NFS Enumeration
Overview
Network File System (NFS) is a network file system developed by Sun Microsystems with the same purpose as SMB - to access file systems over a network as if they were local. However, it uses an entirely different protocol and is primarily used between Linux and Unix systems.
Key Characteristics:
Uses ONC-RPC/SUN-RPC protocol on TCP/UDP port 111
Main service runs on TCP/UDP port 2049
Uses External Data Representation (XDR) for system-independent data exchange
No built-in authentication mechanism (relies on RPC protocol options)
Authorization derived from file system information
NFS Versions
NFSv2: Older version supported by many systems, initially operated entirely over UDP
NFSv3: More features including variable file size and better error reporting, not fully compatible with NFSv2 clients
NFSv4: Includes Kerberos, works through firewalls, no longer requires portmappers, supports ACLs, state-based operations, performance improvements and high security. First stateful protocol version
NFSv4.1: Protocol support for cluster server deployments, scalable parallel access (pNFS extension), session trunking/NFS multipathing
NFSv4 Advantages:
Only uses one port (2049) - simplifies firewall configuration
Stateful protocol
Better security features
Kerberos authentication support
Default Configuration
NFS configuration is managed through the /etc/exports file, which contains a table of physical filesystems accessible by clients.
Example /etc/exports:
NFS Configuration Options
rw: Read and write permissions
ro: Read only permissions
sync: Synchronous data transfer (slower but safer)
async: Asynchronous data transfer (faster but less safe)
secure: Ports above 1024 will not be used
insecure: Ports above 1024 will be used
no_subtree_check: Disables subdirectory tree checking
root_squash: Maps root UID/GID 0 to anonymous, prevents root access
no_root_squash: All files created by root keep UID/GID 0
nohide: Exports mounted subdirectories with their own entries
Dangerous Settings
⚠️ High-Risk Configurations:
rw (High): Allows write access to shares
insecure (High): Allows ports above 1024 (non-root ports)
no_root_squash (Critical): Preserves root privileges - allows root access
nohide (Medium): Exports mounted subdirectories separately
Enumeration Techniques
1. Port Scanning
2. RPC Information Gathering
3. NFS-Specific Enumeration
4. NFS Share Mounting
5. Content Analysis
Advanced Enumeration
Using Nmap NSE Scripts
Manual RPC Enumeration
Security Issues and Attack Vectors
1. Authentication Bypass
Issue: NFS relies on UID/GID mapping without proper authentication
Impact: Access to files based on numeric user IDs
Exploitation: Create local users with matching UIDs
2. Privilege Escalation
Issue: no_root_squash configuration preserves root privileges
Impact: Root access to NFS shares
Exploitation: Upload SUID binaries, access sensitive files
3. Information Disclosure
Issue: World-readable shares or misconfigured permissions
Impact: Unauthorized access to sensitive data
Exploitation: Mount shares and browse contents
4. File System Manipulation
Issue: Write permissions on critical directories
Impact: Modify system files, plant backdoors
Exploitation: Upload malicious files, modify configurations
Exploitation Examples
UID/GID Manipulation
SUID Binary Upload (when no_root_squash is set)
Enumeration Checklist
Initial Discovery
Share Analysis
Security Assessment
Defensive Measures
Secure Configuration
Best Practices
Use root_squash: Always enable root squashing
Restrict networks: Limit access to specific subnets
Read-only when possible: Use ro for shares that don't need write access
Use secure option: Prevent use of high-numbered ports
Enable sync: Use synchronous writes for data integrity
Regular audits: Monitor NFS configurations and access logs
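For the "Regular audits" practice, the following added example (not part of the original page) checks exports-style text against the options rated under Dangerous Settings and also reports entries that any host can reach. The function name, the sample paths and networks, and the "Unrated" label are assumptions made for illustration; the parser assumes the common `path client(options)` layout.

```python
import re

# Ratings copied from the "Dangerous Settings" list on this page.
RISKY = {"no_root_squash": "Critical", "rw": "High",
         "insecure": "High", "nohide": "Medium"}
# One client spec: optional host/network, then optional "(opt,opt,...)".
CLIENT = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")

# Constructed sample for illustration, not taken from a real host.
SAMPLE = """\
# constructed sample exports file
/srv/docs      10.10.10.0/24(ro,sync,root_squash)
/srv/build     10.10.10.0/24(rw,sync,no_root_squash) \\
               *(ro,insecure)
/mnt/scratch   (rw,nohide)
"""

def audit_exports(text):
    """Return (path, client, option, rating) findings for exports-style text."""
    findings = []
    # Join backslash-continued lines, then drop comments and blank lines.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = CLIENT.fullmatch(spec)
            if m is None:
                continue  # not in the assumed host(options) form
            # A bare "(options)" entry has no host and applies to everyone.
            host = m.group(1) or "*"
            options = {o.strip() for o in (m.group(2) or "").split(",") if o.strip()}
            for opt in sorted(options & set(RISKY)):
                findings.append((path, host, opt, RISKY[opt]))
            # "Restrict networks" is a best practice on this page; the page
            # gives it no rating, so the label here is an assumption.
            if host == "*":
                findings.append((path, host, "wildcard_client", "Unrated"))
    return findings

if __name__ == "__main__":
    for path, host, opt, rating in audit_exports(SAMPLE):
        print(f"{rating:8} {path:14} {host:16} {opt}")
```
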
Monitoring
Cleanup