# NFS (Network File System) Pentesting

## NFS (Network File System) Pentesting <a href="#nfs-network-file-system-pentesting" id="nfs-network-file-system-pentesting"></a>

NFS is a distributed file system protocol that allows a user on a client computer to access files over a computer network much like local storage is accessed. Default ports are 111, 2049.

### Enumeration <a href="#enumeration" id="enumeration"></a>

```
nmap --script=nfs-ls,nfs-statfs,nfs-showmount -p 111,2049 <target-ip>
```

### Mounting Folders <a href="#mounting-folders" id="mounting-folders"></a>

#### 1. Check if there are folders available to mount on the remote machine. <a href="#id-1-check-if-there-are-folders-avaiable-to-mount-in-remote-machine" id="id-1-check-if-there-are-folders-avaiable-to-mount-in-remote-machine"></a>

```
showmount -e <target-ip>
```

If you get the error `showmount: command not found`, install `nfs-common`.

```
apt-cache search showmount
sudo apt install nfs-common
```
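The `showmount -e` listing is the first place to look for exports that any host may mount (a client list of `*`). The script below, an added example that is not part of the original page, parses that listing from stdin and prints the world-mountable paths; the sample output is constructed in the format `showmount -e` prints, and the hostname `*.lab.example` is there to show that only a bare `*` is reported.

```shell
#!/bin/sh
# Added example (not part of the original page): parse `showmount -e` output
# and report exports whose client list contains "*", i.e. exports that every
# host on the network is allowed to mount. Reads stdin, so it works on a
# saved listing as well as a live run:
#   showmount -e <target-ip> | nfs_open_exports

# Print "path<TAB>clients" for each export line, skipping the header line.
nfs_parse_exports() {
    awk '/^Export list/ { next }
         NF >= 2 { print $1 "\t" $2 }'
}

# Print only the paths whose comma-separated client list contains a bare "*".
nfs_open_exports() {
    nfs_parse_exports | awk -F '\t' '{
        n = split($2, clients, ",")
        for (i = 1; i <= n; i++) {
            if (clients[i] == "*") { print $1; break }
        }
    }'
}

# Constructed sample listing (not real output from any host).
SAMPLE_SHOWMOUNT='Export list for 10.0.0.5:
/srv/share       *
/home/backup     10.0.0.0/24,192.168.1.10
/var/www         *.lab.example,10.0.0.7'

# Demo: prints /srv/share, the only export open to everyone.
printf '%s\n' "$SAMPLE_SHOWMOUNT" | nfs_open_exports
```

Pipe a live `showmount -e <target-ip>` into `nfs_open_exports` to get the same report for a real host; an empty result means every export is restricted to named clients or networks.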

#### 2. Mount to local folder <a href="#id-2-mount-to-local-folder" id="id-2-mount-to-local-folder"></a>

If we find an exported folder, we can mount it to a local folder.\
Create a new folder under **/mnt**.

```
sudo mkdir /mnt/test
```

Now mount a folder.

```
# -t: filesystem type (nfs)
# -o nolock: disables file locking (lockd). Required for older NFS servers.
sudo mount -t nfs <target-ip>:/target/dir /mnt/test -o nolock

# -o vers=2: force NFS version 2, for servers that refuse the version the client picks by default
sudo mount -t nfs <target-ip>:/target/dir /mnt/test -o nolock -o vers=2
```

#### 3. Confirm mounting successfully <a href="#id-3-confirm-mounting-successfully" id="id-3-confirm-mounting-successfully"></a>

```
ls /mnt/test
```

#### 4. Clean up the mounted folder after investigation <a href="#id-4-clean-up-the-mounted-folder-after-investigation" id="id-4-clean-up-the-mounted-folder-after-investigation"></a>

```
sudo umount /mnt/test
sudo rm -r /mnt/test
```

#### ⚠️Folder Permission Bypass <a href="#folder-permission-bypass" id="folder-permission-bypass"></a>

```
ls -al /mnt/

drwx------ 2 1005 1005 4096 Jan 1 00:00 test
```

The permissions on the mounted folder are the server's: NFS carries the owner's numeric UID/GID, and the client resolves them locally, which is why the listing shows `1005` instead of a name. If we don't have permission, we can create a new user with the **same UID/GID** and gain access to the folder.

```
# 1. Create a new group with GID 1005
sudo groupadd -g 1005 tester

# 2. Create a new user with UID & GID 1005
sudo useradd -u 1005 -g 1005 tester

# 3. Set a password for the `tester` user
sudo passwd tester

# 4. Switch to the `tester` user with the password
su tester
```

Now that we have permission on the mounted folder, we can operate on it.
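The `1005 1005` owner in the listing above is the whole basis of the technique: with the default AUTH_SYS flavour, NFS transports numeric IDs only, so any entry owned by a UID with no local account is reachable by anyone who can create that UID on a client. The script below, an added example that is not part of the original page, audits a mount for exactly those entries by comparing an `ls -ln` listing against a passwd file; both inputs are constructed sample files here so it runs offline, and the function and file names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original page): list files on an NFS mount
# whose numeric owner UID does not map to any local account.
#
# Usage: nfs_unmapped_owners LISTING PASSWD
#   LISTING: output of `ls -ln <mountpoint>` (numeric owners, 9 columns)
#   PASSWD : passwd-format file, normally /etc/passwd
# Prints "uid gid name" for every entry whose UID has no passwd line.
nfs_unmapped_owners() {
    listing=$1
    passwd=$2
    # Collect the UIDs (third passwd field) that do resolve locally.
    known_uids=$(cut -d ':' -f 3 "$passwd" | tr '\n' ' ')
    awk -v known="$known_uids" '
        BEGIN { n = split(known, ids, " "); for (i = 1; i <= n; i++) seen[ids[i]] = 1 }
        /^total / { next }                      # skip the "total N" summary line
        NF >= 9 && !($3 in seen) { print $3, $4, $9 }
    ' "$listing"
}

# Distinct unmapped UIDs, one per line: the IDs a matching local user would need.
nfs_unmapped_uids() {
    nfs_unmapped_owners "$1" "$2" | awk '{ print $1 }' | sort -u
}

# Constructed sample inputs (not captured from any real system).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/listing" <<'EOF'
total 12
drwx------ 2 1005 1005 4096 Jan 1 00:00 test
drwxr-xr-x 2 0    0    4096 Jan 1 00:00 public
-rw-r----- 1 1005 1005  512 Jan 1 00:00 secrets.txt
EOF
cat > "$tmpdir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF

# Demo: reports "test" and "secrets.txt" (owner 1005), not "public" (owner 0).
nfs_unmapped_owners "$tmpdir/listing" "$tmpdir/passwd"
```

Run against a live mount with `ls -ln /mnt/test > listing; nfs_unmapped_owners listing /etc/passwd`. On the server side the same comparison, run over the exported directory against the server's own `/etc/passwd`, shows which exported files rely on nothing more than a UID number for protection.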
