Network File System (NFS) shares are the Linux version of Windows SMB shares. These are used for Unix-based machines to share files with each other. Mounting an NFS share allows the remote client to view the files as if they were viewing them locally on the same system.
In this tutorial you will learn how to enumerate and exploit NFS shares. Let’s cover some NFS basics:
- Allows files on a remote Unix-based system to be accessed as if they were local.
- Uses a client-server architecture to allow communication.
- Created in the 1980s.
Want to learn more ethical hacking? I highly recommend buying my book made for beginners to Pentesting Become An Ethical Hacker. Check the price on Amazon.
Setup Vulnerable NFS Share
Part of the ethical hacking course Become An Ethical Hacker (which comes with a free YouTube video guide, by the way) is setting up a vulnerable ethical hacking lab, testlab.local, which includes a vulnerable NFS share.
Setting up and attacking a vulnerable NFS share is missing from a lot of ethical hacking training. This is usually because the “Cybersecurity Bootcamp” that overcharges its customers is run by people who have no idea what they are doing.
The bottom line is that you need to know how to exploit NFS shares in order to become an ethical hacker; that is all there is to it. NFS is not going away anytime soon.
Short version: I created a directory named vuln_share_nfs and set some really insecure settings on it. Then I copied an RSA private and public key into the directory so that NFS will share those files.
I then used sudoedit (which you should use whenever you edit system files owned by root) on the file that controls what NFS shares, /etc/exports.
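As an added illustration (not part of the original tutorial or its lab files), here is a small Python checker that parses exports(5) syntax and flags the standard options that make a share like this one risky; the sample exports text is constructed, and its paths are placeholders.

```python
import re

# Standard exports(5) options that weaken a share; the descriptions are
# this added example's own wording, not the tutorial's lab settings.
RISKY_OPTIONS = {
    "no_root_squash": "remote root keeps uid 0 on the export",
    "insecure": "accepts requests from non-privileged source ports",
}

# Constructed sample; the paths are placeholders, not the tutorial's lab.
SAMPLE_EXPORTS = """
# world-readable and writable, root not squashed
/srv/share   *(rw,sync,no_root_squash,insecure)
/srv/backup  10.0.0.0/24(ro,sync,root_squash)
"""

# host or network, optionally followed by a parenthesised option list
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")

def parse_exports(text):
    """Return (path, client, options) tuples from exports(5) text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)  # path, then whitespace-separated clients
        path = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        for token in rest.split():
            m = CLIENT_RE.match(token)
            if not m:
                continue  # malformed token, e.g. unbalanced parenthesis
            client = m.group(1) or "*"  # bare "(opts)" means every host
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, client, opts))
    return entries

def audit_exports(text):
    """Return human-readable findings for risky export entries."""
    findings = []
    for path, client, opts in parse_exports(text):
        world = client == "*"
        if world:
            findings.append(f"{path}: exported to any host")
        if world and "rw" in opts:
            findings.append(f"{path}: writable by any host")
        for opt in opts:
            if opt in RISKY_OPTIONS:
                findings.append(f"{path} [{client}]: {opt} ({RISKY_OPTIONS[opt]})")
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

Run it against a copy of a real /etc/exports to see which entries would hand a remote client root-equivalent or world-writable access.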
Let’s cover the important details here.
Recon The Target
An nmap scan confirms that NFS is open on the target, port 2049. There’s also WordPress running, which I exploit in this tutorial.
Like Offensive Security says, enumeration is key. How do you enumerate NFS shares? There are two commands to use here:
Mount NFS Share
To mount the NFS share I use
So it looks like there are SSH keys; the filenames give it away. Looking into the text file, it looks like there is a note an admin left for this user, dillon. The contents of this text file are a private RSA key. I can use this key to connect to the target as dillon. But let’s not get ahead of ourselves just yet.
To unmount the NFS share use this command:
First I move back to /home/kali and create a file containing the RSA key. Why not try connecting using the identity file, which should let us avoid entering a password! I try to connect with
Nope! There is an error about the file’s permissions being too open, so I change them to the right level using
Crack RSA Key Passphrases
To crack RSA key passphrases I can still use John, but the key must first be converted into a format John understands. To do this you have to use ssh2john. Get it with
Now I use
This is a good way to escalate privileges, and in Linux privilege escalation anything you can find at all is worth trying.