Network File System (NFS) is a distributed file system protocol allowing a user on a client computer to access files over a network much like local storage is accessed. NFS is built on the Open Network Computing Remote Procedure Call (ONC RPC) system.
Portmapper and RPCbind run on TCP port 111.
- Network File System (Wikipedia)
NFS Enumeration
Nmap
See Nmap.
ls -la /usr/share/nmap/scripts/nfs*
ls -la /usr/share/nmap/scripts/rpc*
nmap -Pn -v -p 111,2049 $IP -oG nfs-sweep.txt
nmap -Pn -sV -p 111,2049 --script=rpcinfo $IP
nmap -Pn -p 111,2049 --script "nfs*" $IP
The nfs-ls script requires root privileges, otherwise it will not return the expected results.
sudo nmap -Pn -p 111,2049 --script nfs-ls.nse $IP
Showmount
Show mount information for an NFS server.
Show all mount points on a target
List both the client hostname or IP address and mounted directory in host:dir format.
showmount -a $IP
Show all directories on a target
List only the directories mounted by some client.
showmount -d $IP
Show the NFS server’s export list
showmount -e $IP
Mount the NFS
-o vers=3 is used to fix the problem of files showing as “nobody 4294967294”.
mkdir ~/shared-directory
sudo mount -o nolock $IP:/<sharename> ~/shared-directory -o vers=3
cd ~/shared-directory
ls -la
sudo mount -o nolock $IP:/<sharename> ~/shared-directory -o vers=3,username=domain\username,password=password
With port 2049 on the victim forwarded (remote port forwarding) to 127.0.0.1:3049 on Kali:
sudo mount -t nfs -o nolock 127.0.0.1:<sharename> /home/kali/nfs-share -o vers=4,rw,port=3049
List mounts
mount
On Windows
To be validated 😉
net use * \\X.X.X.X\$SHARENAME
Bypass Permission Denied on files
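Add a local user with the same UID as the owner of the files. The sed command assumes the new user was given UID 1001 and only edits the readnfs line.
sudo adduser readnfs
sudo cp /etc/passwd /etc/passwd.back
sudo sed -i -e '/^readnfs:/ s/1001/<UID>/g' /etc/passwd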
cat /etc/passwd | grep readnfs
su readnfs
cat filename.txt
Cleanup tasks
Unmount NFS
sudo umount $IP:/<sharename>
Delete user
-r will delete the user’s home directory
sudo userdel -r readnfs
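Server-side view of the steps above, as an added example that is not part of the original page: with the default AUTH_SYS (sec=sys) flavor the server accepts whatever UID the client sends, which is why a local user with a matching UID can read the files. The script audits exports(5) text for the settings that allow this; the function names audit_exports and sample_exports and the sample entries are constructed for illustration, and only the host(options) form is parsed.

```shell
#!/bin/sh
# Added example: audit exports(5) text read from stdin.
# Prints one line per finding: "<path> <client> <finding>".
audit_exports() {
  awk '
    { sub(/#.*/, "") }                    # strip comments
    NF < 2 { next }                       # blank line, or a path with no client list (not handled)
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^-/) continue           # default-option token, not evaluated here
        client = $i; opts = ""
        p = index($i, "(")
        if (p > 0) {
          client = substr($i, 1, p - 1)
          opts = substr($i, p + 1)
          sub(/\)$/, "", opts)
        }
        if (client == "") client = "*"    # no host before the options: treated as any host
        sec = "sys"                       # AUTH_SYS is the default when no sec= is given
        n = split(opts, a, ",")
        for (j = 1; j <= n; j++) if (a[j] ~ /^sec=/) sec = substr(a[j], 5)
        o = "," opts ","
        if (client == "*")                print path, client, "any-host"
        if (index(o, ",no_root_squash,")) print path, client, "no_root_squash"
        if (index(o, ",insecure,"))       print path, client, "insecure-port"
        # sys in the sec list and no all_squash: the UID sent by the client is trusted
        if (!index(o, ",all_squash,") && index(":" sec ":", ":sys:"))
          print path, client, "client-uid-trusted"
      }
    }'
}

# Constructed sample input, not taken from a real server.
sample_exports() {
cat <<'EOF'
# /etc/exports (constructed)
/srv/share  *(rw,sync,no_root_squash)
/home       10.0.0.0/24(rw,sync)
/backup     10.0.0.5(ro,all_squash,sec=krb5p)
/pub        *(ro,insecure,all_squash)
EOF
}

sample_exports | audit_exports
```

On a server, run it as `audit_exports < /etc/exports`; exports restricted to named clients with all_squash or a Kerberos-only sec= list produce no client-uid-trusted finding.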