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for NFS
Note: |
It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory.
#apt install nfs-common
showmount 10.10.10.180 ~or~showmount -e 10.10.10.180
should show you available shares (example /home)
mount -t nfs -o ver=2 10.10.10.180:/home /mnt/
cd /mnt
nano into /etc/passwd and change the uid (probably 1000 or 1001) to match the owner of the files if you are not able to get in
https://book.hacktricks.xyz/pentesting/nfs-service-pentesting
Entry_2:
Name: Nmap
Description: Nmap with NFS Scripts
Command: nmap --script=nfs-ls.nse,nfs-showmount.nse,nfs-statfs.nse -p 2049 {IP}
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
- Discover The PEASS Family, our collection of exclusive NFTs
- Get the official PEASS & HackTricks swag
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.