2049 Pentesting NFS Service
Basic Information
It is a client/server system that allows users to access files over a network and treat them as if they resided in a local file directory.
It serves the same purpose as SMB, but it cannot communicate with SMB.
The NFS protocol has no authentication or authorization mechanism of its own. Authorization is taken from the information available in the file system; the server is responsible for translating the user information supplied by the client into the file system's user information and for converting the corresponding authorization information, as correctly as possible, into the syntax UNIX requires.
The most common authentication is via UNIX UID/GID and group membership, which is why this syntax is most likely to be applied to the NFS protocol.
One problem is that the client and the server do not necessarily have the same mapping of UID/GID to users and groups. No further checks can be performed on the server side. This is why NFS should only be used with this authentication method in trusted networks.
Default port: 2049/TCP/UDP (except version 4, which only needs TCP or UDP).
2049/tcp open nfs 2-3 (RPC #100003)
Version
(From https://academy.hackthebox.com/module/112/section/1068) ![[Pasted image 20221119161928.png]]
Enumeration
Useful nmap scripts
nfs-ls #List NFS exports and check permissions
nfs-showmount #Like showmount -e
nfs-statfs #Disk statistics and info from NFS share
Useful metasploit modules
scanner/nfs/nfsmount #Scan NFS mounts and list permissions
Mounting
Query which folders the server allows to be mounted
showmount -e <IP>
Then mount the chosen export
mount -t nfs [-o vers=2] <ip>:<remote_folder> <local_folder> -o nolock
Version 2 should be specified, since it has no authentication mechanism
Example
mkdir /mnt/new_back
mount -t nfs -o vers=2 10.12.0.150:/backup /mnt/new_back -o nolock
Permissions
If the mounted folder is only accessible to a user with a specific uid, you can create a local user with that uid to access it.
NFSShell
nfsshell. Nice NFSShell tutorial. Use the shell for quick operations
Config files
/etc/exports
/etc/lib/nfs/etab
Dangerous Settings
(From https://academy.hackthebox.com/module/112/section/1068) ![[Pasted image 20221119161643.png]]
Privilege Escalation using NFS misconfigurations
NFS no_root_squash and no_all_squash privilege escalation
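An added audit script (my own example, not code from this page or from HackTricks) that ties the config files section to the dangerous settings above: it parses exports(5) syntax and reports every export that carries no_root_squash, no_all_squash, insecure or rw, or that is exported to every host. The function names and the sample exports file are assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# Options that weaken the UID/GID trust model described in Basic Information.
RISKY = {
    "no_root_squash": "remote root is mapped to local root (uid 0)",
    "no_all_squash": "remote uids/gids are used as-is on the server",
    "insecure": "requests accepted from client ports above 1023",
    "rw": "export is writable",
}
WORLD_HOSTS = {"*", "0.0.0.0/0"}            # reachable by any client
CLIENT = re.compile(r"^(?P<host>[^(]*)(?:\((?P<opts>[^)]*)\))?$")

def parse_exports(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (path, host, [options]) triples from exports(5) text."""
    entries = []
    # Join backslash continuations, then drop comments and blank lines.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients or ["*"]:    # bare path: exported to everyone
            m = CLIENT.match(client)
            if m is None:
                raise ValueError(f"malformed client spec: {client!r}")
            host = m.group("host") or "*"   # "(rw)" with no host means any host
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            entries.append((path, host, opts))
    return entries

def audit_exports(text: str) -> List[str]:
    """List one finding per risky option and per world-exported path."""
    findings = []
    for path, host, opts in parse_exports(text):
        for opt in opts:
            if opt in RISKY:
                findings.append(f"{path} -> {host}: {opt} ({RISKY[opt]})")
        if host in WORLD_HOSTS:
            findings.append(f"{path} -> {host}: exported to every host")
    return findings

# Constructed sample exports file (assumption for the example, not a real host).
SAMPLE = """\
# constructed sample, not taken from a real system
/backup   10.12.0.0/24(rw,sync,no_root_squash)
/home     *(rw,no_all_squash)
/srv/ro   192.168.1.10(ro,sync)
"""
print("\n".join(audit_exports(SAMPLE)))
```

Run it against a copy of /etc/exports (or the output of exportfs -v) to list which exports would let a client-supplied uid, including uid 0, be honoured by the server.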
HackTricks Automatic Commands
Protocol_Name: NFS    #Protocol Abbreviation if there is one.
Port_Number: 2049     #Comma separated if there is more than one.
Protocol_Description: Network File System    #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for NFS
  Note: |
    It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory.
    #apt install nfs-common
    showmount 10.10.10.180 ~or~ showmount -e 10.10.10.180
    should show you available shares (example /home)
    mount -t nfs -o vers=2 10.10.10.180:/home /mnt/
    cd /mnt
    nano into /etc/passwd and change the uid (probably 1000 or 1001) to match the owner of the files if you are not able to get in
    https://book.hacktricks.xyz/pentesting/nfs-service-pentesting

Entry_2:
  Name: Nmap
  Description: Nmap with NFS Scripts
  Command: nmap --script=nfs-ls.nse,nfs-showmount.nse,nfs-statfs.nse -p 2049 {IP}