# Pentesting NFS

## Overview

* Network File System — used for file sharing between Linux/Unix systems
* Ports: TCP/UDP 111 (rpcbind), TCP 2049 (nfs)

## NFS Versions

| Version | Features |
| ------- | -------- |
| NFSv2   | Older, initially entirely over UDP |
| NFSv3   | More features, variable file size, better error reporting, not fully compatible with NFSv2 |
| NFSv4   | Includes Kerberos, works through firewalls and over the internet, no rpcbind needed, supports ACLs, applies state-based operations, improved performance, high security. First version with a stateful protocol. |

## Configuration

* Config file: `/etc/exports`

```
cat /etc/exports
```

### Default Export Options

| Option             | Description                   |
| ------------------ | ----------------------------- |
| rw                 | Read/write                    |
| ro                 | Read only                     |
| sync               | Synchronous transfer          |
| async              | Asynchronous transfer         |
| secure             | Requests must come from source ports below 1024 |
| insecure           | Requests from source ports above 1024 are allowed |
| no\_subtree\_check | Disable subtree checking      |
| root\_squash       | Map root UID/GID to anonymous |

### Dangerous Settings

| Option           | Description                    |
| ---------------- | ------------------------------ |
| rw               | Read/write                     |
| insecure         | High ports allowed             |
| nohide           | Export sub-mounted filesystems |
| no\_root\_squash | Files keep root UID/GID 0      |
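
Added example, not part of the original page: a small auditor that parses `exports(5)` text and reports each client for which an option from the table above is in force. The sample file, the function names, and the rule that the last conflicting option wins are assumptions made for illustration.

```python
import shlex

# Options from the "Dangerous Settings" table, with why each deserves review.
RISKY = {
    "rw": "clients can write to the export",
    "insecure": "requests from source ports above 1024 are accepted",
    "nohide": "sub-mounted filesystems are exposed through the export",
    "no_root_squash": "client root keeps UID/GID 0 on exported files",
}
# Safe counterparts; this sketch assumes the last option listed wins.
CANCELS = {"ro": "rw", "secure": "insecure", "hide": "nohide",
           "root_squash": "no_root_squash"}

def effective_risky(options):
    """Return the risky options still in force after applying them in order."""
    active = []
    for opt in options:
        if opt in RISKY and opt not in active:
            active.append(opt)
        elif CANCELS.get(opt) in active:
            active.remove(CANCELS[opt])
    return active

def audit_exports(text):
    """Return (path, client, option, reason) for each risky option in force."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():  # join continued lines
        fields = shlex.split(line, comments=True)  # drops '#' comments
        if not fields:
            continue
        path, defaults = fields[0], []
        for field in fields[1:]:
            if field.startswith("-"):  # "-opt,opt": defaults for later clients
                defaults = field[1:].split(",")
                continue
            client, _, rest = field.partition("(")
            opts = defaults + [o for o in rest.rstrip(")").split(",") if o]
            for opt in effective_risky(opts):
                findings.append((path, client or "*", opt, RISKY[opt]))
    return findings

# Constructed sample, not taken from a real host.
SAMPLE = """\
/mnt/nfs   10.129.14.0/24(sync,no_subtree_check)
/srv/data  10.129.14.0/24(rw,sync,no_root_squash) 10.129.15.7(ro)
/srv/pub   -rw,insecure 10.129.14.9(ro) 10.129.14.10
"""

for path, client, opt, why in audit_exports(SAMPLE):
    print(f"{path} -> {client}: {opt} ({why})")
```

Pass it the contents of `/etc/exports` to get one finding per path, client and option; an empty list means none of the four options is set.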

### Create NFS Export

```
echo '/mnt/nfs  10.129.14.0/24(sync,no_subtree_check)' >> /etc/exports
systemctl restart nfs-kernel-server
exportfs
```

## Enumeration

### Nmap

```
sudo nmap 10.129.14.128 -p111,2049 -sV -sC
sudo nmap --script "nfs*" 10.129.14.128 -sV -p111,2049
```

* NSE scripts: `nfs-ls`, `nfs-showmount`, `nfs-statfs`, `rpcinfo`

### Show Shares

```
showmount -e 10.129.14.128
```

## Mounting

```
mkdir target-NFS
sudo mount -t nfs 10.129.14.128:/ ./target-NFS/ -o nolock
cd target-NFS
tree .
```

### List with Usernames vs UIDs

```
ls -l mnt/nfs/   # owner and group shown as names
ls -n mnt/nfs/   # owner and group shown as numeric UID/GID
```

### Unmount

```
cd ..
sudo umount ./target-NFS
```
