2049 - Pentesting NFS Service
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory. It has the same purpose as SMB but it cannot talk to SMB.
The NFS protocol has no mechanism for authentication or authorization. The authorization is taken from the available information of the file system where the server is responsible for translating the user information supplied by the client to that of the file system and converting the corresponding authorization information as correctly as possible into the syntax required by UNIX.
The most common authentication is via UNIX
UID
/GID
and group memberships
, which is why this syntax is most likely to be applied to the NFS protocol. One problem is that the client and server do not necessarily have to have the same mappings of UID/GID to users and groups. No further checks can be made on the part of the server. This is why NFS should only be used with this authentication method in trusted networks.Default port: 2049/TCP/UDP (except version 4, it just needs TCP or UDP).
2049/tcp open nfs 2-3 (RPC #100003
Version | Features |
NFSv2 | It is older but is supported by many systems and was initially operated entirely over UDP. |
NFSv3 | It has more features, including variable file size and better error reporting, but is not fully compatible with NFSv2 clients. |
NFSv4 | It includes Kerberos, works through firewalls and on the Internet, no longer requires portmappers, supports ACLs, applies state-based operations, and provides performance improvements and high security. It is also the first version to have a stateful protocol. |
nfs-ls #List NFS exports and check permissions
nfs-showmount #Like showmount -e
nfs-statfs #Disk statistics and info from NFS share
scanner/nfs/nfsmount #Scan NFS mounts and list permissions
To know which folder has the server available to mount you an ask it using:
showmount -e <IP>
Then mount it using:
mount -t nfs [-o vers=2] <ip>:<remote_folder> <local_folder> -o nolock
You should specify to use version 2 because it doesn't have any authentication or authorization.
Example:
mkdir /mnt/new_back
mount -t nfs [-o vers=2] 10.12.0.150:/backup /mnt/new_back -o nolock
If you mount a folder which contains files or folders only accesible by some user (by UID). You can create locally a user with that UID and using that user you will be able to access the file/folder.
/etc/exports
/etc/lib/nfs/etab
Option | Description |
rw | Read and write permissions. |
insecure | Ports above 1024 will be used. |
nohide | If another file system was mounted below an exported directory, this directory is exported by its own exports entry. |
no_root_squash | All files created by root are kept with the UID/GID 0. |
no_all_squash | ​ |
Protocol_Name: NFS #Protocol Abbreviation if there is one.
Port_Number: 2049 #Comma separated if there is more than one.
Protocol_Description: Network File System #Protocol Abbreviation Spelled out
​
Entry_1:
Name: Notes
Description: Notes for NFS
Note: |
It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory.
​
#apt install nfs-common
showmount 10.10.10.180 ~or~showmount -e 10.10.10.180
should show you available shares (example /home)
​
mount -t nfs -o ver=2 10.10.10.180:/home /mnt/
cd /mnt
nano into /etc/passwd and change the uid (probably 1000 or 1001) to match the owner of the files if you are not able to get in
​
https://book.hacktricks.xyz/pentesting/nfs-service-pentesting
​
Entry_2:
Name: Nmap
Description: Nmap with NFS Scripts
Command: nmap --script=nfs-ls.nse,nfs-showmount.nse,nfs-statfs.nse -p 2049 {IP}
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!