2049 - Pentesting NFS Service

Reading time: 9 minutes

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Basic Information

NFS is a system designed for client/server that enables users to seamlessly access files over a network as though these files were located within a local directory.

Default port: 2049/TCP/UDP (except version 4, it just needs TCP or UDP).

2049/tcp open  nfs     2-3 (RPC #100003

Authentication

A notable aspect of this protocol is its usual lack of built-in authentication or authorization mechanisms. Instead, authorization relies on file system information, with the server tasked with accurately translating client-provided user information into the file system's required authorization format, primarily following UNIX syntax.

Authentication commonly relies on UNIX UID/GID identifiers and group memberships. However, a challenge arises due to the potential mismatch in UID/GID mappings between clients and servers, leaving no room for additional verification by the server. Moreover, these details are sent by the client and trusted by the server, so a rogue client could potentially **impersonate another user sending more privileged uid and gids.

However, note that by default it's not possible to impersonate the UID 0 (root) using NFS. More on this ins the squashing section.

Hosts

For better (or some) authorization, you can specify the hosts that can access the NFS share. This can be done in the Linux /etc/exports file. For example:

/PATH/TO/EXPORT      CLIENT1(OPTIONS1) CLIENT2(OPTIONS2) ...
/media/disk/share   192.168.2.123(rw,sec=krb5p:krb5i) 

As you can see, it allows to configure a specific IP or hostname to access the share. Only that address will be able to access the share.

Versions

  • NFSv2: This version is recognized for its broad compatibility with various systems, marking its significance with initial operations predominantly over UDP. Being the oldest in the series, it laid the groundwork for future developments.

  • NFSv3: Introduced with an array of enhancements, NFSv3 expanded on its predecessor by supporting variable file sizes and offering improved error reporting mechanisms. Despite its advancements, it faced limitations in full backward compatibility with NFSv2 clients.

  • NFSv4: A landmark version in the NFS series, NFSv4 brought forth a suite of features designed to modernize file sharing across networks. Notable improvements include the integration of Kerberos for high security, the capability to traverse firewalls and operate over the Internet without the need for portmappers, support for Access Control Lists (ACLs), and the introduction of state-based operations. Its performance enhancements and the adoption of a stateful protocol distinguish NFSv4 as a pivotal advancement in network file sharing technologies.

    • Note that it's very weird to find a Linux host NFS supporting kerberos authentication.

Each version of NFS has been developed with the intent to address the evolving needs of network environments, progressively enhancing security, compatibility, and performance.

Squashing

As mentioned previously, NFS will usually trust the client's uid and gid to access the files (if kerberos is not used). However, there are some configurations that can be set in the server to change this behavior:

  • all_squash: It squashes all accesses mapping every user and group to nobody (65534 unsigned / -2 signed). Therefore, everyone is nobody and no users are used.
  • root_squash/no_all_squash: This is default on Linux and only squashes access with uid 0 (root). Therefore, any UID and GID are trusted but 0 is squashed to nobody (so no root imperonation is possible).
  • no_root_squash: This configuration if enabled doesn't even squash the root user. This means that if you mount a directory with this configuration you can access it as root.

Subtree check

Only available on Linux. man(5) exports says: "If a subdirectory of a filesystem is exported, but the whole filesystem isn’t then whenever an NFS request arrives, the server must check not only that the accessed file is in the appropriate filesystem (which is easy) but also that it is in the exported tree (which is harder). This check is called the subtree check."

In Linux the subtree_check feature is disabled by default.

Enumeration

Showmount

This can be used to get information from an NFSv3 server, like the list of exports, who is allowed to access these exports, and which clients are connected (which may be inaccurate if a client disconnects without telling the server).  In NFSv4 clients just directly access the / export and try to access exports from there, failing if it's invalid or unathorized for any reason.

If tools like showmount or Metasploit modules don't show information from a NFS port, it's potentially a NFSv4 server that doesn't support version 3. 

bash
showmount -e <IP>

Useful nmap scripts

bash
nfs-ls #List NFS exports and check permissions
nfs-showmount #Like showmount -e
nfs-statfs #Disk statistics and info from NFS share

Useful metasploit modules

bash
scanner/nfs/nfsmount #Scan NFS mounts and list permissions

nfs_analyze

This tool from https://github.com/hvs-consulting/nfs-security-tooling can be used to obtain a lot of data from an NFS server like mounts, supported NFS versions, conencted IPs, and even if it's possible to escape from the exports to other folder sin the FS or if no_root_squash is enabled.

