Path: blob/master/documentation/modules/auxiliary/scanner/nfs/nfsmount.md
## Vulnerable Application

NFS is very common, and this scanner searches for a mis-configuration, not a vulnerable software version. Installation instructions for NFS can be found for every operating system. The Ubuntu instructions can be used as an example for installing and configuring NFS. The following was done on Kali Linux:

1. `apt-get install nfs-kernel-server`
2. Create folders to share and add them to exports (adjust 192.168.1.x as needed):
3. Restart the service: `service nfs-kernel-server restart`
## Options

**PROTOCOL**

Which networking protocol to use. Options are `udp` and `tcp`. Defaults to `udp`.

**LHOST**

IP to match shares against if `Mountable` is true. Defaults to the detected local IP address.

**HOSTNAME**

Hostname to match shares against if `Mountable` is true. Defaults to the empty string.

## Advanced Options

**Mountable**

Determine if an export is mountable based on `LHOST` and `HOSTNAME`. Defaults to `true`. Pre-2022 behavior was `false`.
## Verification Steps

1. Install and configure NFS
2. Start msfconsole
3. Do: `use auxiliary/scanner/nfs/nfsmount`
4. Do: `run`
## Scenarios

### A run against the configuration from these docs

Another example can be found at this source:
## Confirming

Since NFS has been around since 1989, with modern NFS (v4) being released in 2000, there are many tools which can also be used to verify this configuration issue. The following industry tools can also be used.

### nmap

### showmount

`showmount` is a part of the `nfs-common` package for Debian.
## Exploitation

Exploiting this mis-configuration is trivial; however, exploitation doesn't necessarily give access (command execution) to the system. If a share is mountable, i.e. you either are the IP listed in the filter (or could assume it through a DoS), or it is open (`*`), mounting is trivial. The following instructions were written for Kali Linux.

1. Create a new directory to mount the remote volume to: `mkdir /mnt/remote`
2. Use `mount` to link the remote volume to the local folder: `mount -t nfs 127.0.0.1:/tmp/open_share /mnt/remote`

The mount and its writability can now be tested:

1. Write a file: `echo "hello" > /mnt/remote/test`
2. The remote end now has the file locally:

To unmount: `umount /mnt/remote`

At this point, it's time to hope for a file of value. Maybe code with hardcoded credentials, a `passwords.txt`, or an `id_rsa`.