The Network File System (NFS) was developed by Sun Microsystems and serves the same purpose as SMB: accessing file systems over a network as if they were local. However, it uses an entirely different protocol.

Default ports: 111, 2049

Banner grabbing

nc -nv $IP 111
nc -nv $IP 2049

Versions and Variations

While NFS protocol version 3.0 (NFSv3), which has been in use for many years, authenticates the client computer, this changes with NFSv4.

| Version | Features |
|---------|----------|
| NFSv2 | It is older but is supported by many systems and was initially operated entirely over UDP. |
| NFSv3 | It has more features, including variable file size and better error reporting, but is not fully compatible with NFSv2 clients. |
| NFSv4 | It includes Kerberos, works through firewalls and on the Internet. It is also the first version to have a stateful protocol. |

Nmap

Nmap is a network scanner created by Gordon Lyon. It is used to discover hosts and services on a computer network by sending packets and analyzing the responses.

Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.

# Default NSE scripts with version detection
sudo nmap -sCV -p111,2049 $IP

# Enumerate with all NFS NSE scripts (quoted so the shell does not expand the glob)
sudo nmap --script='nfs*' -sV -p111,2049 $IP

Mounting

Once such an NFS service is discovered, it can be mounted on a local machine.

# Show available shares
showmount -e $IP

# Mounting the share
sudo mkdir -p /mnt/nfs-share
sudo mount -t nfs $IP:<remote_directory> /mnt/nfs-share -o nolock
cd /mnt/nfs-share

# List user names & group names
ls -l /mnt/nfs-share/

# List UIDs & GIDs
ls -n /mnt/nfs-share/

# Unmounting the share (leave the mount point first, otherwise umount reports it as busy)
cd /
sudo umount /mnt/nfs-share

Config files

# Default configuration
cat /etc/exports

Dangerous settings

Some settings can be dangerous for the company and its infrastructure.

| Option | Description |
|--------|-------------|
| rw | Read and write permissions. |
| insecure | Ports above 1024 will be used. |
| nohide | If a file system is mounted beneath an exported directory, it becomes accessible without requiring a separate export entry. |
| no_root_squash | All files created by root are kept with the UID/GID 0. |
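
To check a server's own /etc/exports for the four options above, the following added example (not part of the original page) reports each export and client where one of them is in effect. The names audit_exports and SAMPLE are hypothetical, the sample exports file is constructed, and export paths are assumed to contain no spaces.

```python
import re

# Options the page lists as dangerous, and the option that switches each one off.
DANGEROUS = {"rw": "ro", "insecure": "secure",
             "nohide": "hide", "no_root_squash": "root_squash"}
SAFE = {safe: risky for risky, safe in DANGEROUS.items()}
CLIENT = re.compile(r"^([^()]*)(?:\(([^)]*)\))?$")  # host(opt,opt) / host / (opt)

def audit_exports(text):
    """Return (path, client, option) for each dangerous option in exports(5) text."""
    findings = []
    text = re.sub(r"\\\n", " ", text)              # join backslash-continued lines
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()     # drop comments, tokenize
        if not fields:
            continue
        path, defaults = fields[0], []
        for spec in fields[1:]:
            if spec.startswith("-"):               # "-opt,opt": defaults for later clients
                defaults = spec[1:].split(",")
                continue
            m = CLIENT.match(spec)
            if not m:
                continue
            host = m.group(1) or "*"               # "(rw)" with no host = every client
            active = set()
            for opt in defaults + (m.group(2) or "").split(","):
                if opt in DANGEROUS:
                    active.add(opt)
                elif opt in SAFE:                  # a later option overrides an earlier one
                    active.discard(SAFE[opt])
            findings += [(path, host, opt) for opt in sorted(active)]
    return findings

# Constructed sample, not taken from a real host.
SAMPLE = """\
# /etc/exports
/srv/backups  10.0.0.5(rw,sync,no_root_squash)
/srv/public   *(ro,insecure) \\
              (rw)
/srv/www      -rw,sync web01 audit01(ro)
"""

if __name__ == "__main__":
    for path, host, opt in audit_exports(SAMPLE):
        print(f"{path}\t{host}\t{opt}")
```

A space between a host and its option list, as in `trusted (rw)`, is reported as an export to every client, because exports(5) treats the parenthesised options as a separate entry with no host.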