
2049 Pentesting NFS Service

Basic Information


It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory.

It serves the same purpose as SMB, but it cannot talk to SMB.

The NFS protocol has no mechanism for authentication or authorization. Authorization is taken from the information available in the file system: the server is responsible for translating the user information supplied by the client into the file system's user information and for converting the corresponding authorization details as correctly as possible into the syntax required by UNIX.

The most common authentication is via UNIX UID/GID and group memberships, which is why this syntax is most likely to be applied to the NFS protocol.

One problem is that the client and server do not necessarily have to share the same UID/GID to user and group mappings, and the server side cannot perform any further checks. This is why NFS should only be used with this authentication method in trusted networks.

Default port: 2049/TCP/UDP (except version 4, which only needs TCP or UDP).

2049/tcp open nfs 2-3 (RPC #100003)

Version


(From https://academy.hackthebox.com/module/112/section/1068) ![[Pasted image 20221119161928.png]]

Enumeration


Useful nmap scripts

nfs-ls #List NFS exports and check permissions

nfs-showmount #Like showmount -e

nfs-statfs #Disk statistics and info from NFS share

Useful metasploit modules

scanner/nfs/nfsmount #Scan NFS mounts and list permissions

Mounting

To find out which folders the server has available to mount:

showmount -e <IP>

Then mount the one you choose:

mount -t nfs [-o vers=2] <ip>:<remote_folder> <local_folder> -o nolock

Specify version 2 where it is available, because it has no authentication mechanism.

Example

mkdir /mnt/new_back

mount -t nfs [-o vers=2] 10.12.0.150:/backup /mnt/new_back -o nolock

Permissions


If the mounted folder is only accessible by a user with a specific uid, you can create a local user with that uid to access it.

NFSShell


nfsshell. Nice NFSShell tutorial. Use the shell for quick operations on the share.

Config files


/etc/exports

/etc/lib/nfs/etab

Dangerous Settings

(From https://academy.hackthebox.com/module/112/section/1068) ![[Pasted image 20221119161643.png]]

Privilege Escalation using NFS misconfigurations


NFS no_root_squash and no_all_squash privilege escalation
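As an added example (not code from HackTricks or the HTB module it cites), the following Python script audits an /etc/exports file for the settings the Dangerous Settings table and the no_root_squash / no_all_squash escalation note above refer to. It parses the exports(5) format, flags rw, insecure, nohide, no_root_squash and no_all_squash, flags exports granted to any host, and catches the classic `host (options)` spacing mistake that silently exports the directory to the world. The sample exports content is constructed.

```python
"""Audit /etc/exports for options that weaken NFS security (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Options flagged by this audit. The list follows the dangerous-settings
# table referenced on this page; descriptions paraphrase exports(5).
DANGEROUS_OPTIONS = {
    "rw": "share is writable",
    "insecure": "accepts requests from client ports above 1024",
    "nohide": "filesystems mounted below the export are exposed as well",
    "no_root_squash": "client root keeps UID/GID 0 on the server",
    "no_all_squash": "client UIDs/GIDs are trusted without squashing",
}


@dataclass
class ExportClient:
    path: str
    host: str           # "*" means any host (also used when no host is given)
    options: List[str]


@dataclass
class Finding:
    path: str
    host: str
    issue: str


# One client specification: optional host, optional "(opt1,opt2)" list.
_TOKEN = re.compile(r"([^\s(]*)(?:\(([^)]*)\))?")


def parse_exports(text: str) -> List[ExportClient]:
    """Parse exports(5) text into one record per (path, client) pair."""
    records: List[ExportClient] = []
    logical = text.replace("\\\n", " ")          # join backslash continuations
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        if not rest:
            # A bare path exports to every host with default options.
            records.append(ExportClient(path, "*", []))
            continue
        for m in _TOKEN.finditer(rest):
            host, opts = m.group(1), m.group(2)
            if not host and opts is None:
                continue                           # empty match between tokens
            options = [o.strip() for o in opts.split(",") if o.strip()] if opts is not None else []
            # "(rw)" with no host in front of it means "any host" in exports(5).
            records.append(ExportClient(path, host or "*", options))
    return records


def audit_exports(text: str) -> List[Finding]:
    """Return one Finding per risky property of each export/client pair."""
    findings: List[Finding] = []
    for rec in parse_exports(text):
        world = rec.host == "*"
        if world:
            findings.append(Finding(rec.path, rec.host, "exported to any host"))
        for opt in rec.options:
            if opt in DANGEROUS_OPTIONS:
                findings.append(Finding(rec.path, rec.host, f"{opt}: {DANGEROUS_OPTIONS[opt]}"))
        if world and "rw" in rec.options:
            findings.append(Finding(rec.path, rec.host, "world-writable export"))
    return findings


# Constructed sample; the hosts and paths are not from any real system.
SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/srv/backup   10.12.0.0/24(rw,sync,no_root_squash)
/home         *(rw,no_all_squash)
/srv/pub      192.168.1.10 (rw)      # space before (rw): rw applies to the world
/srv/ro       192.168.1.0/24(ro,sync)
"""

if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f.path:<12} {f.host:<16} {f.issue}")
```

Run it against a real file with `audit_exports(open("/etc/exports").read())`; an export that only appears with `ro` and an explicit subnet, like `/srv/ro` in the sample, produces no findings.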

HackTricks Automatic Commands


Protocol_Name: NFS    #Protocol Abbreviation if there is one.
Port_Number:  2049    #Comma separated if there is more than one.
Protocol_Description: Network File System    #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for NFS
  Note: |
    It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory.

    #apt install nfs-common
    showmount 10.10.10.180   or   showmount -e 10.10.10.180
    should show you available shares (example /home)
    mount -t nfs -o vers=2 10.10.10.180:/home /mnt/
    cd /mnt
    nano into /etc/passwd and change the uid (probably 1000 or 1001) to match the owner of the files if you are not able to get in

    https://book.hacktricks.xyz/pentesting/nfs-service-pentesting

Entry_2:
  Name: Nmap
  Description: Nmap with NFS Scripts
  Command: nmap --script=nfs-ls.nse,nfs-showmount.nse,nfs-statfs.nse -p 2049 {IP}