2049 - Pentesting NFS Service
Reading time: 9 minutes
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
NFS is a system designed for client/server that enables users to seamlessly access files over a network as though these files were located within a local directory.
Default port: 2049/TCP/UDP (except version 4, it just needs TCP or UDP).
2049/tcp open nfs 2-3 (RPC #100003
Authentication
A notable aspect of this protocol is its usual lack of built-in authentication or authorization mechanisms. Instead, authorization relies on file system information, with the server tasked with accurately translating client-provided user information into the file system's required authorization format, primarily following UNIX syntax.
Authentication commonly relies on UNIX UID
/GID
identifiers and group memberships. However, a challenge arises due to the potential mismatch in UID
/GID
mappings between clients and servers, leaving no room for additional verification by the server. Moreover, these details are sent by the client and trusted by the server, so a rogue client could potentially **impersonate another user sending more privileged uid
and gid
s.
However, note that by default it's not possible to impersonate the UID
0 (root) using NFS. More on this ins the squashing section.
Hosts
For better (or some) authorization, you can specify the hosts that can access the NFS share. This can be done in the Linux /etc/exports
file. For example:
/PATH/TO/EXPORT CLIENT1(OPTIONS1) CLIENT2(OPTIONS2) ...
/media/disk/share 192.168.2.123(rw,sec=krb5p:krb5i)
As you can see, it allows to configure a specific IP or hostname to access the share. Only that address will be able to access the share.
Versions
-
NFSv2: This version is recognized for its broad compatibility with various systems, marking its significance with initial operations predominantly over UDP. Being the oldest in the series, it laid the groundwork for future developments.
-
NFSv3: Introduced with an array of enhancements, NFSv3 expanded on its predecessor by supporting variable file sizes and offering improved error reporting mechanisms. Despite its advancements, it faced limitations in full backward compatibility with NFSv2 clients.
-
NFSv4: A landmark version in the NFS series, NFSv4 brought forth a suite of features designed to modernize file sharing across networks. Notable improvements include the integration of Kerberos for high security, the capability to traverse firewalls and operate over the Internet without the need for portmappers, support for Access Control Lists (ACLs), and the introduction of state-based operations. Its performance enhancements and the adoption of a stateful protocol distinguish NFSv4 as a pivotal advancement in network file sharing technologies.
- Note that it's very weird to find a Linux host NFS supporting kerberos authentication.
Each version of NFS has been developed with the intent to address the evolving needs of network environments, progressively enhancing security, compatibility, and performance.
Squashing
As mentioned previously, NFS will usually trust the client's uid
and gid
to access the files (if kerberos is not used). However, there are some configurations that can be set in the server to change this behavior:
- all_squash: It squashes all accesses mapping every user and group to
nobody
(65534 unsigned / -2 signed). Therefore, everyone isnobody
and no users are used. - root_squash/no_all_squash: This is default on Linux and only squashes access with uid 0 (root). Therefore, any
UID
andGID
are trusted but0
is squashed tonobody
(so no root imperonation is possible). - no_root_squash: This configuration if enabled doesn't even squash the root user. This means that if you mount a directory with this configuration you can access it as root.
Subtree check
Only available on Linux. man(5) exports says: "If a subdirectory of a filesystem is exported, but the whole filesystem isn’t then whenever an NFS request arrives, the server must check not only that the accessed file is in the appropriate filesystem (which is easy) but also that it is in the exported tree (which is harder). This check is called the subtree check."
In Linux the subtree_check
feature is disabled by default.
Enumeration
Showmount
This can be used to get information from an NFSv3 server, like the list of exports, who is allowed to access these exports, and which clients are connected (which may be inaccurate if a client disconnects without telling the server). In NFSv4 clients just directly access the / export and try to access exports from there, failing if it's invalid or unathorized for any reason.
If tools like showmount
or Metasploit modules don't show information from a NFS port, it's potentially a NFSv4 server that doesn't support version 3.
showmount -e <IP>
Useful nmap scripts
nfs-ls #List NFS exports and check permissions
nfs-showmount #Like showmount -e
nfs-statfs #Disk statistics and info from NFS share
Useful metasploit modules
scanner/nfs/nfsmount #Scan NFS mounts and list permissions
nfs_analyze
This tool from https://github.com/hvs-consulting/nfs-security-tooling can be used to obtain a lot of data from an NFS server like mounts, supported NFS versions, conencted IPs, and even if it's possible to escape from the exports to other folder sin the FS or if no_root_squash
is enabled.
