NFS (Network File System) Pentesting

Last modified: 2023-10-26


NFS is a distributed file system protocol that allows a user on a client computer to access files over a computer network much like local storage is accessed. Default ports are 111, 2049.


nmap --script=nfs-ls,nfs-statfs,nfs-showmount -p 111,2049 <target-ip>

Mounting Folders

1. Check if there are folders avaiable to mount in remote machine.

showmount -e <target-ip>

By the way, If you get error "showmount: command not found", install nfs-common.

apt-cache search showmount
sudo apt install nfs-common

2. Mount to local folder

If we find a folder available, we can mount it to local folder.
Create a new folder under /mnt.

sudo mkdir /mnt/test

Now mount a folder.

# -t: Type
# -o nolock: Option. 'nolock' disables file locking. It's required for older NFS servers.
sudo mount -t nfs <target-ip>:/target/dir /mnt/test -o nolock

# -o vers=2: 
sudo mount -t nfs <target-ip>:/target/dir /mnt/test -o nolock -o vers=2

3. Confirm mounting successfully

ls /mnt/test

4. Clean up the mounted folder after investigation

sudo umount /mnt/test
sudo rm -r /mnt/test

⚠️Folder Permission Bypass

ls -al /mnt/

drwx------ 2 1005 1005 4096 Jan 1 00:00 test

The permission of the mounted folder is affected by the server's one. If we don't have the permission, we can create a new user with the same UID/GID and gain access to the folder.

# 1. Create a new group with GID 1005
groupadd -g 1005 tester

# 2. Create a new user with UID & GID 1005
useradd -u 1005 -g 1005 tester

# 3. Create a new password for `evil` user
passwd tester

# 4. Switch `evil` user with the password
su tester

Now since we have a permission of the mounted folder, we can operate this folder.