hacktricks/network-services-pentesting/nfs-service-pentesting.md
2022-12-05 23:29:21 +01:00

9 KiB

2049 - Pentesting NFS Service

🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥

Basic Information

It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory. It has the same purpose as SMB but it cannot talk to SMB.

The NFS protocol has no mechanism for authentication or authorization. The authorization is taken from the available information of the file system where the server is responsible for translating the user information supplied by the client to that of the file system and converting the corresponding authorization information as correctly as possible into the syntax required by UNIX.

The most common authentication is via UNIX UID/GID and group memberships, which is why this syntax is most likely to be applied to the NFS protocol. One problem is that the client and server do not necessarily have to have the same mappings of UID/GID to users and groups. No further checks can be made on the part of the server. This is why NFS should only be used with this authentication method in trusted networks.

Default port: 2049/TCP/UDP (except version 4, it just needs TCP or UDP).

2049/tcp open  nfs     2-3 (RPC #100003

Versions

(From https://academy.hackthebox.com/module/112/section/1068)

Version Features
NFSv2 It is older but is supported by many systems and was initially operated entirely over UDP.
NFSv3 It has more features, including variable file size and better error reporting, but is not fully compatible with NFSv2 clients.
NFSv4 It includes Kerberos, works through firewalls and on the Internet, no longer requires portmappers, supports ACLs, applies state-based operations, and provides performance improvements and high security. It is also the first version to have a stateful protocol.

Enumeration

Useful nmap scripts

nfs-ls #List NFS exports and check permissions
nfs-showmount #Like showmount -e
nfs-statfs #Disk statistics and info from NFS share

Useful metasploit modules

scanner/nfs/nfsmount #Scan NFS mounts and list permissions

Mounting

To know which folder has the server available to mount you an ask it using:

showmount -e <IP>

Then mount it using:

mount -t nfs [-o vers=2] <ip>:<remote_folder> <local_folder> -o nolock

You should specify to use version 2 because it doesn't have any authentication or authorization.

Example:

mkdir /mnt/new_back
mount -t nfs [-o vers=2] 10.12.0.150:/backup /mnt/new_back -o nolock

Permissions

If you mount a folder which contains files or folders only accesible by some user (by UID). You can create locally a user with that UID and using that user you will be able to access the file/folder.

NSFShell

To easily list, mount and change UID and GID to have access to files you can use nfsshell.

Nice NFSShell tutorial.

Config files

/etc/exports
/etc/lib/nfs/etab

Dangerous settings

(From https://academy.hackthebox.com/module/112/section/1068)

Option Description
rw Read and write permissions.
insecure Ports above 1024 will be used.
nohide If another file system was mounted below an exported directory, this directory is exported by its own exports entry.
no_root_squash All files created by root are kept with the UID/GID 0.
no_all_squash

Privilege Escalation using NFS misconfigurations

NFS no_root_squash and no_all_squash privilege escalation

HackTricks Automatic Commands

Protocol_Name: NFS    #Protocol Abbreviation if there is one.
Port_Number:  2049     #Comma separated if there is more than one.
Protocol_Description: Network File System         #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for NFS
  Note: |
    It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory.

    #apt install nfs-common
    showmount 10.10.10.180      ~or~showmount -e 10.10.10.180
    should show you available shares (example /home)

    mount -t nfs -o ver=2 10.10.10.180:/home /mnt/
    cd /mnt
    nano into /etc/passwd and change the uid (probably 1000 or 1001) to match the owner of the files if you are not able to get in

    https://book.hacktricks.xyz/pentesting/nfs-service-pentesting

Entry_2:
  Name: Nmap
  Description: Nmap with NFS Scripts
  Command: nmap --script=nfs-ls.nse,nfs-showmount.nse,nfs-statfs.nse -p 2049 {IP}
🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