How To Enumerate And Exploit NFS Shares

Network File System (NFS) shares are the Linux version of Windows SMB shares. These are used for Unix-based machines to share files with each other. Mounting an NFS share allows the remote client to view the files as if they were viewing them locally on the same system.

In this tutorial you will learn how to enumerate and exploit NFS shares. Let’s cover some NFS basics:

• Allows remote file sharing locally between Unix-based systems.
• Uses the server-client architecture to allow communication.
• Created in the 1980s.

Want to learn more ethical hacking? I highly recommend buying my book made for beginners to Pentesting Become An Ethical Hacker. Check the price on Amazon.

Setup Vulnerable NFS Share

Part of the ethical hacking course Become An Ethical Hacker (which comes with a free Youtube tutorial video guide by the way) is setting up a vulnerable ethical hacking lab testlab.local which includes a vulnerable NFS share.

Setting up and attacking a vulnerable NFS share is missing from a lot of ethical hacking training, this is usually because the “Cybersecurity Bootcamp” that overcharges its customers taking it has people who have no idea what they are doing running the show.

The bottom line is you need to know how to exploit NFS shares in order to become an ethical hacker, that is all there is to it. NFS is not going away anytime soon.

Short version: I created a directory named vuln_share_nfs and set some really insecure settings in it. Then I copied an RSA private and public key over to the directory so that NFS will share these files.root@beh-VirtualBox:/home/dillon/.ssh# cp id_rsa /mnt/vuln_share_nfs/id_rsa

Using the sudoedit command, you should use this when editing system files owned by root…I then used it on the file that handles NFS share, /etc/exports beh@beh-VirtualBox:/mnt/vuln_share_nfs$ sudoedit /etc/exports.

Let’s cover the important details here. /mnt/vuln_share_nfs defines the share name and location along with some permissions.

Recon The Target

An nmap scan confirms that NFS is open on the target, port 2049. There’s also WordPress running which I exploit in this tutorial.

Like Offensive Security says, enumeration is key. How do you enumerate NFS shares? There are two commands to use here, showmount 10.0.0.77 and showmount -e 10.0.0.77 with two different outputs. As you can guess, an empty output suggests there is nothing to mount. The first shows basic info about the NFS Server and the second shows the available remote NFS shares on the target.

Mount NFS Share

To mount the NFS share I use sudo mount -t nfs 10.0.0.77:/ /mnt -o nolock where /mnt means to mount the shared directory in the local /mnt folder on Kali Linux (client). The -t nfs part means type=NFS pretty simple explanation there. 10.0.0.77:/ is the remote mount we found this during the recon step during NFS enumeration. You could also do sudo mount -t nfs 10.0.0.77:/mnt/vuln_nfs_share /mnt -o nolock as well.

So it looks like there are SSH keys, the filenames gives it away. Looking into the text file it looks like there is a note an admin left for this user dillon. The contents of this text file is a private RSA key. I can use this key to connect to the target as dillon. But let’s not get ahead of ourselves just yet.

To unmount the NFS share use this command: root@kali:/mnt/mnt/vuln_share_nfs# umount -l /mnt where /mnt is the mount location on the Kali machine.

First I move back to /home/kali and create a file with the RSA key. Why not try connecting using the idenity file which should help us avoid putting in a password! I try to connect with ssh [email protected] -i id_rsa but it fails.

Nope! There is an error about permissions being too open for the file so I change them to the right level by using chmod 600 dillon-privkey and give it another go. Still failing! Looks like it wants a passphrase. This was entered by the user when the SSH key pair was first created. They didn’t leave it blank this time it seems.

Crack RSA Key Passphrases

To crack RSA key passphrases I can use John still, but it must be formatted correctly. To do this you have to use ssh2john. Get it with wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/ssh2john.py on Kali Linux.

Now I use python3 ssh2john.py dillon_privkey > dillon.hash to format the RSA key into the right format then use john –w=/usr/share/wordlists/rockyou.txt dillon.hash to crack the passphrase which turns out to be a simple one. I then use the passphrase to successfully connect to the target as the user dillon.

This is a good way to escalate privileges and in Linux privilege escalation, anything you can find at all is worth trying.