# NFS Attacks

| **Version** | **Features**                                                                                                                                                                                                                                                                     |
| ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `NFSv2`     | It is older but is supported by many systems and was initially operated entirely over \[\[UDP]].                                                                                                                                                                                 |
| `NFSv3`     | It has more features, including variable file size and better error reporting, but is not fully compatible with NFSv2 clients.                                                                                                                                                   |
| `NFSv4`     | It includes \[\[Kerberos]], works through \[\[firewalls]] and on the Internet, no longer requires portmappers, supports ACLs, applies state-based operations, and provides performance improvements and high security. It is also the first version to have a stateful protocol. |

* Built on Remote Procedure Call (RPC); the portmapper (`rpcbind`, port `111`) tells clients on which ports the NFS programs (`nfs`, `mountd`, `nlockmgr`) are listening.

### Default Configuration

```shell-session
cat /etc/exports
```

```shell-session
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
```

| **Option**         | **Description**                                                                                                                             |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------- |
| `rw`               | Read and write permissions.                                                                                                                 |
| `ro`               | Read only permissions.                                                                                                                      |
| `sync`             | Synchronous data transfer. (A bit slower)                                                                                                   |
| `async`            | Asynchronous data transfer. (A bit faster)                                                                                                  |
| `secure`           | Only requests originating from client ports below 1024 (privileged ports) are accepted.                                                   |
| `insecure`         | Requests from client ports above 1024 are accepted as well.                                                                               |
| `no_subtree_check` | This option disables the checking of subdirectory trees.                                                                                    |
| `root_squash`      | Maps requests from UID/GID 0 (root) to the anonymous UID/GID, so `root` on the client does not get root access to files on the NFS mount. |

### Dangerous Settings

| **Option**       | **Description**                                                                                                      |
| ---------------- | -------------------------------------------------------------------------------------------------------------------- |
| `rw`             | Read and write permissions.                                                                                          |
| `insecure`       | Requests from client ports above 1024 are accepted as well.                                                          |
| `nohide`         | If another file system is mounted below an exported directory, it is exposed through the parent export instead of needing its own exports entry. |
| `no_root_squash` | Requests from root on the client are served as root on the server; all files created by root keep UID/GID 0.        |
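
The following script is an added example (not part of these notes) that reads an exports file and reports every export/client pair using one of the options from the Dangerous Settings table above. It assumes the standard exports(5) layout (`PATH CLIENT(opt,opt,...) ...`); the sample exports content embedded in it is constructed, and the hosts and paths in it are made up.

```shell
#!/bin/sh
# Added example (not part of the original notes): audit an exports file for the
# options listed under "Dangerous Settings". Assumes the standard exports(5)
# layout: PATH followed by CLIENT(opt,opt,...) entries separated by whitespace.

# Constructed sample /etc/exports for offline use; hosts and paths are made up.
SAMPLE_EXPORTS='# /etc/exports - constructed sample
/srv/backup   10.129.14.0/24(rw,sync,no_subtree_check,no_root_squash)
/srv/public   *(ro,sync,insecure,nohide)
/srv/homes    hostname1(rw,sync,root_squash) hostname2(ro,sync)
/srv/safe     10.0.0.5(ro,sync,secure,root_squash,no_subtree_check)'

# audit_exports FILE
# Prints "PATH CLIENT RISKY_OPTIONS" for every export/client pair that uses at
# least one risky option. A client of "*" is reported as "any-host" because it
# lets every reachable machine mount the export.
audit_exports() {
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            p = index($i, "(")
            if (p == 0) { client = $i; opts = "" }
            else {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)            # drop the closing parenthesis
            }
            risky = ""
            m = split(opts, o, ",")
            for (j = 1; j <= m; j++) {
                if (o[j] == "rw" || o[j] == "insecure" || o[j] == "nohide" || o[j] == "no_root_squash")
                    risky = risky (risky == "" ? "" : ",") o[j]
            }
            if (client == "*")
                risky = risky (risky == "" ? "" : ",") "any-host"
            if (risky != "") print path, client, risky
        }
    }' "$1"
}

# Stand-alone run: write the constructed sample to a temp file and audit it.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_EXPORTS" > "$tmp"
audit_exports "$tmp"
rm -f "$tmp"
```

On the sample it reports `/srv/backup` (rw, no_root_squash), `/srv/public` (insecure, nohide, any host) and `/srv/homes` for `hostname1` (rw); `/srv/safe` passes. A hardened counterpart of the first entry would be `/srv/backup 10.129.14.0/24(ro,sync,secure,root_squash,no_subtree_check)`, and on the server `exportfs -v` prints each export with the options actually in effect, defaults included, which is the list worth auditing rather than the file alone.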

### Footprinting the Service

* When footprinting NFS, the TCP ports `111` (`rpcbind`/portmapper) and `2049` (`nfs`) are essential

#### Nmap

* \[\[Nmap]]

```shell-session
sudo nmap 10.129.14.128 -p111,2049 -sV -sC
```

```shell-session
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 17:12 CEST
Nmap scan report for 10.129.14.128
Host is up (0.00018s latency).

PORT    STATE SERVICE VERSION
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      41982/udp6  mountd
|   100005  1,2,3      45837/tcp   mountd
|   100005  1,2,3      47217/tcp6  mountd
|   100005  1,2,3      58830/udp   mountd
|   100021  1,3,4      39542/udp   nlockmgr
|   100021  1,3,4      44629/tcp   nlockmgr
|   100021  1,3,4      45273/tcp6  nlockmgr
|   100021  1,3,4      47524/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp open  nfs_acl 3 (RPC #100227)
MAC Address: 00:00:00:00:00:00 (VMware)
```

**Nmap NFS NSE Scripts (`nfs*`)**

```shell-session
sudo nmap --script nfs* 10.129.14.128 -sV -p111,2049
```

```shell-session
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 17:37 CEST
Nmap scan report for 10.129.14.128
Host is up (0.00021s latency).

PORT     STATE SERVICE VERSION
111/tcp  open  rpcbind 2-4 (RPC #100000)
| nfs-ls: Volume /mnt/nfs
|   access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION  UID    GID    SIZE  TIME                 FILENAME
| rwxrwxrwx   65534  65534  4096  2021-09-19T15:28:17  .
| ??????????  ?      ?      ?     ?                    ..
| rw-r--r--   0      0      1872  2021-09-19T15:27:42  id_rsa
| rw-r--r--   0      0      348   2021-09-19T15:28:17  id_rsa.pub
| rw-r--r--   0      0      0     2021-09-19T15:22:30  nfs.share
|_
| nfs-showmount: 
|_  /mnt/nfs 10.129.14.0/24
| nfs-statfs: 
|   Filesystem  1K-blocks   Used       Available   Use%  Maxfilesize  Maxlink
|_  /mnt/nfs    30313412.0  8074868.0  20675664.0  29%   16.0T        32000
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      41982/udp6  mountd
|   100005  1,2,3      45837/tcp   mountd
|   100005  1,2,3      47217/tcp6  mountd
|   100005  1,2,3      58830/udp   mountd
|   100021  1,3,4      39542/udp   nlockmgr
|   100021  1,3,4      44629/tcp   nlockmgr
|   100021  1,3,4      45273/tcp6  nlockmgr
|   100021  1,3,4      47524/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp open  nfs_acl 3 (RPC #100227)
MAC Address: 00:00:00:00:00:00 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds
```

### Show Available NFS Shares

```shell-session
showmount -e 10.129.14.128
```

```shell-session
Export list for 10.129.14.128:
/mnt/nfs 10.129.14.0/24
```

### Mounting NFS Share

```shell-session
mkdir target-NFS
```

```shell-session
sudo mount -t nfs 10.129.14.128:/ ./target-NFS/ -o nolock
```

```shell-session
cd target-NFS
tree .
```

### List Contents with Usernames & Group Names

```shell-session
ls -l mnt/nfs/
```

```shell-session
total 16
-rw-r--r-- 1 cry0l1t3 cry0l1t3 1872 Sep 25 00:55 cry0l1t3.priv
-rw-r--r-- 1 cry0l1t3 cry0l1t3  348 Sep 25 00:55 cry0l1t3.pub
-rw-r--r-- 1 root     root     1872 Sep 19 17:27 id_rsa
-rw-r--r-- 1 root     root      348 Sep 19 17:28 id_rsa.pub
-rw-r--r-- 1 root     root        0 Sep 19 17:22 nfs.share
```

### List Contents with UIDs & GIDs

```shell-session
ls -n mnt/nfs/
```

```shell-session
total 16
-rw-r--r-- 1 1000 1000 1872 Sep 25 00:55 cry0l1t3.priv
-rw-r--r-- 1 1000 1000  348 Sep 25 00:55 cry0l1t3.pub
-rw-r--r-- 1    0 1000 1221 Sep 19 18:21 backup.sh
-rw-r--r-- 1    0    0 1872 Sep 19 17:27 id_rsa
-rw-r--r-- 1    0    0  348 Sep 19 17:28 id_rsa.pub
-rw-r--r-- 1    0    0    0 Sep 19 17:22 nfs.share
```
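
The script below is an added example (not part of these notes) that takes an `ls -n` listing of a mounted export and works out which UIDs own the files and which files a given client UID/GID can read. It models AUTH_SYS, where the server trusts the UID/GID the client sends and applies only the classic owner/group/other mode bits, plus the `root_squash` mapping of UID/GID 0 to the anonymous 65534/65534. The listing embedded in it is constructed (modelled on the output above, with `id_rsa` changed to mode 0600 and a `notes.txt` at 0640 added so the squash comparison shows a difference).

```shell
#!/bin/sh
# Added example (not part of the original notes): given an `ls -n` listing of a
# mounted export, report which UIDs own the files and which files a client
# process can read under AUTH_SYS, where the server trusts the client-sent UID/GID
# and applies only the classic owner/group/other mode bits.

# Constructed listing modelled on the output above; id_rsa was changed to 0600 and
# notes.txt (0640) added so that root_squash and no_root_squash differ.
SAMPLE_LISTING='total 16
-rw-r--r-- 1 1000 1000 1872 Sep 25 00:55 cry0l1t3.priv
-rw-r--r-- 1 1000 1000  348 Sep 25 00:55 cry0l1t3.pub
-rw-r--r-- 1    0 1000 1221 Sep 19 18:21 backup.sh
-rw------- 1    0    0 1872 Sep 19 17:27 id_rsa
-rw-r--r-- 1    0    0  348 Sep 19 17:28 id_rsa.pub
-rw-r----- 1 1001 1001   64 Sep 19 17:22 notes.txt'

# owner_uids FILE: "UID COUNT" per distinct owner, lowest UID first.
owner_uids() {
    awk 'NR > 1 { c[$3]++ } END { for (u in c) print u, c[u] }' "$1" | sort -n
}

# readable_as FILE UID GID: names of files a process with that UID/GID can read.
readable_as() {
    awk -v uid="$2" -v gid="$3" 'NR > 1 {
        mode = $1
        if (uid == 0)        ok = 1                           # real root bypasses mode bits
        else if ($3 == uid)  ok = (substr(mode, 2, 1) == "r") # owner read bit
        else if ($4 == gid)  ok = (substr(mode, 5, 1) == "r") # group read bit
        else                 ok = (substr(mode, 8, 1) == "r") # other read bit
        if (ok) print $NF
    }' "$1"
}

# client_root_view FILE SQUASH: what root on the client effectively reads.
# root_squash maps UID/GID 0 to the anonymous 65534/65534 (nobody/nogroup);
# no_root_squash serves the request as real root.
client_root_view() {
    if [ "$2" = "root_squash" ]; then
        readable_as "$1" 65534 65534
    else
        readable_as "$1" 0 0
    fi
}

# Stand-alone run over the constructed listing.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LISTING" > "$tmp"
echo "owners (UID COUNT):";           owner_uids "$tmp"
echo "client root, root_squash:";     client_root_view "$tmp" root_squash
echo "client root, no_root_squash:";  client_root_view "$tmp" no_root_squash
rm -f "$tmp"
```

With `root_squash`, client root sees only the world-readable files (four of six); with `no_root_squash` it sees all six. The comparison also makes the defensive point of the listing above: `root_squash` does nothing for files that are world-readable in the first place, so private keys at mode 0644 on an export are a finding regardless of the squash setting, and `all_squash` plus restrictive modes is the combination that actually limits what any client UID can reach.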

### Unmounting

```shell-session
sudo umount ./target-NFS
```
