NFS (Port 2049)
NFS
Network File System (NFS) is an RPC-based file sharing protocol that is often found on Linux machines. To learn more about NFS and RPC, read distributed systems -- example architectures and distributed systems -- remote procedure call.
To share files, a system administrator configures /etc/exports to specify which hosts are allowed to communicate with the NFS service. Misconfigurations in /etc/exports can make NFS vulnerable. There are two scenarios in which NFS can be exploited:
Anyone can read the exported files.
The attacker gets a shell on the victim machine and this victim machine is whitelisted.
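To check a server for both scenarios from the admin side, the following added example (not part of the original page) parses /etc/exports text, reports exports that any host can mount, and lists which hosts each export trusts. The function names and the sample file are constructed for illustration, and the parser assumes export paths contain no spaces.

```python
import re

# Client specs that match every host: bare "(opts)", "*", or an all-covering network.
WORLD = {"", "*", "0.0.0.0/0", "::/0"}
CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^)]*)\))?$")

# Constructed sample, not taken from a real host.
SAMPLE = """\
# backups for the lab
/srv/backup   *(ro,sync)
/srv/home     10.0.0.5(rw,sync) 10.0.0.6(ro)
/srv/pub      (ro,all_squash)
/srv/build    build01.example.internal(rw) \\
              0.0.0.0/0(ro)
"""

def parse_exports(text):
    """Yield (path, client, options) for every client entry in exports(5) text."""
    text = text.replace("\\\n", " ")              # join continuation lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        specs = [s for s in specs if not s.startswith("-")]  # skip "-default,opts"
        for spec in specs or [""]:                # path alone: no host restriction
            m = CLIENT_RE.match(spec)
            if m:                                 # ignore malformed specs
                opts = [o for o in (m.group(2) or "").split(",") if o]
                yield path, m.group(1), opts

def world_open(text):
    """Scenario 1: exports that any host can mount, with effective access mode."""
    return [(path, client or "<any host>", "rw" if "rw" in opts else "ro")
            for path, client, opts in parse_exports(text) if client in WORLD]

def allowed_clients(text):
    """Scenario 2: the hosts each export trusts; each one is part of its attack surface."""
    trusted = {}
    for path, client, _ in parse_exports(text):
        trusted.setdefault(path, []).append(client or "<any host>")
    return trusted

if __name__ == "__main__":
    for finding in world_open(SAMPLE):
        print("world-open export:", *finding)
    for path, hosts in allowed_clients(SAMPLE).items():
        print(path, "trusts", ", ".join(hosts))
```

On a real server, pass the contents of /etc/exports instead of SAMPLE; every host returned by allowed_clients should be reviewed as if a compromise of that host exposes the export.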
Once we verify that the NFS export is vulnerable, we should try to mount the exported directory to a local directory and read the files in it. Here is a step-by-step guide:
# Step 1: Collect information about the NFS service
$ nmap --script nfs-ls,nfs-showmount,nfs-statfs <ip>
$ showmount -e <ip>
# Step 2: Create a new directory for mounting
$ mkdir -p /mnt/new_back
# Step 3: Mount the remote directory to our local directory
$ mount -t nfs <ip>:<remote_directory> /mnt/new_back -o nolock
# Step 4 (optional): Verify if the remote directory was successfully mounted
$ mount
# Step 5: Now the files from the remote directory can be found in /mnt/new_back
$ cd /mnt/new_back && ls -la