Enumerating NFS
General Information
- portmapper and rpcbind run on TCP 111
- rpcbind maps RPC services to their listening ports
- RPC processes notify rpcbind of the following when they start:
  - Ports they're listening on
  - RPC program numbers they expect to serve
- A client then contacts rpcbind with a particular program number
- rpcbind redirects the client to the proper TCP port so they can communicate
- NFS listens on TCP 2049, which is where rpcbind would redirect the client
Enumeration
NMAP
sudo nmap -sV -p111 --script=rpcinfo <target(s)>
Use NMAP to list RPC services
PORT STATE SERVICE VERSION
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 39510/udp mountd
| 100005 1,2,3 49673/tcp mountd
| 100005 1,2,3 58003/udp6 mountd
| 100005 1,2,3 60221/tcp6 mountd
| 100021 1,3,4 35587/udp6 nlockmgr
| 100021 1,3,4 38163/tcp nlockmgr
| 100021 1,3,4 44439/tcp6 nlockmgr
| 100021 1,3,4 52304/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
The RPC binding allows access to NFS -- tcp/2049 -- on the target
sudo nmap -p111 --script=nfs* <target(s)>
Enumerate NFS details via the RPC binding
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-showmount:
|_ /helpdesk
| nfs-ls: Volume /helpdesk
| access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION UID GID SIZE TIME FILENAME
| rwx------ 0 0 64 2024-11-02T03:02:00 .
| ?????????? ? ? ? ? ..
| rwx------ 0 0 2484 2024-11-02T03:01:14 baker.crt
| rwx------ 0 0 2029 2024-11-02T03:01:29 baker.key
| rwx------ 0 0 3315 2024-11-02T03:01:40 clark.pfx
| rwx------ 0 0 3315 2024-11-02T03:01:51 lewis.pfx
| rwx------ 0 0 3315 2024-11-02T03:02:00 scott.pfx
|_
| nfs-statfs:
| Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink
|_ /helpdesk 21274620.0 17710196.0 3564424.0 84% 16.0T 1023
The output shows an available NFS share named /helpdesk along with the filenames it contains.
Note the UID and GID of 0: this means you need to be root to read the files on the target (whether a root client actually keeps that access depends on the export's root_squash setting, see the squash notes below).
Mounting the Share
mkdir -p /tmp/10.129.77.115/share_name
Make a directory to host the NFS share from the target
sudo mount -o nolock 10.129.77.115:/share_name /tmp/10.129.77.115/share_name
ls -la /tmp/10.129.77.115/share_name
Show contents of the NFS share
As mentioned above, you must be root to list the contents because the files are owned by UID and GID 0 on the remote filesystem.
Ensure you unmount the share if you're mapping it as part of a CTF, if the target's IP changes, or if the share becomes unavailable; otherwise the filesystem will hang if you try to open the mountpoint again.
sudo umount -f /tmp/10.129.77.115/share_name
File Permissions Abuse
More info here -- no_all_squash/no_root_squash
rwx------ 1004 1004 48 Jul 15 04:16 secret.txt
How could we try to workaround this permissions restriction?
On our local Kali machine:
- Create a new temporary user with the same UID and GID as the file's owner (the group with GID 1004 must already exist locally, otherwise useradd rejects -g)
sudo useradd -u 1004 -g 1004 -m -s /bin/bash tempuser
- su tempuser and log in as the new user
su tempuser
- Try accessing the file in the NFS mount again
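The defender's side of the UID trick above, as an added example that is not part of the original notes: a small Python auditor for /etc/exports that flags exports where a client's asserted UID/GID is honoured (no all_squash), where root is left unsquashed (no_root_squash), where any host may mount, or where unprivileged source ports are accepted (insecure). The exports content is constructed sample data, not the target's real file.

```python
import re
from typing import List, Tuple

# Constructed sample /etc/exports (not the page's target's real file), used as offline input.
SAMPLE_EXPORTS = """\
# helpdesk share handed to every client, with root left unsquashed
/helpdesk *(rw,sync,no_root_squash,no_subtree_check)
/backup 10.129.77.0/24(ro,sync) 10.129.77.115(rw,sync,all_squash,anonuid=65534,anongid=65534)
/public 10.129.77.0/24(ro,sync,all_squash,insecure)
"""

# exports(5) client token: host, then an optional parenthesised option list
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")

def parse_exports(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (path, client, options) for every client of every export line."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        for token in parts[1:]:
            m = CLIENT_RE.match(token)
            if m is None:
                continue  # malformed token, skip it
            # an empty host ("/pub (ro)", note the space) means every host, a classic exports pitfall
            host = m.group(1) or "*"
            opts = [o for o in (m.group(2) or "").split(",") if o]
            records.append((parts[0], host, opts))
    return records

def audit_exports(text: str) -> List[Tuple[str, str, str]]:
    """Return (path, client, finding) for settings that let a client choose its own identity."""
    findings = []
    for path, host, opts in parse_exports(text):
        if host.startswith("*"):
            findings.append((path, host, "exported to any host"))
        if "no_root_squash" in opts:
            findings.append((path, host, "no_root_squash: remote uid 0 stays root"))
        if "all_squash" not in opts:
            # AUTH_SYS trusts the uid/gid the client sends, so a local user created with a
            # matching uid (the tempuser trick above) reads that owner's files
            findings.append((path, host, "no all_squash: client-asserted uid/gid honoured"))
        if "insecure" in opts:
            findings.append((path, host, "insecure: requests from unprivileged source ports accepted"))
    return findings

if __name__ == "__main__":
    for path, host, msg in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:<10} {host:<18} {msg}")
```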
