NFS (Port 2049)

NFS

Network File System (NFS) is an RPC-based file-sharing protocol that is often found on Linux machines. To learn more about NFS and RPC, read "distributed systems -- example architectures" and "distributed systems -- remote procedure call".

To share files, a system administrator configures /etc/exports to specify which hosts are allowed to communicate with the NFS service. Misconfigurations in /etc/exports can make NFS vulnerable. There are two scenarios in which NFS can be exploited:

  1. Anyone can read the exported files.

  2. The attacker gets a shell on the victim machine and this victim machine is whitelisted.

Once we verify that the NFS is vulnerable, we should try to mount the exported directory to a local directory and read the files in it. Here is a step-by-step guide:

# Step 1: Collect information about the NFS service
$ nmap --script nfs-ls,nfs-showmount,nfs-statfs <ip>
$ showmount -e <ip>

# Step 2: Create a new directory for mounting
$ mkdir /mnt/new_back

# Step 3: Mount the remote directory to our local directory
$ mount -t nfs <ip>:<remote_directory> <local_directory> -o nolock

# Step 4 (optional): Verify if the remote directory was successfully mounted
$ mount

# Step 5: Now the files from the remote directory can be found in /mnt/new_back
$ cd /mnt/new_back && ls -la
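
From the administrator's side, both scenarios above come down to what /etc/exports allows. The following added example (not part of the original page) parses exports(5) syntax and reports, per export, the allowed clients and whether any host can mount it. The sample file, paths and host names are constructed, and export paths are assumed to contain no spaces.

```python
import re

# Client specs that match every host. "" is a bare "(opts)" token, which the
# NFS server applies to any client (the classic "host (rw)" stray-space bug).
ANY_HOST = {"", "*", "0.0.0.0/0", "::/0"}

# Constructed sample in exports(5) syntax; every path and host is made up.
SAMPLE_EXPORTS = r"""
# backups: one admin workstation only
/srv/backup    10.0.5.20(rw,sync)
/srv/public    *(ro,sync)
/srv/projects  build01.example.internal (rw,sync)
/srv/media     10.0.5.0/24(ro) \
               0.0.0.0/0(ro)
"""

def parse_exports(text):
    """Yield (path, [(client, options), ...]) per export entry."""
    text = text.replace("\\\n", " ")            # join continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # strip comments
        if not line:
            continue
        path, *specs = line.split()
        clients = []
        for spec in specs:
            if spec.startswith("-"):            # "-opts" sets defaults, not a client
                continue
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", spec)
            client, opts = (m.group(1), m.group(2) or "") if m else (spec, "")
            clients.append((client, opts))
        # No client at all: record it as "" so the entry is flagged for review.
        yield path, clients or [("", "")]

def audit(text):
    """Map each export path to its client list and an any-host flag."""
    report = {}
    for path, clients in parse_exports(text):
        names = [c for c, _ in clients]
        report[path] = {"clients": names,
                        "any_host": any(c in ANY_HOST for c in names)}
    return report

if __name__ == "__main__":
    for path, info in audit(SAMPLE_EXPORTS).items():
        status = "OPEN TO ANY HOST" if info["any_host"] else "restricted"
        listed = ", ".join(c or "<anonymous>" for c in info["clients"])
        print(f"{path:15} {status:17} clients: {listed}")
```

Exports flagged as open correspond to the first scenario; for the rest, the listed clients are the hosts whose compromise leads to the second scenario, so each one should be a deliberate, reviewed entry.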
