NFS

Port TCP/UDP 2049

Theory

NFS is a distributed file system protocol that allows a user on a client computer to access files over a computer network much like local storage is accessed. Default ports are 111 (RPC Port Mapper) and 2049.

The NFS protocol has no mechanism for authentication or authorization. The authorization is taken from the available information of the file system where the server is responsible for translating the user information supplied by the client to that of the file system and converting the corresponding authorization information as correctly as possible into the syntax required by UNIX.

Practice

Enumeration

Following nmap scripts can be used to enumerate a NFS server

nmap --script=nfs-ls,nfs-statfs,nfs-showmount -p 111,2049 <target-ip>

Enumerate NFS Shares / Mount points

To know which folder has the server available to mount you can use following commands and modules

showmount -e <IP>

This metasploit module can Scan NFS mounts and list permissions

msf5> use scanner/nfs/nfsmount

Mount NFS Shares

If we find a folder available, we can mount it to local folder.

Create a new folder under /mnt

sudo mkdir /mnt/NsfShare

Now mount the folder

# -t: Type
# -o nolock: Option. 'nolock' disables file locking. It's required for older NFS servers.
sudo mount -t nfs <target-ip>:/target/dir /mnt/test -o nolock

# -o vers=2: 
sudo mount -t nfs <target-ip>:/target/dir /mnt/test -o nolock -o vers=2

To confirm or unmount shares, you can use following commands

# Confirm mounting successfully
ls /mnt/test

# Clean up the mounted folder
sudo umount /mnt/test
sudo rm -r /mnt/test

Permissions

The most common authentication is via UNIX UID/GID and group memberships, which is why this syntax is most likely to be applied to the NFS protocol. One problem is that the client and server do not necessarily have to have the same mappings of UID/GID to users and groups. No further checks can be made on the part of the server. This is why NFS should only be used with this authentication method in trusted networks.

If you mount a folder which contains files or folders only accesible by some user (by UID). You can create locally a user with that UID and using that user you will be able to access the file/folder.

Config files & settings

The NFS server configuration can be found in its local files

/etc/exports
/etc/lib/nfs/etab

Some settings can be dangerous and even allow local privileges escalation:

Option Description

Option	Description
`rw`	Read and write permissions.
`insecure`	Ports above 1024 will be used. in secure mode, forces the client to communicate using a port below 1024, hence proving they are root
`nohide`	If another file system was mounted below an exported directory, this directory is exported by its own exports entry.
`no_root_squash`	All files created by root are kept with the UID/GID 0. See this page.
`no_all_squash`	This is similar to no_root_squash option but applies to non-root users. See this page.

rw

Read and write permissions.

insecure

Ports above 1024 will be used. in secure mode, forces the client to communicate using a port below 1024, hence proving they are root

nohide

If another file system was mounted below an exported directory, this directory is exported by its own exports entry.

no_root_squash

All files created by root are kept with the UID/GID 0. See this page.

no_all_squash

This is similar to no_root_squash option but applies to non-root users. See this page.

Local Privilege Escalation

We can abuse the no_root_squash and no_all_squash NFS configurations, as explained on this page.

pageNFS no_root_squash/no_all_squash

Resources

2049 - Pentesting NFS ServiceHackTricks

NFS (Network File System) Pentesting | Exploit Noteshideckies

Last updated 6 months ago