# NFS (Port 2049)

## NFS

**Network File System (NFS)** is an **RPC-based** file sharing protocol that is often found on Linux machines. To learn more about NFS and RPC, read [distributed systems -- example architectures](https://www.ctfnote.com/software-development/distributed-systems/system-architecture#example-architectures) and [distributed systems -- remote procedure call](https://www.ctfnote.com/software-development/distributed-systems/remote-procedure-call-rpc#remote-procedure-call).

To share files, the system administrator configures `/etc/exports` to specify which hosts are allowed to communicate with the NFS service. **Misconfigurations** in `/etc/exports` can make NFS vulnerable. There are **two scenarios** in which NFS can be exploited:

1. **Anyone** can read the exported files.
2. The attacker gets a shell on the victim machine and this victim machine is **whitelisted**.

Once we verify that the NFS service is vulnerable, we should try to **mount** the exported directory to a local directory and read the files in it. Here is a step-by-step guide:

```
# Step 1: Collect information about the NFS service
$ nmap --script nfs-ls,nfs-showmount,nfs-statfs <ip>
$ showmount -e <ip>

# Step 2: Create a new directory for mounting
$ mkdir /mnt/new_back

# Step 3: Mount the remote directory to our local directory
$ mount -t nfs <ip>:<remote_directory> /mnt/new_back -o nolock

# Step 4 (optional): Verify if the remote directory was successfully mounted
$ mount

# Step 5: Now the files from the remote directory can be found in /mnt/new_back
$ cd /mnt/new_back && ls -la
```
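
From the defender's side, the first scenario above (anyone can read the exported files) can be checked directly in `/etc/exports`. The following is an added example, not part of the original page: a small parser that lists exports any host can mount. The sample file content and the function names `parse_exports` and `world_exports` are constructed for illustration, and the parser assumes nfs-utils behaviour, where an entry with no client name applies to every host.

```python
import re

# Client specs that match every host: the "*" wildcard, an all-zero
# network, or no client name at all (see exports(5)).
WORLD_CLIENTS = {"", "*", "0.0.0.0/0", "0.0.0.0/0.0.0.0", "::/0"}

# Constructed sample, not taken from a real host.
SAMPLE = r'''
/srv/public        *(ro,sync)
/home              10.0.0.5 (rw,sync)   # stray space: (rw,sync) has no client
/backup            10.0.0.0/24(rw,sync) \
                   backup01(ro)
"/srv/team share"  0.0.0.0/0(rw)
/data
'''

def parse_exports(text):
    """Yield (path, client, options) for every client entry."""
    text = text.replace("\\\n", " ")            # join continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        m = re.match(r'(?:"([^"]+)"|(\S+))\s*(.*)', line)
        path, rest = m.group(1) or m.group(2), m.group(3)
        defaults, seen = [], False
        for tok in re.findall(r'[^\s()]*\([^)]*\)|[^\s()]+', rest):
            if tok.startswith("-"):             # "-ro,sync": default options
                defaults = tok[1:].split(",")
                continue
            client, _, opts = tok.partition("(")
            own = [o.strip() for o in opts.rstrip(")").split(",") if o.strip()]
            yield path, client, defaults + own
            seen = True
        if not seen:                            # no client listed: world
            yield path, "", defaults

def world_exports(text):
    """Return (path, client, mode) for exports any host can mount."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client in WORLD_CLIENTS:
            mode = "rw" if "rw" in opts else "ro"   # ro is the default
            findings.append((path, client or "<none>", mode))
    return findings

if __name__ == "__main__":
    for path, client, mode in world_exports(SAMPLE):
        print(f"world-accessible: {path} client={client} mode={mode}")
```

The `/home` line shows the classic mistake: the space before `(rw,sync)` detaches the options from `10.0.0.5`, so the read-write grant applies to every host instead of the one that was meant to be whitelisted.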

## Reference

{% embed url="<https://book.hacktricks.xyz/pentesting/nfs-service-pentesting>" %}
Pentesting NFS Service
{% endembed %}
