# 2049 - Pentesting NFS Service

{{#include ../banners/hacktricks-training.md}}

## **Basic Information**

**NFS** is a system designed for **client/server** that enables users to seamlessly access files over a network as though these files were located within a local directory.

**Default port**: 2049/TCP/UDP (except version 4, it just needs TCP or UDP).

```
2049/tcp open  nfs     2-3 (RPC #100003
```

### Authentication

A notable aspect of this protocol is its usual lack of built-in **authentication** or **authorization mechanisms**. Instead, authorization relies on **file system information**, with the server tasked with accurately translating **client-provided user information** into the file system's required **authorization format**, primarily following **UNIX syntax**.

Authentication commonly relies on **UNIX `UID`/`GID` identifiers and group memberships**. However, a challenge arises due to the potential mismatch in **`UID`/`GID` mappings** between clients and servers, leaving no room for additional verification by the server. Moreover, these details are sent by the client and trusted by the server, so a rogue client could potentially **impersonate another user sending more privileged `uid` and `gid`s.

**However, note that by default it's not possible to impersonate the `UID` 0 (root) using NFS. More on this ins the squashing section.**

#### Hosts

For better (or some) authorization, you can specify the **hosts** that can access the NFS share. This can be done in the Linux `/etc/exports` file. For example:

```
/PATH/TO/EXPORT      CLIENT1(OPTIONS1) CLIENT2(OPTIONS2) ...
/media/disk/share   192.168.2.123(rw,sec=krb5p:krb5i) 
```

As you can see, it allows to configure a specific **IP** or **hostname** to access the share. Only that address will be able to access the share.

### Versions

- **NFSv2**: This version is recognized for its broad compatibility with various systems, marking its significance with initial operations predominantly over UDP. Being the **oldest** in the series, it laid the groundwork for future developments.

- **NFSv3**: Introduced with an array of enhancements, NFSv3 expanded on its predecessor by supporting variable file sizes and offering improved error reporting mechanisms. Despite its advancements, it faced limitations in full backward compatibility with NFSv2 clients.

- **NFSv4**: A landmark version in the NFS series, NFSv4 brought forth a suite of features designed to modernize file sharing across networks. Notable improvements include the integration of Kerberos for **high security**, the capability to traverse firewalls and operate over the Internet without the need for portmappers, support for Access Control Lists (ACLs), and the introduction of state-based operations. Its performance enhancements and the adoption of a stateful protocol distinguish NFSv4 as a pivotal advancement in network file sharing technologies.
  - Note that it's very weird to find a Linux host NFS supporting kerberos authentication.

Each version of NFS has been developed with the intent to address the evolving needs of network environments, progressively enhancing security, compatibility, and performance.

### Squashing

As mentioned previously, NFS will usually trust the client's `uid` and `gid` to access the files (if kerberos is not used). However, there are some configurations that can be set in the server to **change this behavior**:

- **all_squash**: It squashes all accesses mapping every user and group to **`nobody`** (65534 unsigned / -2 signed). Therefore, everyone is `nobody` and no users are used.
- **root_squash/no_all_squash**: This is default on Linux and **only squashes access with uid 0 (root)**. Therefore, any `UID` and `GID` are trusted but `0` is squashed to `nobody` (so no root imperonation is possible).
- **no_root_squash**: This configuration if enabled doesn't even squash the root user. This means that if you mount a directory with this configuration you can access it as root.

### Subtree check

Only available on Linux. man(5) exports says: "If a subdirectory of a filesystem is exported, but the whole filesystem isn’t then whenever an NFS request arrives, the server must check not only that the accessed file is in the appropriate filesystem (which is easy) but also that it is in the exported tree (which is harder). This check is called the subtree check."

In Linux the **`subtree_check` feature is disabled** by default.

## Enumeration

### Showmount

This can be used to **get information from an NFSv3 server**, like the list of **exports**, who is **allowed to access** these exports, and which clients are connected (which may be inaccurate if a client disconnects without telling the server). 
In **NFSv4 clients just directly access the / export** and try to access exports from there, failing if it's invalid or unathorized for any reason.

If tools like `showmount` or Metasploit modules don't show information from a NFS port, it's potentially a NFSv4 server that doesn't support version 3. 

```bash
showmount -e <IP>
```

### Useful nmap scripts

```bash
nfs-ls #List NFS exports and check permissions
nfs-showmount #Like showmount -e
nfs-statfs #Disk statistics and info from NFS share
```

### Useful metasploit modules

```bash
scanner/nfs/nfsmount #Scan NFS mounts and list permissions
```

### nfs_analyze

This tool from [https://github.com/hvs-consulting/nfs-security-tooling](https://github.com/hvs-consulting/nfs-security-tooling) can be used to obtain a lot of data from an NFS server like **mounts**, supported NFS versions, conencted IPs, and even if it's possible to **escape from the exports** to other folder sin the FS or **if `no_root_squash` is enabled**.


