
Enumerating NFS

General Information

  • portmapper and rpcbind run on TCP 111
  • rpcbind maps RPC services to their listening ports
  • RPC processes notify rpcbind of the following when they start:
    • Ports they're listening on
    • RPC program numbers they expect to serve
  • A client then contacts rpcbind with a particular program number
    • rpcbind redirects the client to the proper TCP port so they can communicate
    • NFS listens on TCP 2049, which is where rpcbind would redirect the client
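The lookup described above, as an added example (this is not code from the original notes): a client builds a portmapper v2 GETPORT call for a program number, sends it to rpcbind on port 111, and rpcbind answers with the port that program listens on (2049 for NFS, an ephemeral port for mountd). The wire layout follows ONC RPC v2 (RFC 5531) and the portmap protocol (RFC 1833). The build_getport_reply() helper is an assumption made only so the decoder can be exercised offline against a constructed reply; on a real network that reply comes from the server.

```python
# Added example: encode a portmapper GETPORT call and decode the reply.
import struct

PMAP_PROG = 100000          # rpcbind / portmapper program number
PMAP_VERS = 2               # portmap v2 is enough for IPv4 port lookups
PMAPPROC_GETPORT = 3
NFS_PROG = 100003
MOUNT_PROG = 100005
IPPROTO_TCP, IPPROTO_UDP = 6, 17
MSG_CALL, MSG_REPLY = 0, 1
AUTH_NULL = 0
RPC_VERSION = 2


def build_getport_call(xid: int, prog: int, vers: int, proto: int) -> bytes:
    """Serialise a CALL asking rpcbind which port serves (prog, vers, proto)."""
    header = struct.pack(">IIIIII", xid, MSG_CALL, RPC_VERSION,
                         PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    cred = struct.pack(">II", AUTH_NULL, 0)     # opaque_auth: flavor, body length
    verf = struct.pack(">II", AUTH_NULL, 0)
    # struct mapping { prog, vers, prot, port }; port is ignored for GETPORT
    args = struct.pack(">IIII", prog, vers, proto, 0)
    return header + cred + verf + args


def tcp_frame(msg: bytes) -> bytes:
    """Over TCP each message carries a record mark: last-fragment bit | length.
    Over UDP the message is sent as-is in one datagram."""
    return struct.pack(">I", 0x80000000 | len(msg)) + msg


def build_getport_reply(xid: int, port: int) -> bytes:
    """Constructed MSG_ACCEPTED / SUCCESS reply carrying one uint32 port
    (0 means the program is not registered). Exists only for offline testing."""
    return (struct.pack(">III", xid, MSG_REPLY, 0)   # reply_stat 0 = MSG_ACCEPTED
            + struct.pack(">II", AUTH_NULL, 0)        # verifier
            + struct.pack(">I", 0)                    # accept_stat 0 = SUCCESS
            + struct.pack(">I", port))


def parse_getport_reply(data: bytes, expected_xid: int) -> int:
    """Decode a GETPORT reply; return the port, or 0 if the program is unregistered."""
    if len(data) < 12:
        raise ValueError("truncated RPC reply")
    xid, msg_type, reply_stat = struct.unpack(">III", data[:12])
    if xid != expected_xid:
        raise ValueError("xid mismatch: reply does not belong to our call")
    if msg_type != MSG_REPLY:
        raise ValueError("not a REPLY message")
    if reply_stat != 0:
        raise ValueError("MSG_DENIED (RPC version mismatch or auth failure)")
    _verf_flavor, verf_len = struct.unpack(">II", data[12:20])
    off = 20 + ((verf_len + 3) & ~3)      # opaque verifier body is padded to 4 bytes
    accept_stat = struct.unpack(">I", data[off:off + 4])[0]
    if accept_stat != 0:
        raise ValueError(f"call not executed, accept_stat={accept_stat}")
    return struct.unpack(">I", data[off + 4:off + 8])[0]


if __name__ == "__main__":
    call = build_getport_call(0x1234, NFS_PROG, 3, IPPROTO_TCP)
    print("GETPORT call (UDP payload):", call.hex())
    print("decoded constructed reply :", parse_getport_reply(build_getport_reply(0x1234, 2049), 0x1234))
```

The same exchange is what rpcinfo and nmap's rpcinfo script perform; PMAPPROC_DUMP (procedure 4) returns the whole table shown in the sample output below instead of one entry. Matching the xid before trusting a reply is what stops a stray or spoofed datagram from being taken as the answer.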


Enumeration

NMAP

Use NMAP to list RPC services:

sudo nmap -sV -p111 --script=rpcinfo <target(s)>

Sample Output

PORT    STATE SERVICE VERSION  
111/tcp open  rpcbind 2-4 (RPC #100000)  
| rpcinfo:    
|   program version    port/proto  service  
|   100000  2,3,4        111/tcp   rpcbind  
|   100000  2,3,4        111/udp   rpcbind  
|   100000  3,4          111/tcp6  rpcbind  
|   100000  3,4          111/udp6  rpcbind  
|   100003  3           2049/udp   nfs  
|   100003  3           2049/udp6  nfs  
|   100003  3,4         2049/tcp   nfs  
|   100003  3,4         2049/tcp6  nfs  
|   100005  1,2,3      39510/udp   mountd  
|   100005  1,2,3      49673/tcp   mountd  
|   100005  1,2,3      58003/udp6  mountd  
|   100005  1,2,3      60221/tcp6  mountd  
|   100021  1,3,4      35587/udp6  nlockmgr  
|   100021  1,3,4      38163/tcp   nlockmgr  
|   100021  1,3,4      44439/tcp6  nlockmgr  
|   100021  1,3,4      52304/udp   nlockmgr  
|   100227  3           2049/tcp   nfs_acl  
|   100227  3           2049/tcp6  nfs_acl  
|   100227  3           2049/udp   nfs_acl  
|_  100227  3           2049/udp6  nfs_acl

Further Enumeration on the Output

TCP 2049 is open in the output above, indicating NFS is likely running on the target. We can use a wildcard to run the whole series of nfs-* NSE scripts against the target (quoted so the shell does not expand the wildcard against the current directory):

sudo nmap -p111 --script="nfs*" <target(s)>

Detecting Available Mounts

If a network file share is exported by the system, the nfs-showmount script returns it in the output:

PORT	STATE SERVICE
111/TCP open  rpcbind
| nfs-showmount:
|_   /<share-name> <target-IP>/<netmask>

Nmap done: 1 IP address (1 host up) scanned in 2.78 seconds


Mounting a Share

cd /tmp # mount here
mkdir my-mount-name # make a directory to mount to
# The -o nolock option prevents file locking for backwards compatibility
# with older NFS servers
sudo mount -o nolock <target-IP>:/<share-name> my-mount-name # <share-name> is the export path reported by nfs-showmount
cd my-mount-name
ls -la # Check for any files or folders in the mount

Example of a file permissions workaround

More info: the no_all_squash / no_root_squash export options in exports(5). With the default sec=sys authentication the server trusts the UID and GID the client presents, so unless all_squash is set, a client user with the same numeric UID as the file owner is treated as that owner.

How could we try to work around this permissions restriction?

rwx------ 1004 1004 48 Jul 15 04:16 secret.txt

  1. On our local Kali machine
    • Create a new temporary user whose UID and GID match the file's owner (1004:1004)
      • sudo groupadd -g 1004 tempgroup   # the group must exist before useradd -g can reference it
      • sudo useradd -u 1004 -g 1004 -m -s /bin/bash tempuser
    • su - tempuser to log in as the new user
    • Try accessing the file in the NFS mount again
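From the defending side, the settings that make the workaround above possible live in /etc/exports. The following added example (not code from the original notes) parses an exports file the way exportfs reads it and flags the options behind the issues discussed: no_root_squash, exports to every host, the insecure option, and AUTH_SYS exports without all_squash, where the server trusts client-asserted UIDs (the page's UID-matching scenario). The sample exports text is constructed for this example; treating a path with no client entry as "*" is an assumption chosen to be conservative.

```python
# Added example: audit /etc/exports for the options that weaken NFS access control.
import re
import shlex

EXPORTS_SAMPLE = """\
# constructed sample /etc/exports, not from any real host
/srv/backup   10.0.0.0/24(rw,sync,no_root_squash)
/srv/public   *(ro,sync,all_squash)
/srv/data     10.0.0.5 (rw)   # space before (rw): rw applies to *, not to 10.0.0.5
/srv/secure   10.0.0.0/24(rw,sync,sec=krb5p,root_squash)
"""

_CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Yield (path, client, [options]) for every client entry in an exports file."""
    text = text.replace("\\\n", " ")                  # join backslash continuations
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)      # quoted paths and '#' comments
        if not tokens:
            continue
        path, clients = tokens[0], tokens[1:]
        if not clients:
            clients = ["*"]                           # assumption: no client entry = every host
        for token in clients:
            m = _CLIENT_RE.match(token)
            if m is None:
                raise ValueError(f"malformed client entry: {token!r}")
            client, opts = m.group(1), m.group(2)
            client = client or "*"                    # bare "(opts)" applies to all hosts (exports(5))
            options = [o for o in (opts or "").split(",") if o]
            yield path, client, options


def audit_exports(text):
    """Return (path, client, finding) tuples for risky export settings."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":
            findings.append((path, client, "world"))          # reachable from any host
            if "rw" in opts:
                findings.append((path, client, "world_rw"))   # and writable by any host
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash"))  # client root = server root
        if "insecure" in opts:
            findings.append((path, client, "insecure"))        # requests from unprivileged ports
        # Default security flavour is sys (AUTH_SYS): the server believes the
        # UID/GID the client sends. Only all_squash or Kerberos-only sec= removes that.
        sec = next((o[4:] for o in opts if o.startswith("sec=")), "sys")
        krb_only = all(f.startswith("krb5") for f in sec.split(":"))
        if not krb_only and "all_squash" not in opts:
            findings.append((path, client, "auth_sys_uid_trust"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(EXPORTS_SAMPLE):
        print(f"{path:<14} {client:<14} {finding}")
```

Run it against a real file with audit_exports(open("/etc/exports").read()). The /srv/data line shows the classic mistake the parser is built to catch: the space before (rw) means 10.0.0.5 gets the defaults and every other host gets read-write access. The /srv/secure line shows the combination that defeats the UID trick: root_squash plus sec=krb5p, so identity comes from Kerberos rather than from whatever UID the client chooses.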