# 2049 - Pentesting NFS Service

<details>

<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>

## **Basic Information**

It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory. It has the same purpose as SMB but it cannot talk to SMB.

The NFS protocol has **no mechanism for authentication** or **authorization**. The authorization is taken from the available information of the file system where the server is responsible for translating the **user information** supplied by the **client** to that of the **file system** and converting the corresponding authorization information as correctly as possible into the syntax required by UNIX.

The most common **authentication is via UNIX `UID`/`GID` and `group memberships`**, which is why this syntax is most likely to be applied to the NFS protocol. One problem is that the **client** and **server** do **not necessarily** have to have the **same mappings of UID/GID** to users and groups. No further checks can be made on the part of the server. This is why NFS should **only** be used with this authentication method in **trusted networks**.

**Default port**: 2049/TCP/UDP (except version 4, it just needs TCP or UDP).

```
2049/tcp open  nfs     2-3 (RPC #100003
```

### Versions

(From <https://academy.hackthebox.com/module/112/section/1068>)

| **Version** | **Features**                                                                                                                                                                                                                                                                 |
| ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `NFSv2`     | It is **older** but is supported by many systems and was initially operated entirely over UDP.                                                                                                                                                                               |
| `NFSv3`     | It has more features, including variable file size and better error reporting, but is not fully compatible with NFSv2 clients.                                                                                                                                               |
| `NFSv4`     | It includes Kerberos, works through firewalls and on the Internet, **no longer requires portmappers**, supports ACLs, applies state-based operations, and provides performance improvements and high **security**. It is also the first version to have a stateful protocol. |

## Enumeration

### Useful nmap scripts

```bash
nfs-ls #List NFS exports and check permissions
nfs-showmount #Like showmount -e
nfs-statfs #Disk statistics and info from NFS share
```

### Useful metasploit modules

```bash
scanner/nfs/nfsmount #Scan NFS mounts and list permissions
```

### Mounting

To know **which folder** has the server **available** to mount you an ask it using:

```bash
showmount -e <IP>
```

Then mount it using:

```bash
mount -t nfs [-o vers=2] <ip>:<remote_folder> <local_folder> -o nolock
```

You should specify to **use version 2** because it doesn't have **any** **authentication** or **authorization**.

**Example:**

```bash
mkdir /mnt/new_back
mount -t nfs [-o vers=2] 10.12.0.150:/backup /mnt/new_back -o nolock
```

## Permissions

If you mount a folder which contains **files or folders only accesible by some user** (by **UID**). You can **create** **locally** a user with that **UID** and using that **user** you will be able to **access** the file/folder.

## NSFShell

To easily list, mount and change UID and GID to have access to files you can use [nfsshell](https://github.com/NetDirect/nfsshell).

[Nice NFSShell tutorial.](https://www.pentestpartners.com/security-blog/using-nfsshell-to-compromise-older-environments/)

## Config files

```
/etc/exports
/etc/lib/nfs/etab
```

### Dangerous settings

(From <https://academy.hackthebox.com/module/112/section/1068>)

| **Option**       | **Description**                                                                                                      |
| ---------------- | -------------------------------------------------------------------------------------------------------------------- |
| `rw`             | Read and write permissions.                                                                                          |
| `insecure`       | Ports above 1024 will be used.                                                                                       |
| `nohide`         | If another file system was mounted below an exported directory, this directory is exported by its own exports entry. |
| `no_root_squash` | All files created by root are kept with the UID/GID 0.                                                               |
| `no_all_squash`  |                                                                                                                      |

## Privilege Escalation using NFS misconfigurations

[NFS no\_root\_squash and no\_all\_squash privilege escalation](/dashboard/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md)

## HackTricks Automatic Commands

```
Protocol_Name: NFS    #Protocol Abbreviation if there is one.
Port_Number:  2049     #Comma separated if there is more than one.
Protocol_Description: Network File System         #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for NFS
  Note: |
    It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory.

    #apt install nfs-common
    showmount 10.10.10.180      ~or~showmount -e 10.10.10.180
    should show you available shares (example /home)

    mount -t nfs -o ver=2 10.10.10.180:/home /mnt/
    cd /mnt
    nano into /etc/passwd and change the uid (probably 1000 or 1001) to match the owner of the files if you are not able to get in

    https://book.hacktricks.xyz/pentesting/nfs-service-pentesting

Entry_2:
  Name: Nmap
  Description: Nmap with NFS Scripts
  Command: nmap --script=nfs-ls.nse,nfs-showmount.nse,nfs-statfs.nse -p 2049 {IP}
```

<details>

<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://breached.gitbook.io/dashboard/network-services-pentesting/nfs-service-pentesting.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.