2049 - Pentesting NFS Service

Basic Information

It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory.

Default port: 2049

2049/tcp open nfs 2-3 (RPC #100003)

Mount an exported folder with:

mount -t nfs [-o vers=2] <ip>:<remote_folder> <local_folder> -o nolock

To find out which folders the server makes available to mount, you can ask it using:

showmount -e <IP>

You should specify version 2 because it doesn't have any authentication or authorization.

Further enumeration is possible through the RPCBind port.

Example

mkdir /mnt/new_back
mount -t nfs -o vers=2,nolock 10.12.0.150:/backup /mnt/new_back

Permissions

If you mount a folder that contains files or folders accessible only by some user (by UID), you can create a local user with that UID, and using that user you will be able to access the file/folder.

NFSShell

To easily list, mount, and change UID and GID to gain access to files, you can use nfsshell.

Nice NFSShell tutorial.

Config files

/etc/exports
/etc/lib/nfs/xtab

Privilege Escalation using NFS misconfigurations

NFS no_root_squash and no_all_squash privilege escalation
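
A server-side check for the points above: it parses /etc/exports and flags entries that use no_root_squash, that use insecure, or that let any host mount with client-asserted UIDs (the behaviour described under Permissions). This is an added example, not code from the original page; the function names, issue labels and sample exports content are constructed for illustration.

```python
import shlex

# Constructed sample in exports(5) syntax; not taken from a real host.
SAMPLE = r'''
# path          client(options) ...
/backup         *(rw,no_root_squash)
/home           10.12.0.0/24(rw,sync) backup01 (rw)
"/srv/pub data" -ro,all_squash *
/secure         *.corp.example(rw,sec=krb5p)
'''

def parse_exports(text):
    """Yield (path, client, options) for every client entry."""
    for line in text.replace("\\\n", " ").splitlines():  # join continued lines
        tokens = shlex.split(line, comments=True)         # quoted paths, # comments
        if not tokens:
            continue
        path, defaults = tokens[0], []
        for tok in tokens[1:]:
            if tok.startswith("-"):   # "-opt,opt": defaults for the clients that follow
                defaults = tok[1:].split(",")
                continue
            client, _, raw = tok.partition("(")
            opts = [o for o in raw.rstrip(")").split(",") if o]
            # An empty client name, e.g. the stray space in "host (rw)", means every host.
            yield path, client or "*", set(defaults + opts)

def trusts_client_uid(opts):
    """True when the server accepts whatever UID/GID the client asserts (sec=sys)."""
    flavors = next((o[4:] for o in opts if o.startswith("sec=")), "sys").split(":")
    return "sys" in flavors and "all_squash" not in opts

def audit(text):
    """Return (path, client, issue) tuples for entries that weaken UID-based access control."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash"))   # client root stays UID 0
        if "insecure" in opts:
            findings.append((path, client, "insecure"))         # unprivileged source ports accepted
        if client == "*" and trusts_client_uid(opts):
            findings.append((path, client, "world_uid_trust"))  # any host, any claimed UID
    return findings

if __name__ == "__main__":
    for path, client, issue in audit(SAMPLE):
        print(f"{path:15} {client:5} {issue}")
```

The /home line shows the classic stray-space mistake: backup01 gets default options while "(rw)" applies to every host.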