Mounting

To know which folder has the server available to mount you an ask it using:

bash
showmount -e <IP>

Then mount it using:

bash
mount -t nfs [-o vers=2] <ip>:<remote_folder> <local_folder> -o nolock

You should specify to use version 2 because it doesn't have any authentication or authorization.

Example:

bash
mkdir /mnt/new_back
mount -t nfs [-o vers=2] 10.12.0.150:/backup /mnt/new_back -o nolock

Attacks

Trusting UID and GID

Ofc, the only problem here is that by default it's not possible to impersonate root (UID 0). However, it's possible to impersonate any other user or if no_root_squash is enabled you can also impersonate root.

  • If you mount a folder which contains files or folders only accesible by some user (by UID). You can create locally a user with that UID and using that user you will be able to access the file/folder.
  • The tool fuse_nfs from https://github.com/hvs-consulting/nfs-security-tooling will basically send always the needed UID and GID to access the files.

SUID Privilege Escalation

Check the page:

NFS no_root_squash/no_all_squash misconfiguration PE

Escaping from the exports

In this great article it's possible to see that it's possible to escape from the exports to access other folders in the FS.

Therefore, if an export is exporting a folder that is a subfolder of the whole filesystem it's possible to access files outside the export if subtree_check disabled. And it's disabled by default in Linux.

For example, if an NFS server is exporting /srv/ and /var/ is in the same filesystem, it's possible to read logs from /var/log/ or store a webshell in /var/www/.

Moreover, note that by default only the root (0) user is protected from being impersonated (check the Squash section). However, if a file is owned by root but the group is not 0, it's possible to access it. For example, the file /etc/shadow is owned by root but the group is shadow (gid 42 on Debian). Therefore, it's possible to read it by default!

The tool nfs_analyze from https://github.com/hvs-consulting/nfs-security-tooling is built to support this attack against the file systems ext4, xfs, btrfs in the version 3 (it should also be posisble in v4).

NSFShell

To easily list, mount and change UID and GID to have access to files you can use nfsshell.

Nice NFSShell tutorial.

Config files

/etc/exports
/etc/lib/nfs/etab

Dangerous settings

  • Read and Write Permissions (rw): This setting allows both reading from and writing to the file system. It's essential to consider the implications of granting such broad access.

  • Use of Insecure Ports (insecure): When enabled, this allows the system to utilize ports above 1024. The security of ports above this range can be less stringent, increasing risk.

  • Visibility of Nested File Systems (nohide): This configuration makes directories visible even if another file system is mounted below an exported directory. Each directory requires its own export entry for proper management.

  • Root Files Ownership (no_root_squash): With this setting, files created by the root user maintain their original UID/GID of 0, disregarding the principle of least privilege and potentially granting excessive permissions.

  • Non-Squashing of All Users (no_all_squash): This option ensures that user identities are preserved across the system, which could lead to permission and access control issues if not correctly handled.

Privilege Escalation using NFS misconfigurations

NFS no_root_squash and no_all_squash privilege escalation

HackTricks Automatic Commands

Protocol_Name: NFS    #Protocol Abbreviation if there is one.
Port_Number:  2049     #Comma separated if there is more than one.
Protocol_Description: Network File System         #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for NFS
  Note: |
    NFS is a system designed for client/server that enables users to seamlessly access files over a network as though these files were located within a local directory.

    #apt install nfs-common
    showmount 10.10.10.180      ~or~showmount -e 10.10.10.180
    should show you available shares (example /home)

    mount -t nfs -o ver=2 10.10.10.180:/home /mnt/
    cd /mnt
    nano into /etc/passwd and change the uid (probably 1000 or 1001) to match the owner of the files if you are not able to get in

    https://book.hacktricks.wiki/en/network-services-pentesting/nfs-service-pentesting.html

Entry_2:
  Name: Nmap
  Description: Nmap with NFS Scripts
  Command: nmap --script=nfs-ls.nse,nfs-showmount.nse,nfs-statfs.nse -p 2049 {IP}

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks