Links

2049 - Pentesting NFS Service

Basic Information

It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory. It has the same purpose as SMB but it cannot talk to SMB.
The NFS protocol has no mechanism for authentication or authorization. The authorization is taken from the available information of the file system where the server is responsible for translating the user information supplied by the client to that of the file system and converting the corresponding authorization information as correctly as possible into the syntax required by UNIX.
The most common authentication is via UNIX UID/GID and group memberships, which is why this syntax is most likely to be applied to the NFS protocol. One problem is that the client and server do not necessarily have to have the same mappings of UID/GID to users and groups. No further checks can be made on the part of the server. This is why NFS should only be used with this authentication method in trusted networks.
Default port: 2049/TCP/UDP (except version 4, it just needs TCP or UDP).
2049/tcp open nfs 2-3 (RPC #100003

Versions

Version
Features
NFSv2
It is older but is supported by many systems and was initially operated entirely over UDP.
NFSv3
It has more features, including variable file size and better error reporting, but is not fully compatible with NFSv2 clients.
NFSv4
It includes Kerberos, works through firewalls and on the Internet, no longer requires portmappers, supports ACLs, applies state-based operations, and provides performance improvements and high security. It is also the first version to have a stateful protocol.

Enumeration

Useful nmap scripts

nfs-ls #List NFS exports and check permissions
nfs-showmount #Like showmount -e
nfs-statfs #Disk statistics and info from NFS share

Useful metasploit modules

scanner/nfs/nfsmount #Scan NFS mounts and list permissions

Mounting

To know which folder has the server available to mount you an ask it using:
showmount -e <IP>
Then mount it using:
mount -t nfs [-o vers=2] <ip>:<remote_folder> <local_folder> -o nolock
You should specify to use version 2 because it doesn't have any authentication or authorization.
Example:
mkdir /mnt/new_back
mount -t nfs [-o vers=2] 10.12.0.150:/backup /mnt/new_back -o nolock

Permissions

If you mount a folder which contains files or folders only accesible by some user (by UID). You can create locally a user with that UID and using that user you will be able to access the file/folder.

NSFShell

To easily list, mount and change UID and GID to have access to files you can use nfsshell.
​Nice NFSShell tutorial.​

Config files

/etc/exports
/etc/lib/nfs/etab

Dangerous settings

Option
Description
rw
Read and write permissions.
insecure
Ports above 1024 will be used.
nohide
If another file system was mounted below an exported directory, this directory is exported by its own exports entry.
no_root_squash
All files created by root are kept with the UID/GID 0.
no_all_squash
​

Privilege Escalation using NFS misconfigurations

HackTricks Automatic Commands

Protocol_Name: NFS #Protocol Abbreviation if there is one.
Port_Number: 2049 #Comma separated if there is more than one.
Protocol_Description: Network File System #Protocol Abbreviation Spelled out
​
Entry_1:
Name: Notes
Description: Notes for NFS
Note: |
It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory.
​
#apt install nfs-common
showmount 10.10.10.180 ~or~showmount -e 10.10.10.180
should show you available shares (example /home)
​
mount -t nfs -o ver=2 10.10.10.180:/home /mnt/
cd /mnt
nano into /etc/passwd and change the uid (probably 1000 or 1001) to match the owner of the files if you are not able to get in
​
https://book.hacktricks.xyz/pentesting/nfs-service-pentesting
​
Entry_2:
Name: Nmap
Description: Nmap with NFS Scripts
Command: nmap --script=nfs-ls.nse,nfs-showmount.nse,nfs-statfs.nse -p 2049 {IP}