search

2049 - NFS

NFS security is partially based on the remote user mounting the filesystem having the same UID (User ID) and GID (Group ID) as the owner of that share.

We can find a NFS share if we query port 111 (RPC)

NFS security is partially based on the remote user mounting the filesystem having the same UID (User ID) and GID (Group ID) as the owner of that share. Restrictions can also be placed into the /etc/hosts.allow and /etc/hosts.deny files, but we won’t go into that here. Suffice to say, using the UID and GID as a basis for security isn’t the best way of doing it.

hashtag
Show shares:

showmount -e {IP Address}

hashtag
Mount a share:

  • Don't forget to create the share you mounting to (/mnt/nfs)...

mount {IP Address}:/vol/share /mnt/nfs -nolock nfsserver=3

Example:

root@kali:~# mount -t nfs 192.168.0.42:/var/nfs /mnt/test1 -o nolock

*Mount Windows CIFS / SMB share on Linux at /mnt/cifs if you remove password it will prompt on the CLI (more secure as it wont end up in bash_history)

Using username and password:

mount -t cifs -o ro,domain=[domain],username=[username],password=[password],sec=ntlmv2 //hostnameOrIP/Share /path/to/localdir

Example:

mount -t cifs nfsserver=3 -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs

hashtag
Unmount

root@kali:~# umount -f -l /mnt/test1

hashtag
UID/GID Manipulation

Can use nfsshell or use bash

Add new user with the following commands:

Now we can create ssh keys (ssh-keygen) and able copy the ssh key to the nfs share:

cat ~/.ssh/id_rsa.pub >> /mnt/peter/.ssh/authorized_keys

hashtag
Nfsshell

Link: https://github.com/NetDirect/nfsshellarrow-up-right or nfsshell

Nfsshell is useful for accessing NFS shares without having to create users with the same UID/GID pair as the target exported filesystem

Example:

hashtag
Shell

We can obtain a shell via running the following code:

Previous1521 - Oracle DBNext3306 - MySQL

Last updated