Network File System (NFS) – port 111 / 2049

Network File System (NFS) is a distributed file system protocol allowing a user on a client computer to access files over a network much like local storage is accessed. NFS is built on the Open Network Computing Remote Procedure Call (ONC RPC) system.

Portmapper and RPCbind run on TCP port 111; the NFS service itself listens on port 2049.

NFS Enumeration

Nmap

See Nmap.

ls -la /usr/share/nmap/scripts/nfs*
ls -la /usr/share/nmap/scripts/rpc*
nmap -Pn -v -p 111,2049 $IP -oG nfs-sweep.txt
nmap -Pn -sV -p 111,2049 --script=rpcinfo $IP
nmap -Pn -p 111,2049 --script "nfs*" $IP

The nfs-ls script requires root privileges; without them it will not return the expected results.

sudo nmap -Pn -p 111,2049 --script nfs-ls.nse $IP

Showmount

Show mount information for an NFS server.

Show all mount points on a target

List both the client hostname or IP address and mounted directory in host:dir format.

showmount -a $IP

Show all directories on a target

List only the directories mounted by some client.

showmount -d $IP

Show the NFS server’s export list

showmount -e $IP

Mount the NFS

-o vers=3 is used to fix the problem of files showing as “nobody 4294967294”.

mkdir ~/shared-directory
sudo mount -o nolock $IP:/<sharename> ~/shared-directory -o vers=3
cd ~/shared-directory
ls -la
sudo mount -o nolock $IP:/<sharename> ~/shared-directory -o vers=3,username=domain\username,password=password

With port 2049 on the victim forwarded (remote port forwarding) to 127.0.0.1:3049 on Kali:

sudo mount -t nfs -o nolock 127.0.0.1:<sharename> /home/kali/nfs-share -o vers=4,rw,port=3049

List mounts

mount

On Windows

To validate 😉

net use * \\X.X.X.X\$SHARENAME

Bypass Permission Denied on files

Add a local user with the same UID as the owner of the files.

sudo adduser readnfs
sudo cp /etc/passwd /etc/passwd.back
sudo usermod -u <UID> readnfs
grep readnfs /etc/passwd
su readnfs
cat filename.txt
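
The UID-matching step above works because an export using the default AUTH_SYS security flavor trusts whatever UID the client presents. As an added example (not part of the original page), this Python script audits a server's /etc/exports for entries that allow it; the sample exports content, the function name audit_exports and the finding labels are assumptions made for illustration, and "-opts" default lists and line continuations are not evaluated.

```python
import re

# Constructed sample /etc/exports (not taken from any real server).
SAMPLE_EXPORTS = """\
/srv/backups   *(rw,sync,no_root_squash)
/srv/home      10.0.0.0/24(rw,sync)
/srv/public    *(ro,all_squash)
/srv/projects  build01.example.internal(rw,sec=krb5p)
"""

# One client token: optional host spec followed by optional "(opt,opt,...)".
TOKEN = re.compile(r"^([^()\s]*)(?:\(([^)]*)\))?$")


def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *tokens = line.split()
        for token in tokens:
            m = TOKEN.match(token)
            if token.startswith("-") or not m:
                continue  # "-opts" default lists are not evaluated here
            client = m.group(1) or "*"  # a bare "(opts)" applies to every host
            opts = set(filter(None, (m.group(2) or "").split(",")))
            if client == "*":
                findings.append((path, client, "world"))
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash"))
            # sec= defaults to sys (AUTH_SYS): the server trusts the UID the
            # client sends, unless all_squash maps every UID to the anon user.
            sec = next((o[4:] for o in opts if o.startswith("sec=")), "sys")
            if "sys" in sec.split(":") and "all_squash" not in opts:
                findings.append((path, client, "auth_sys_uid_trust"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:15} {client:28} {finding}")
```

Entries flagged auth_sys_uid_trust are the ones where a client-side UID change is enough to read other users' files; restricting the client list, adding all_squash, or requiring sec=krb5/krb5i/krb5p removes that finding.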

Cleanup tasks

Unmount NFS

sudo umount $IP:/<sharename>

Delete user

-r will delete the user’s home directory

sudo userdel -r readnfs