Mounting
To know which folder has the server available to mount you an ask it using:
showmount -e <IP>
Then mount it using:
mount -t nfs [-o vers=2] <ip>:<remote_folder> <local_folder> -o nolock
You should specify to use version 2 because it doesn't have any authentication or authorization.
Example:
mkdir /mnt/new_back
mount -t nfs [-o vers=2] 10.12.0.150:/backup /mnt/new_back -o nolock
Attacks
Trusting UID and GID
Ofc, the only problem here is that by default it's not possible to impersonate root (UID
0). However, it's possible to impersonate any other user or if no_root_squash
is enabled you can also impersonate root.
- If you mount a folder which contains files or folders only accesible by some user (by UID). You can create locally a user with that UID and using that user you will be able to access the file/folder.
- The tool
fuse_nfs
from https://github.com/hvs-consulting/nfs-security-tooling will basically send always the needed UID and GID to access the files.
SUID Privilege Escalation
Check the page:
NFS no_root_squash/no_all_squash misconfiguration PE
Escaping from the exports
In this great article it's possible to see that it's possible to escape from the exports to access other folders in the FS.
Therefore, if an export is exporting a folder that is a subfolder of the whole filesystem it's possible to access files outside the export if subtree_check
disabled. And it's disabled by default in Linux.
For example, if an NFS server is exporting /srv/
and /var/
is in the same filesystem, it's possible to read logs from /var/log/
or store a webshell in /var/www/
.
Moreover, note that by default only the root (0) user is protected from being impersonated (check the Squash section). However, if a file is owned by root but the group is not 0, it's possible to access it. For example, the file /etc/shadow
is owned by root but the group is shadow
(gid 42 on Debian). Therefore, it's possible to read it by default!
The tool nfs_analyze
from https://github.com/hvs-consulting/nfs-security-tooling is built to support this attack against the file systems ext4, xfs, btrfs in the version 3 (it should also be posisble in v4).
NSFShell
To easily list, mount and change UID and GID to have access to files you can use nfsshell.
Config files
/etc/exports
/etc/lib/nfs/etab
Dangerous settings
-
Read and Write Permissions (
rw
): This setting allows both reading from and writing to the file system. It's essential to consider the implications of granting such broad access. -
Use of Insecure Ports (
insecure
): When enabled, this allows the system to utilize ports above 1024. The security of ports above this range can be less stringent, increasing risk. -
Visibility of Nested File Systems (
nohide
): This configuration makes directories visible even if another file system is mounted below an exported directory. Each directory requires its own export entry for proper management. -
Root Files Ownership (
no_root_squash
): With this setting, files created by the root user maintain their original UID/GID of 0, disregarding the principle of least privilege and potentially granting excessive permissions. -
Non-Squashing of All Users (
no_all_squash
): This option ensures that user identities are preserved across the system, which could lead to permission and access control issues if not correctly handled.
Privilege Escalation using NFS misconfigurations
NFS no_root_squash and no_all_squash privilege escalation
HackTricks Automatic Commands
Protocol_Name: NFS #Protocol Abbreviation if there is one.
Port_Number: 2049 #Comma separated if there is more than one.
Protocol_Description: Network File System #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for NFS
Note: |
NFS is a system designed for client/server that enables users to seamlessly access files over a network as though these files were located within a local directory.
#apt install nfs-common
showmount 10.10.10.180 ~or~showmount -e 10.10.10.180
should show you available shares (example /home)
mount -t nfs -o ver=2 10.10.10.180:/home /mnt/
cd /mnt
nano into /etc/passwd and change the uid (probably 1000 or 1001) to match the owner of the files if you are not able to get in
https://book.hacktricks.wiki/en/network-services-pentesting/nfs-service-pentesting.html
Entry_2:
Name: Nmap
Description: Nmap with NFS Scripts
Command: nmap --script=nfs-ls.nse,nfs-showmount.nse,nfs-statfs.nse -p 2049 {IP}
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.