Network File System (NFS) is a distributed file system protocol allowing a user on a client computer to access files over a network much like local storage is accessed. NFS is built on the Open Network Computing Remote Procedure Call (ONC RPC) system.
Portmapper and RPCbind run on TCP port 111.
- Network File System (Wikipedia)
NFS Enumeration
Nmap
See Nmap.
ls -la /usr/share/nmap/scripts/nfs*
ls -la /usr/share/nmap/scripts/rpc*nmap -Pn -v -p 111,2049 $IP -oG nfs-sweep.txtnmap -Pn -sV -p 111,2049 --script=rpcinfo $IPnmap -Pn -p 111,2049 --script nfs* $IPNOTE: Requires root privileges or the script will not return expected results.
sudo nmap -Pn -p 111,2049 --script nfs-ls.nse $IPShowmount
Show mount information for an NFS server.
Show all mount points on a target
List both the client hostname or IP address and mounted directory in host:dir format.
showmount -a $IPShow all directories on a target
List only the directories mounted by some client.
showmount -d $IPShow the NFS server’s export list
showmount -e $IPMount the NFS
NOTE: -o vers=3 is used to fix the problem of files showing as “nobody 4294967294”.
mkdir ~/shared-directory
sudo mount -o nolock $IP:/<sharename> ~/shared-directory -o vers=3
cd ~/shared-directory
ls -lasudo mount -o nolock $IP:/<sharename> ~/shared-directory -o vers=3,username=domain\username,password=passwordWith remote port forwarding on 2049 on victim, 127.0.0.1:3049 on Kali.
sudo mount -t nfs -o nolock 127.0.0.1:<sharename> /home/kali/nfs-share -o vers=4,rw,port=3049List mounts
mountOn Windows
To validate 😉
net use * \\X.X.X.X\$SHARENAMEBypass Permission Denied on files
Add a user with the same UUID as the files.
sudo adduser readnfs
sudo cp /etc/passwd /etc/passwd.back
sudo sed -i -e 's/1001/<UUID>/g' /etc/passwd
cat /etc/passwd | grep readnfssu readnfs
cat filename.txtCleanup tasks
Unmount NFS
sudo umount $IP:/<sharename>Delete user
NOTE: -r will delete the user’s home directory
sudo userdel -r readnfs