pirate.moo's gitbook

NFS


Last updated 1 year ago

Network File System

Developed by Sun Microsystems; same purpose as SMB

  • Access file systems over a network as if they were local

  • Uses an entirely different protocol; NFS is used between Linux and Unix systems.

    • NFS clients can't communicate directly with SMB servers

    • Internet standard: Governs procedures in a distributed file system

    • NFSv3: Protocol version 3.0 has been in use for many years; authenticates the client computer

    • NFSv4: As with Win SMB, the user must authenticate

NFSv2 Older but supported by many systems: UDP

NFSv3 Variable file size/better error reporting: Not fully compatible with v2

NFSv4 Includes Kerberos, works through firewalls, supports ACLs

  • No portmappers, state-based operations, stateful

  • Performance improvements, Security improvements

NFSv4.1 Protocol support to leverage cluster server deployments

  • pNFS: Parallel access to files distributed across multiple servers

  • Multipathing: Session trunking mechanism

Advantages:

  • Only one port (UDP/TCP 2049) is used to run the service

  • Simplifies use across firewalls

ONC-RPC/SUN-RPC:

    • Open Network Computing/RPC protocol on TCP/UDP port 111

    • XDR: External Data Representation: for system-independent exchange of data

    • Authentication is shifted to the RPC protocol's options; authorization is derived from available FS info

      • Server is responsible for translating client's info into FS format

      • Converting corresponding auth into UNIX syntax

      • UID/GID/group memberships

Problems: Client and server don't need to have the same mappings of UID/GID to users/groups

  • The server doesn't need to do anything further and no checks are made

  • /etc/exports: Contains the table of physical file systems on the NFS server accessible by clients

cat /etc/exports # ACL for FS may be exported to clients
# Example for NFSv2/NFSv3
/srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
# Example for NFSv4:
/srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
/srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)

# Default exports file contains examples 
rw # read/write perms
ro # read only perms
sync # sync data xfer (slower)
async # async data xfer (faster)
secure # ports 1024+ not used
insecure # ports 1024+ used
no_subtree_check # disables checking subdir trees
root_squash # assigns all perms of root uid/gid 0 to uid/gid of anon

# Entry test ExportFS
echo '/mnt/nfs  10.10.10.10/24(sync,no_subtree_check)' >> /etc/exports
systemctl restart nfs-kernel-server 
exportfs
/mnt/nfs      	10.10.10.10/24
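
Because the server trusts whatever UID/GID the client presents, the options in /etc/exports are the main control worth reviewing. The script below is an added example, not part of the original notes: it parses exports text and flags risky entries. It assumes plain `path client(options)` entries, runs on a constructed sample, and checks `no_root_squash` and `sec=krb5*`, which are real exports(5) options that do not appear in the list above.

```python
import re

# Constructed sample in /etc/exports syntax (not from a real host).
SAMPLE_EXPORTS = r"""
/srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
/mnt/nfs         10.10.10.10/24(sync,no_subtree_check)
/srv/backup      *(rw,sync,no_root_squash)   # constructed risky entry
/srv/legacy      10.10.10.0/24(rw,insecure) \
                 hostname3(ro)
/srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
"""

CLIENT_RE = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")  # client(opt1,opt2,...)


def parse_exports(text):
    """Yield (path, client, options) for each client entry in exports text."""
    text = re.sub(r"\\\r?\n", " ", text)        # join backslash-continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.fullmatch(spec)
            if m:                               # skip malformed client specs
                opts = set(filter(None, (m.group(2) or "").split(",")))
                yield path, m.group(1) or "*", opts  # "(opts)" alone = any host


def audit(text):
    """Return sorted (path, client, finding) tuples for risky export entries."""
    findings = []
    for path, client, opts in parse_exports(text):
        kerberos = client.startswith("gss/") or any(o.startswith("sec=krb5") for o in opts)
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash: client root keeps UID 0"))
        if "insecure" in opts:
            findings.append((path, client, "insecure: source ports above 1024 accepted"))
        if "rw" in opts and client == "*":
            findings.append((path, client, "rw export open to any host"))
        if "rw" in opts and not kerberos:
            findings.append((path, client, "rw with client-asserted UID/GID, no Kerberos"))
    return sorted(findings)


if __name__ == "__main__":
    for path, client, finding in audit(SAMPLE_EXPORTS):
        print(f"{path:16} {client:16} {finding}")
```

On a server, pass the contents of /etc/exports to `audit()` instead of the sample.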

Footprinting

  • Ports 111, 2049; Can get info via RPC

sudo nmap 10.10.10.10 -p111,2049 -sV -sC --script "nfs*" # NSE scripts; quoted so the shell does not expand the glob

PORT    STATE SERVICE VERSION
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100003  3,4         2049/tcp   nfs
|   100005  1,2,3      47217/tcp6  mountd
|   100021  1,3,4      39542/udp   nlockmgr
|   100227  3           2049/tcp6  nfs_acl
2049/tcp open  nfs_acl 3 (RPC #100227)

Once discovered, we can mount the share on our local machine

  • Create an empty folder where the NFS share will be mounted

  • We can navigate it and view the contents just like our local system

  • If root_squash is set, we can't edit the backup.sh file even as root

showmount -e 10.10.10.10 # show available NFS shares
mkdir moo-share # create folder to mount the share on
sudo mount -t nfs 10.10.10.10:/ ./moo-share/ -o nolock # mount nfs share 

cd moo-share # enter the mounted share
tree . # list folder structure 
ls -l mnt/nfs/ # list contents with user/group names 
ls -n mnt/nfs/ # list contents with UIDs/GIDs 

cd .. # leave the mount point before unmounting
sudo umount ./moo-share # unmount share