## Mounting

To know **which folder** has the server **available** to mount you an ask it using:

```bash
showmount -e <IP>
```

Then mount it using:

```bash
mount -t nfs [-o vers=2] <ip>:<remote_folder> <local_folder> -o nolock
```

You should specify to **use version 2** because it doesn't have **any** **authentication** or **authorization**.

**Example:**

```bash
mkdir /mnt/new_back
mount -t nfs [-o vers=2] 10.12.0.150:/backup /mnt/new_back -o nolock
```

## Attacks

### Trusting UID and GID

Ofc, the only problem here is that by default it's not possible to impersonate root (`UID` 0). However, it's possible to impersonate any other user or if `no_root_squash` is enabled you can also impersonate root.

- If you mount a folder which contains **files or folders only accesible by some user** (by **UID**). You can **create** **locally** a user with that **UID** and using that **user** you will be able to **access** the file/folder.
- The tool **`fuse_nfs`** from [https://github.com/hvs-consulting/nfs-security-tooling](https://github.com/hvs-consulting/nfs-security-tooling) will basically send always the needed UID and GID to access the files. 

### SUID Privilege Escalation

Check the page:


{{#ref}}
../linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md
{{#endref}}

### Escaping from the exports

In this [great article](https://www.hvs-consulting.de/en/nfs-security-identifying-and-exploiting-misconfigurations/) it's possible to see that it's possible to **escape from the exports to access other folders in the FS**.

Therefore, if an export is exporting a folder that is a **subfolder** of the **whole filesystem** it's possible to access files outside the export if **`subtree_check`** disabled. And it's **disabled by default in Linux**.

For example, if an NFS server is exporting `/srv/` and `/var/` is in the same filesystem, it's possible to read logs from `/var/log/` or store a webshell in `/var/www/`.

Moreover, note that by default only the root (0) user is protected from being impersonated (check the Squash section). However, if a file is **owned by root but the group is not 0, it's possible to access it**. For example, the file `/etc/shadow` is owned by root but the group is `shadow` (gid 42 on Debian). Therefore, it's possible to read it by default!

The tool **`nfs_analyze`** from [https://github.com/hvs-consulting/nfs-security-tooling](https://github.com/hvs-consulting/nfs-security-tooling) is built to support this attack against the file systems ext4, xfs, btrfs in the version 3 (it should also be posisble in v4).

### NSFShell

To easily list, mount and change UID and GID to have access to files you can use [nfsshell](https://github.com/NetDirect/nfsshell).

[Nice NFSShell tutorial.](https://www.pentestpartners.com/security-blog/using-nfsshell-to-compromise-older-environments/)

## Config files

```
/etc/exports
/etc/lib/nfs/etab
```

## Dangerous settings

- **Read and Write Permissions (`rw`):** This setting allows both reading from and writing to the file system. It's essential to consider the implications of granting such broad access.

- **Use of Insecure Ports (`insecure`):** When enabled, this allows the system to utilize ports above 1024. The security of ports above this range can be less stringent, increasing risk.

- **Visibility of Nested File Systems (`nohide`):** This configuration makes directories visible even if another file system is mounted below an exported directory. Each directory requires its own export entry for proper management.

- **Root Files Ownership (`no_root_squash`):** With this setting, files created by the root user maintain their original UID/GID of 0, disregarding the principle of least privilege and potentially granting excessive permissions.

- **Non-Squashing of All Users (`no_all_squash`):** This option ensures that user identities are preserved across the system, which could lead to permission and access control issues if not correctly handled.

## Privilege Escalation using NFS misconfigurations

[NFS no_root_squash and no_all_squash privilege escalation](../linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md)

## HackTricks Automatic Commands

```
Protocol_Name: NFS    #Protocol Abbreviation if there is one.
Port_Number:  2049     #Comma separated if there is more than one.
Protocol_Description: Network File System         #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for NFS
  Note: |
    NFS is a system designed for client/server that enables users to seamlessly access files over a network as though these files were located within a local directory.

    #apt install nfs-common
    showmount 10.10.10.180      ~or~showmount -e 10.10.10.180
    should show you available shares (example /home)

    mount -t nfs -o ver=2 10.10.10.180:/home /mnt/
    cd /mnt
    nano into /etc/passwd and change the uid (probably 1000 or 1001) to match the owner of the files if you are not able to get in

    https://book.hacktricks.wiki/en/network-services-pentesting/nfs-service-pentesting.html

Entry_2:
  Name: Nmap
  Description: Nmap with NFS Scripts
  Command: nmap --script=nfs-ls.nse,nfs-showmount.nse,nfs-statfs.nse -p 2049 {IP}
```

{{#include ../banners/hacktricks-training.md}}