NFS Pentesting Notes

Protocol Overview

Basic Information

• Port: TCP/UDP 2049 (NFS), TCP/UDP 111 (RPC)

• Protocol Type: Application layer

• Purpose: Remote file system mounting and access

• Security: Relies on Unix-style permissions and RPC authentication

Protocol Versions

Initial Enumeration

Port Scanning

# Basic NFS scan
nmap -p111,2049 -sV <target>

# Aggressive scan with scripts
nmap -p111,2049 -sV -sC -A <target>

# All NFS scripts
nmap -p111,2049 --script nfs* <target>

RPC Information Gathering

Share Operations

Listing Shares

Mounting Shares

Common NSE Scripts

Quick Reference Commands

Access Control Bypass

Root Squashing Bypass

Permission Analysis

Configuration Files

Server Configuration

• Main config: /etc/exports

• RPC settings: /etc/default/nfs-kernel-server

• Systemd unit: /lib/systemd/system/nfs-kernel-server.service

Client Configuration

• Mount settings: /etc/fstab

• RPC settings: /etc/default/nfs-common

• Systemd unit: /lib/systemd/system/nfs-client.target

Export Options

Critical Settings

Common Vulnerabilities

1. Configuration Issues

   • no_root_squash enabled

   • Insecure export options

   • World-readable sensitive files

   • Improper access controls

2. Version-specific

   • NFSv2/v3 lack encryption

   • RPC vulnerabilities

   • Authentication bypasses

3. Implementation Issues

   • Race conditions

   • Buffer overflows

   • Arbitrary file access

Post-Exploitation

Information Gathering

Privilege Escalation

Common Status Codes

Best Practices for Pentesting

1. Initial Reconnaissance

   • Identify NFS version

   • List available shares

   • Check mount permissions

   • Analyze export options

2. Deep Enumeration

   • Mount all accessible shares

   • Check file permissions

   • Look for sensitive data

   • Identify misconfigurations

3. Documentation

   • Record available shares

   • Note mount options

   • Document file permissions

   • Save vulnerability evidence

4. Risk Assessment

   • Evaluate export options

   • Check for sensitive data exposure

   • Assess potential for privilege escalation

   • Consider network exposure

5. Common Attack Vectors

   • Root squashing bypass

   • File permission abuse

   • SUID binary creation

   • Sensitive file access

6. Mitigation Recommendations

   • Enable root squashing

   • Use restrictive export options

   • Implement proper access controls

   • Enable encryption (NFSv4)

   • Regular security audits

   • Network segmentation