GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/auxiliary/scanner/nfs/nfsmount.md
Vulnerable Application

NFS is very common, and this scanner searches for a misconfiguration (over-permissive exports), not a vulnerable software version. Installation instructions for NFS exist for every operating system; the Ubuntu instructions can be used as an example for installing and configuring NFS. The following was done on Kali Linux:

  1. apt-get install nfs-kernel-server

  2. Create folders to share and add them to exports (adjust 192.168.1.x as needed):

```
mkdir /tmp/star
echo "/tmp/star *(rw,no_subtree_check)" >> /etc/exports
mkdir /tmp/not_us_hostname
echo "/tmp/not_us_hostname foo(rw,no_subtree_check)" >> /etc/exports
mkdir /tmp/us_hostname
echo "/tmp/us_hostname bar(rw,no_subtree_check)" >> /etc/exports
mkdir /tmp/not_us_ip
echo "/tmp/not_us_ip 1.1.1.1(rw,no_subtree_check)" >> /etc/exports
mkdir /tmp/us_ip
echo "/tmp/us_ip 192.168.1.111(rw,no_subtree_check)" >> /etc/exports
mkdir /tmp/not_us_subnet
echo "/tmp/not_us_subnet 1.1.1.1/24(rw,no_subtree_check)" >> /etc/exports
mkdir /tmp/us_subnet
echo "/tmp/us_subnet 192.168.1.1/24(rw,no_subtree_check)" >> /etc/exports
mkdir /tmp/not_us_netmask
echo "/tmp/not_us_netmask 1.1.1.1/255.255.255.0(rw,no_subtree_check)" >> /etc/exports
mkdir /tmp/us_netmask
echo "/tmp/us_netmask 192.168.1.1/255.255.255.0(rw,no_subtree_check)" >> /etc/exports
mkdir /tmp/empty
echo "/tmp/empty (rw,no_subtree_check)" >> /etc/exports
```

  3. Restart the service: service nfs-kernel-server restart

Options

PROTOCOL

Which networking protocol to use. Options are udp and tcp. Defaults to udp.

LHOST

IP to match shares against if Mountable is true. Defaults to the detected local IP address.

HOSTNAME

Hostname to match shares against if Mountable is true. Defaults to the empty string, so hostname-restricted exports are only reported as mountable when this is set.

Advanced Options

Mountable

Determine whether each export is mountable from this host, by matching the export's client list against LHOST and HOSTNAME. Defaults to true. Pre-2022 behavior was false (every export was simply listed).
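As an added illustration of the Mountable decision described above (example code written for these notes, not the module's own implementation), the following Ruby script parses showmount -e style output and applies the same kind of rule: an export is flagged mountable when its client list is empty or "*", or when an entry matches LHOST (plain IP, CIDR prefix or dotted netmask) or HOSTNAME (exact or exports(5)-style wildcard). The sample export list is constructed from the output shown in these docs, with a few extra lines (us_hostname, not_us_hostname, a multi-entry list) added to exercise the hostname and list cases; the LHOST and HOSTNAME values used in the demo run are assumptions.

```ruby
require 'ipaddr'

# Constructed sample, modelled on the showmount -e output shown in these docs,
# with extra lines added to exercise hostname and multi-entry cases.
SAMPLE_EXPORTS = <<~EXPORTS
  Export list for 127.0.0.1:
  /tmp/empty           *
  /tmp/star            *
  /tmp/us_netmask      10.1.1.1/255.255.255.0
  /tmp/not_us_netmask  1.1.1.1/255.255.255.0
  /tmp/us_subnet       10.1.1.1/24
  /tmp/not_us_subnet   1.1.1.1/24
  /tmp/us_ip           192.168.1.111
  /tmp/not_us_ip       1.1.1.1
  /tmp/us_hostname     bar
  /tmp/not_us_hostname foo
  /data/iso            0.0.0.0/0.0.0.0
  /srv/multi           1.1.1.1,foo,10.0.0.0/8
EXPORTS

# Plain IPv4 address, optionally followed by /prefixlen or /dotted.netmask.
IPV4_FILTER = /\A\d{1,3}(?:\.\d{1,3}){3}(?:\/(?:\d{1,2}|\d{1,3}(?:\.\d{1,3}){3}))?\z/

# Parse "showmount -e" style output into [[path, [filter, ...]], ...].
# showmount separates multiple client entries with commas; an empty list
# (or "(everyone)" on some versions) means the export is open to all.
def parse_exports(text)
  text.lines.filter_map do |line|
    next if line.start_with?('Export list')
    path, filters = line.strip.split(/\s+/, 2)
    next if path.nil? || path.empty?
    [path, (filters || '').split(',').map(&:strip).reject(&:empty?)]
  end
end

# Does one client entry admit a client with this IP and hostname?
def filter_matches?(filter, lhost, hostname)
  return true if filter == '*' || filter == '(everyone)'
  if filter.match?(IPV4_FILTER)
    # IPAddr accepts "a.b.c.d", "a.b.c.d/24" and "a.b.c.d/255.255.255.0",
    # masking the address so include? becomes a subnet membership test.
    IPAddr.new(filter).include?(IPAddr.new(lhost))
  else
    # Hostname entry; exports(5) allows shell-style wildcards such as *.lab.local.
    !hostname.empty? && File.fnmatch?(filter, hostname, File::FNM_CASEFOLD)
  end
end

# Mirror the Mountable option: no filters, a "*" filter, or any entry
# matching LHOST/HOSTNAME means the export is reported as mountable.
def mountable?(filters, lhost, hostname = '')
  return true if filters.empty?
  filters.any? { |f| filter_matches?(f, lhost, hostname) }
end

# Returns [[path, filters, mountable], ...] for every export in the listing.
def classify_exports(text, lhost, hostname = '')
  parse_exports(text).map { |path, filters| [path, filters, mountable?(filters, lhost, hostname)] }
end

if __FILE__ == $PROGRAM_NAME
  # Assumed scanner identity: LHOST 10.1.1.50, HOSTNAME bar.
  classify_exports(SAMPLE_EXPORTS, '10.1.1.50', 'bar').each do |path, filters, ok|
    puts format('%s %-20s [%s]', ok ? '[+]' : '[*]', path, filters.join(','))
  end
end
```

The [+]/[*] prefixes in the demo output follow the module's convention in the scenarios below: [+] for exports the scanner believes it can mount, [*] for exports that are listed but restricted to someone else.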

Verification Steps

  1. Install and configure NFS

  2. Start msfconsole

  3. Do: use auxiliary/scanner/nfs/nfsmount

  4. Do: run

Scenarios

A run against the configuration from these docs. Exports prefixed [+] are the ones the module judged mountable from its LHOST/HOSTNAME; [*] marks exports that are listed but restricted to another client:

```
msf > use auxiliary/scanner/nfs/nfsmount
msf auxiliary(nfsmount) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf auxiliary(nfsmount) > run

[+] 127.0.0.1:111 - 127.0.0.1 NFS Export: /tmp/empty [*]
[+] 127.0.0.1:111 - 127.0.0.1 NFS Export: /tmp/star [*]
[+] 127.0.0.1:111 - 127.0.0.1 NFS Export: /tmp/us_netmask [10.1.1.1/255.255.255.0]
[*] 127.0.0.1:111 - 127.0.0.1 NFS Export: /tmp/not_us_netmask [1.1.1.1/255.255.255.0]
[+] 127.0.0.1:111 - 127.0.0.1 NFS Export: /tmp/us_subnet [10.1.1.1/24]
[*] 127.0.0.1:111 - 127.0.0.1 NFS Export: /tmp/not_us_subnet [1.1.1.1/24]
[+] 127.0.0.1:111 - 127.0.0.1 NFS Export: /tmp/us_ip [192.168.1.111]
[*] 127.0.0.1:111 - 127.0.0.1 NFS Export: /tmp/not_us_ip [1.1.1.1]
[*] 127.0.0.1:111 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

Another example can be found at this source:

```
[*] Scanned 24 of 240 hosts (10% complete)
[+] 10.10.xx.xx NFS Export: /data/iso [0.0.0.0/0.0.0.0]
[*] Scanned 48 of 240 hosts (20% complete)
[+] 10.10.xx.xx NFS Export: /DataVolume/Public [*]
[+] 10.10.xx.xx NFS Export: /DataVolume/Download [*]
[+] 10.10.xx.xx NFS Export: /DataVolume/Softshare [*]
[*] Scanned 72 of 240 hosts (30% complete)
[+] 10.10.xx.xx NFS Export: /var/ftp/pub [10.0.0.0/255.255.255.0]
[*] Scanned 96 of 240 hosts (40% complete)
[+] 10.10.xx.xx NFS Export: /common []
```

Confirming

NFS has been around since 1989, with modern NFS (v4) released in 2000, so many other tools can also verify this configuration issue. The following industry tools can be used to confirm the scanner's findings.

nmap

```
nmap -p 111 --script=nfs-showmount 127.0.0.1

Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-12 19:41 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000037s latency).
PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-showmount:
|   /tmp/empty *
|   /tmp/star *
|   /tmp/us_netmask 10.1.1.1/255.255.255.0
|   /tmp/not_us_netmask 1.1.1.1/255.255.255.0
|   /tmp/us_subnet 10.1.1.1/24
|   /tmp/not_us_subnet 1.1.1.1/24
|   /tmp/us_ip 192.168.1.111
|_  /tmp/not_us_ip 1.1.1.1

Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
```

showmount

showmount is part of the nfs-common package on Debian-based systems.

```
showmount -e 127.0.0.1
Export list for 127.0.0.1:
/tmp/empty          *
/tmp/star           *
/tmp/us_netmask     10.1.1.1/255.255.255.0
/tmp/not_us_netmask 1.1.1.1/255.255.255.0
/tmp/us_subnet      10.1.1.1/24
/tmp/not_us_subnet  1.1.1.1/24
/tmp/us_ip          192.168.1.111
/tmp/not_us_ip      1.1.1.1
```

Exploitation

Exploiting this misconfiguration is trivial; however, exploitation does not necessarily give access (command execution) to the system. If a share is mountable, i.e. you are the IP listed in the filter (or can take over that address, for example by knocking the legitimate client offline with a DoS and assuming its IP), or the export is open to everyone (*), mounting is trivial. The following instructions were written for Kali Linux.

  1. Create a new directory to mount the remote volume to: mkdir /mnt/remote

  2. Use mount to link the remote volume to the local folder: mount -t nfs 127.0.0.1:/tmp/open_share /mnt/remote

The mount and its writability can now be tested:

  1. Write a file: echo "hello" > /mnt/remote/test

  2. The remote end now has the file locally:

```
cat /tmp/open_share/test
hello
```

  3. To unmount: umount /mnt/remote

At this point, it's time to hope for a file of value: code with hardcoded credentials, a passwords.txt, or an id_rsa. Note that what you can read depends on the server's uid mapping: with the default AUTH_SYS security the server trusts the uid the client presents, so creating a local user with a matching uid is enough to read that user's files, while root is mapped to an unprivileged account (root_squash) unless the export specifies no_root_squash.
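The hunt for a file of value after the mount steps above can be scripted. The following Ruby script is an added example written for these notes (not part of the Metasploit module): it walks a mounted export, flags files by suspicious name (SSH keys, password lists, key material, shell history), peeks at the head of the remaining files for private-key headers and credential-looking assignments, and records the owning uid of each hit, since the uid is what decides which local user you need to become to read it. When run without an argument it builds a constructed sample tree in a temporary directory standing in for /mnt/remote; the filename and content patterns are this example's own choices, not an exhaustive list.

```ruby
require 'find'
require 'fileutils'
require 'tmpdir'

# Filenames worth a look regardless of content (example patterns, not exhaustive).
INTERESTING_NAMES = [
  /\Aid_(rsa|dsa|ecdsa|ed25519)\z/i,
  /pass(word|wd)?s?\.(txt|lst|csv)\z/i,
  /\.(pem|key|p12|pfx|kdbx)\z/i,
  /\A\.(bash_history|netrc|pgpass|my\.cnf)\z/i,
].freeze
PRIVATE_KEY_HEADER = /-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----/.freeze
# "password = ...", "api_key: ..." and similar assignments in config or source.
CREDENTIAL_LINE = /(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*\S+/i.freeze
MAX_PEEK = 4096    # only the head of each file is inspected
MAX_SIZE = 1 << 20 # skip content checks on files over 1 MiB

# Walk a mounted export and return hits as {path:, reason:, uid:} hashes,
# sorted by path so the report is stable.
def triage_mount(root)
  hits = []
  Find.find(root) do |path|
    next unless File.file?(path)
    st = File.stat(path)
    name = File.basename(path)
    if INTERESTING_NAMES.any? { |re| name.match?(re) }
      hits << { path: path, reason: "filename #{name}", uid: st.uid }
      next
    end
    next if st.size > MAX_SIZE
    head = File.binread(path, MAX_PEEK)
    if head.match?(PRIVATE_KEY_HEADER)
      hits << { path: path, reason: 'private key header', uid: st.uid }
    elsif (m = head.match(CREDENTIAL_LINE))
      hits << { path: path, reason: "credential-looking line: #{m[0][0, 60]}", uid: st.uid }
    end
  end
  hits.sort_by { |h| h[:path] }
end

# Constructed sample tree standing in for a mounted export such as /mnt/remote.
# Contents are fake placeholders; two files are deliberately uninteresting.
def build_sample_export(dir)
  {
    'home/alice/.ssh/id_rsa' => "-----BEGIN OPENSSH PRIVATE KEY-----\nfake\n-----END OPENSSH PRIVATE KEY-----\n",
    'deploy/server.bak'      => "-----BEGIN RSA PRIVATE KEY-----\nfake\n-----END RSA PRIVATE KEY-----\n",
    'notes/passwords.txt'    => "wiki: hunter2\n",
    'www/config.php'         => "<?php\n$db_password = \"s3cret\";\n",
    'www/index.html'         => "<html>hello</html>\n",
    'www/logo.png'           => "\x89PNG\r\n\x1a\n".b + ("\x00" * 64).b,
  }.each do |rel, content|
    full = File.join(dir, rel)
    FileUtils.mkdir_p(File.dirname(full))
    File.binwrite(full, content)
  end
  dir
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby triage.rb /mnt/remote   (no argument: run against the sample tree)
  root = ARGV[0]
  hits = if root
           triage_mount(root)
         else
           Dir.mktmpdir('export') { |d| triage_mount(build_sample_export(d)) }
         end
  hits.each { |h| puts format('uid=%-6d %-50s %s', h[:uid], h[:path], h[:reason]) }
end
```

On a real mount the uid column is the part to read first: a hit owned by uid 1000 is readable by any local user with uid 1000, whereas a hit owned by root is only reachable if the export was configured with no_root_squash.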