search

NFS

hashtag
Network File System - Port 2049

  • Allows a user on a client computer to access files over a network as if it were local

nmap -sV -script=nfs-showmount <tgt>
showmount -e <tgt>

hashtag
NFS - Find and Enum

nmap -v -p 111 10.x.x.0/24 -oG nfs.nmap
cat nfs.nmap | grep 111 | grep -v "Nmap" | awk '{print $2}' > nfs.ip 
nmap -sV -p111 --script=rpcinfo -iL nfs.ip
ls -l /usr/share/nmap/scripts/nfs*
nmap -p111 --script nfs* -iL nfs.ip nfs.enum

hashtag
NFS - Sweep

  • Wildcard NSE didnt work well

  • Better to run NSE individually or as a Loop

> nmap -sV -p111,2049 10.x.x.0/24 -oG nfs.nmap 
> grep open nfs.nmap | cut -d' ' -f2 > nfs.ip 

> nmap -sV -p111,2049 --script=rpcinfo -iL nfs.ip -oN rpc_scripts.nmap
> nmap -sV -p111 --script=nfs* -iL nfs.ip -oN nfs_scripts2.nmap

> for vuln in $(ls -1 /usr/share/nmap/scripts/nfs* | cut -d "/" -f6); 
do nmap -p 111 --script $vuln 10.11.1.72; done

hashtag
NFS Root Squashing

  • Network File System

  • Send a rootbash over NFS with local root impersonating remote root

  • Only works if "no_root_squash" is setup

  • Remote users can: mount/access/create/modify files

  • Default: Created files inherit remote user/group ID

  • Even if not on the NFS server

  • How NFS protects obvious privesc

  • If remote user claims to be root uid=0

  • NFS will squash and treat as a nobody

  • Feature can be disabled!

  • REF: TarBackups

PreviousMySqlNextOracle

Last updated