> For the complete documentation index, see [llms.txt](https://docs.wehost.co.in/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.wehost.co.in/cybersecurity/nfs-attacks.md). # NFS Attacks | **Version** | **Features** | | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `NFSv2` | It is older but is supported by many systems and was initially operated entirely over \[\[UDP]]. | | `NFSv3` | It has more features, including variable file size and better error reporting, but is not fully compatible with NFSv2 clients. | | `NFSv4` | It includes \[\[Kerberos]], works through \[\[firewalls]] and on the Internet, no longer requires portmappers, supports ACLs, applies state-based operations, and provides performance improvements and high security. It is also the first version to have a stateful protocol. | * uses Remote Procedure Call (RPC) ### Default Configuration ```shell-session cat /etc/exports ``` ```shell-session # /etc/exports: the access control list for filesystems which may be exported # to NFS clients. See exports(5). # # Example for NFSv2 and NFSv3: # /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check) # # Example for NFSv4: # /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check) # /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check) ``` | **Option** | **Description** | | ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------- | | `rw` | Read and write permissions. | | `ro` | Read only permissions. | | `sync` | Synchronous data transfer. (A bit slower) | | `async` | Asynchronous data transfer. (A bit faster) | | `secure` | Ports above 1024 will not be used. | | `insecure` | Ports above 1024 will be used. | | `no_subtree_check` | This option disables the checking of subdirectory trees. | | `root_squash` | Assigns all permissions to files of root UID/GID 0 to the UID/GID of anonymous, which prevents `root` from accessing files on an NFS mount. | ### Dangerous Settings | **Option** | **Description** | | ---------------- | -------------------------------------------------------------------------------------------------------------------- | | `rw` | Read and write permissions. | | `insecure` | Ports above 1024 will be used. | | `nohide` | If another file system was mounted below an exported directory, this directory is exported by its own exports entry. | | `no_root_squash` | All files created by root are kept with the UID/GID 0. | ### Footprinting the Service * When foot printing NFS, the TCP ports `111` and `2049` are essential #### Nmap * \[\[Nmap]] ```shell-session sudo nmap 10.129.14.128 -p111,2049 -sV -sC ``` ```shell-session Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 17:12 CEST Nmap scan report for 10.129.14.128 Host is up (0.00018s latency). PORT STATE SERVICE VERSION 111/tcp open rpcbind 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100000 3,4 111/tcp6 rpcbind | 100000 3,4 111/udp6 rpcbind | 100003 3 2049/udp nfs | 100003 3 2049/udp6 nfs | 100003 3,4 2049/tcp nfs | 100003 3,4 2049/tcp6 nfs | 100005 1,2,3 41982/udp6 mountd | 100005 1,2,3 45837/tcp mountd | 100005 1,2,3 47217/tcp6 mountd | 100005 1,2,3 58830/udp mountd | 100021 1,3,4 39542/udp nlockmgr | 100021 1,3,4 44629/tcp nlockmgr | 100021 1,3,4 45273/tcp6 nlockmgr | 100021 1,3,4 47524/udp6 nlockmgr | 100227 3 2049/tcp nfs_acl | 100227 3 2049/tcp6 nfs_acl | 100227 3 2049/udp nfs_acl |_ 100227 3 2049/udp6 nfs_acl 2049/tcp open nfs_acl 3 (RPC #100227) MAC Address: 00:00:00:00:00:00 (VMware) ``` **Nmap Script Offensive** ```shell-session sudo nmap --script nfs* 10.129.14.128 -sV -p111,2049 ``` ```shell-session Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 17:37 CEST Nmap scan report for 10.129.14.128 Host is up (0.00021s latency). PORT STATE SERVICE VERSION 111/tcp open rpcbind 2-4 (RPC #100000) | nfs-ls: Volume /mnt/nfs | access: Read Lookup NoModify NoExtend NoDelete NoExecute | PERMISSION UID GID SIZE TIME FILENAME | rwxrwxrwx 65534 65534 4096 2021-09-19T15:28:17 . | ?????????? ? ? ? ? .. | rw-r--r-- 0 0 1872 2021-09-19T15:27:42 id_rsa | rw-r--r-- 0 0 348 2021-09-19T15:28:17 id_rsa.pub | rw-r--r-- 0 0 0 2021-09-19T15:22:30 nfs.share |_ | nfs-showmount: |_ /mnt/nfs 10.129.14.0/24 | nfs-statfs: | Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink |_ /mnt/nfs 30313412.0 8074868.0 20675664.0 29% 16.0T 32000 | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100000 3,4 111/tcp6 rpcbind | 100000 3,4 111/udp6 rpcbind | 100003 3 2049/udp nfs | 100003 3 2049/udp6 nfs | 100003 3,4 2049/tcp nfs | 100003 3,4 2049/tcp6 nfs | 100005 1,2,3 41982/udp6 mountd | 100005 1,2,3 45837/tcp mountd | 100005 1,2,3 47217/tcp6 mountd | 100005 1,2,3 58830/udp mountd | 100021 1,3,4 39542/udp nlockmgr | 100021 1,3,4 44629/tcp nlockmgr | 100021 1,3,4 45273/tcp6 nlockmgr | 100021 1,3,4 47524/udp6 nlockmgr | 100227 3 2049/tcp nfs_acl | 100227 3 2049/tcp6 nfs_acl | 100227 3 2049/udp nfs_acl |_ 100227 3 2049/udp6 nfs_acl 2049/tcp open nfs_acl 3 (RPC #100227) MAC Address: 00:00:00:00:00:00 (VMware) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds ``` ### Show Available NFS Shares ```shell-session showmount -e 10.129.14.128 ``` ```shell-session Export list for 10.129.14.128: /mnt/nfs 10.129.14.0/24 ``` ### Mounting NFS Share ```shell-session mkdir target-NFS ``` ```shell-session sudo mount -t nfs 10.129.14.128:/ ./target-NFS/ -o nolock ``` ```shell-session cd target-NFS tree . ``` ### List Contents with Usernames & Group Names ```shell-session ls -l mnt/nfs/ ``` ```shell-session total 16 -rw-r--r-- 1 cry0l1t3 cry0l1t3 1872 Sep 25 00:55 cry0l1t3.priv -rw-r--r-- 1 cry0l1t3 cry0l1t3 348 Sep 25 00:55 cry0l1t3.pub -rw-r--r-- 1 root root 1872 Sep 19 17:27 id_rsa -rw-r--r-- 1 root root 348 Sep 19 17:28 id_rsa.pub -rw-r--r-- 1 root root 0 Sep 19 17:22 nfs.share ``` ### List Contents with UIDs & GUIDs ```shell-session ls -n mnt/nfs/ ``` ```shell-session total 16 -rw-r--r-- 1 1000 1000 1872 Sep 25 00:55 cry0l1t3.priv -rw-r--r-- 1 1000 1000 348 Sep 25 00:55 cry0l1t3.pub -rw-r--r-- 1 0 1000 1221 Sep 19 18:21 backup.sh -rw-r--r-- 1 0 0 1872 Sep 19 17:27 id_rsa -rw-r--r-- 1 0 0 348 Sep 19 17:28 id_rsa.pub -rw-r--r-- 1 0 0 0 Sep 19 17:22 nfs.share ``` ### Unmounting ```shell-session sudo umount ./target-NFS ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.wehost.co.in/cybersecurity/nfs-attacks.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.