
111 / 2049 - NFS

Overview

The Network File System (NFS) is a distributed file system protocol, built on Remote Procedure Call (RPC) and used to share folders and files between computers.

NFS is mostly used on Unix and Unix-like operating systems. For NFS before version 4, the user id and group id of the client-side user are sent in each RPC call (the AUTH_SYS flavour of RPC authentication), and the server checks the permissions these IDs have on the file being accessed.

Network scan and mount points enumeration

The following tools can be used to scan the network for NFS services and enumerate their exposed mount points:

nmap -v -p 111,2049 -sV --script=nfs-showmount.nse -oA nmap_nfs <RANGE | CIDR | HOSTNAME | IP>
msf> use auxiliary/scanner/nfs/nfsmount

showmount --exports <HOSTNAME | IP>

Mount shares

The Linux utility mount can be used to mount an NFS share:

mkdir /tmp/NFS_SHARE

mount -t nfs <HOSTNAME | IP>:<SHARE> /tmp/NFS_SHARE

# Confirm the mounted share
df -k | grep NFS_SHARE

If the mount utility returns the following error message, the nfs-common package (which provides the mount.nfs helper) must be installed on the client system.

mount: /tmp/NFS_SHARE: bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program.

ID spoofing

For NFS before version 4, access permissions on the server files are based on the user id and group id of the current user on the client system. The UID and GID can thus be spoofed to access any directory or file exposed by the NFS export.

The server may enforce the root_squash mechanism, which maps any request made with UID or GID 0 (root) to the anonymous nobody user.

# Inside mounted folder
ls -lah
-> drwxr-xr--  3 <UID> <GID>  [...] dir_or_file

useradd -u <UID> tmp_user
su tmp_user

# OR
groupadd -r -g <GID> tmp_group
useradd -G tmp_group <USERNAME>

The NfSpy Python script can be used to automate the process, with the advantage of hiding the access: the share is unmounted on the server immediately after mounting, while the file handle is kept and reused:

nfspy -o server=<HOSTNAME | IP>:<SHARE>,hide,allow_other,ro,intr /tmp/NFS_SHARE
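
From the defender's side, the settings that make the ID spoofing above possible are visible in the server's exports(5) file. The following audit script is an added example, not part of the original notes; SAMPLE_EXPORTS is constructed data, and the rules encode exports(5) semantics: an empty or `*` client matches any host, no_root_squash disables the root_squash mapping of UID/GID 0, `insecure` accepts requests from unprivileged source ports, and without a sec=krb5* flavour the server relies on AUTH_SYS, i.e. on the UID/GID the client asserts.

```python
"""Audit exports(5) entries for the weak NFS settings discussed above.
Added example, not from the original notes; SAMPLE_EXPORTS is constructed."""
import re

# Constructed sample content, not taken from any real host.
SAMPLE_EXPORTS = """
# backups: any host, root not squashed
/srv/backup  *(rw,no_root_squash,sync)
/srv/public  10.0.0.0/24(ro,root_squash,sync)
/home        192.168.1.0/24(rw,sync,insecure)
/srv/secure  10.0.0.0/24(rw,sync,sec=krb5p)
/srv/open    (rw)
"""

# client part, optionally followed by a parenthesised option list
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")

def parse_exports(text):
    """Return (path, client, options) triples, one per client on each line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        for tok in rest.split() or [""]:           # no client field = any host
            m = CLIENT_RE.match(tok)
            entries.append((path, m.group(1), m.group(2) or ""))
    return entries

def audit_entry(client, options):
    """Return the weaknesses found for one export entry."""
    opts = [o for o in options.split(",") if o]
    findings = []
    if client in ("", "*"):
        findings.append("exported to any host")
    if "no_root_squash" in opts:
        findings.append("no_root_squash: a client UID 0 keeps root rights")
    if "insecure" in opts:
        findings.append("insecure: requests from unprivileged ports accepted")
    if not any(o.startswith("sec=") and "krb5" in o for o in opts):
        findings.append("AUTH_SYS only: client-asserted UID/GID is trusted")
    return findings

def audit_exports(text):
    """Map (path, client) to its findings for a whole exports file."""
    return {(p, c): audit_entry(c, o) for p, c, o in parse_exports(text)}

if __name__ == "__main__":
    for (path, client), found in audit_exports(SAMPLE_EXPORTS).items():
        print(f"{path} [{client or 'any'}]: {'; '.join(found) or 'ok'}")
```

Only the /srv/secure entry, restricted to one subnet and requiring Kerberos with privacy, comes back clean; running the same function over a real /etc/exports lists which exports still trust client-supplied IDs.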

Connected users enumeration

The Linux utility showmount can be used to retrieve the currently mounted shares and their clients:

showmount --all <HOSTNAME | IP>

Last updated 3 years ago