NFS Service - Port 2049

Basic info

The Network File System (NFS) allows file sharing across Unix-like systems over a network. While convenient, NFS often exposes sensitive data and trust relationships due to misconfigurations or outdated security models. This guide delivers in-depth methods for discovering, analyzing, and exploiting NFS services during penetration testing engagements.

Identifying NFS Services During Network Reconnaissance

Port Scanning and Service Enumeration

NFS uses the following ports:

  • TCP/UDP 2049 – NFS Service

  • TCP/UDP 111 – Portmapper (rpcbind)

Run a detailed Nmap scan:

Check for exposed mount points and exports.


Enumerating NFS Exports

Using showmount

Check accessible NFS shares:

Example output:

  • * means accessible from any host

  • CIDR indicates trusted networks

Bypassing IP-based Access Controls

Use spoofed IP addresses or proxy from allowed subnets. In some cases, a misconfigured DNS resolution can allow access even if IP-based restrictions are in place.


Mounting NFS Shares and Privilege Analysis

Mounting an Export Locally

Check for files with improper permissions or user credentials.

UID/GID Mappings and Root Squashing

By default, NFS applies root squashing: remote root becomes nfsnobody. Check the /etc/exports configuration for the no_root_squash option:

If no_root_squash is set, root access is preserved, allowing privilege escalation.
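
From the server side, the same conditions can be checked before an attacker finds them. The following is an added example, not part of the original guide: it audits /etc/exports text for no_root_squash and for exports open to any host. The sample exports content, the function name audit_exports and the finding strings are assumptions made for illustration; quoted paths and "-option" default lists are not handled.

```python
import re

# Constructed sample /etc/exports content (not from the original page).
SAMPLE_EXPORTS = """\
# constructed example
/srv/public   *(ro,root_squash)
/srv/backup   10.0.5.0/24(rw,no_root_squash)
/home         192.168.1.10(rw) *(rw,no_root_squash)
/srv/scratch  build01 (rw)
"""

# A client entry is "host(opt,opt,...)"; host or the option list may be absent.
CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^)]*)\))?$")

def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    # Join backslash-continued lines, which exports(5) allows.
    text = text.replace("\\\n", " ")
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        tokens = line.split()
        path, clients = tokens[0], tokens[1:]
        for tok in clients:
            m = CLIENT_RE.match(tok)
            if not m:
                continue
            host = m.group("host")
            opts = set(filter(None, (m.group("opts") or "").split(",")))
            # An empty host, e.g. the stray space in "build01 (rw)",
            # applies the options to every client, just like "*".
            world = host in ("", "*")
            label = host or "<any host>"
            if "no_root_squash" in opts:
                findings.append((path, label, "no_root_squash: remote root keeps UID 0"))
            if world:
                findings.append((path, label, "exported to any host"))
            if world and "rw" in opts:
                findings.append((path, label, "world-writable export"))
    return findings

if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {client:16} {issue}")
```

The /srv/scratch line shows a common mistake: the space before "(rw)" grants read-write access to every host, while build01 only gets the defaults.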


Exploiting no_root_squash for Remote Code Execution

Step-by-Step Attack

  1. Create a SUID Binary on Mounted Share

  2. Trigger Execution on Target: If the NFS share is mounted by a target system, wait for the binary to sync and then trigger execution through a scheduled task or user login.

  3. Gain Shell with Root Privileges


Enumerating and Extracting Sensitive Files

Commands to Discover Valuable Files

Look for:

  • SSH private keys

  • Database credentials

  • Password backup files

  • Misconfigured .bashrc, .profile, or crontabs

