# NFS (2049, 111)


## Nmap

```shell-session
nmap 10.129.14.128 -p111,2049 -sV -sC
```

```shell-session
nmap --script "nfs*" 10.129.14.128 -sV -p111,2049
```

```
[Apr 05, 2024 - 02:07:39 (EDT)] exegol-CPTS /workspace # locate -r nse$|grep nfs
/usr/share/nmap/scripts/nfs-ls.nse
/usr/share/nmap/scripts/nfs-showmount.nse
/usr/share/nmap/scripts/nfs-statfs.nse
```

## Dangerous settings

| **Option**       | **Description**                                                                                                      |
| ---------------- | -------------------------------------------------------------------------------------------------------------------- |
| `rw`             | Read and write permissions.                                                                                          |
| `insecure`       | Requests from client source ports above 1024 (unprivileged ports) are accepted.                                      |
| `nohide`         | If another file system was mounted below an exported directory, this directory is exported by its own exports entry. |
| `no_root_squash` | All files created by root are kept with the UID/GID 0.                                                               |
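
To check a server's own `/etc/exports` for the options in the table, this added example (not from the original page) parses exports(5) syntax and reports each dangerous option per client. The sample file and the function names are constructed for illustration; the check also covers the `host (opts)` spacing mistake, where the options apply to every client.

```python
import re

# The four export options the table above flags, spelled as in exports(5).
DANGEROUS = {
    "rw": "read and write permissions",
    "insecure": "requests from ports above 1024 accepted",
    "nohide": "file system mounted below an exported directory",
    "no_root_squash": "root-created files keep UID/GID 0",
}
# host(opt,opt,...); an empty host means the options apply to every client.
CLIENT_RE = re.compile(r"([^\s()]*)\(([^)]*)\)")

# Constructed sample, not taken from any real server.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed)
/mnt/nfs     10.129.14.0/24(rw,sync,no_root_squash)
/srv/backup  10.129.14.10(ro,sync,root_squash) \\
             10.129.14.11(rw,insecure)
/var/nfs     10.129.14.0/24
/home        10.129.14.20 (rw,nohide)
"""

def logical_lines(text):
    """Drop comments and join backslash-continued lines."""
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = (pending + line).strip(), ""
        if line:
            yield line

def audit_exports(text):
    """Return (path, client, option) for each dangerous option in the file."""
    findings = []
    for line in logical_lines(text):
        path, *rest = line.split(None, 1)
        for host, opts in CLIENT_RE.findall(" ".join(rest)):
            for opt in (o.strip() for o in opts.split(",")):
                if opt in DANGEROUS:
                    # "host (opts)" with a space exports to the world: shown as "*".
                    findings.append((path, host or "*", opt))
    return findings

if __name__ == "__main__":
    for path, client, opt in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {opt} ({DANGEROUS[opt]})")
```

Exports with no option list, such as `/var/nfs 10.129.14.0/24`, use the defaults and produce no finding.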

## Available NFS Shares

```shell-session
$ showmount -e 10.129.14.128

Export list for 10.129.14.128:
/mnt/nfs 10.129.14.0/24
```

### NXC

```
nxc nfs [IP] --shares
```

```
nxc nfs [IP] --enum-shares
```

{% embed url="<https://x.com/al3x_n3ff/status/1841847132128415930/photo/1>" %}

### NFS Security Tooling

{% embed url="<https://www.hvs-consulting.de/en/nfs-security-identifying-and-exploiting-misconfigurations/>" %}

{% embed url="<https://github.com/hvs-consulting/nfs-security-tooling>" %}

## Mounting NFS share

```shell-session
$ mkdir target-NFS
$ sudo mount -t nfs 10.129.14.128:/ ./target-NFS/ -o nolock
$ cd target-NFS
$ tree .

.
└── mnt
    └── nfs
        ├── id_rsa
        ├── id_rsa.pub
        └── nfs.share

2 directories, 3 files
```

/!\ Does not work under Exegol; works under Ubuntu:

```
osboxes@osboxes:~/Desktop$ sudo apt-get install nfs-common
osboxes@osboxes:~/Desktop$ sudo mount -t nfs 10.129.202.5:/ ./target-NFS/
osboxes@osboxes:~/Desktop$ tree target-NFS/
target-NFS/
├── mnt
│   └── nfsshare
│       └── flag.txt
└── var
    └── nfs
        └── flag.txt

5 directories, 2 files

```

## Unmounting

```shell-session
0xss0rz@htb[/htb]$ cd ..
0xss0rz@htb[/htb]$ sudo umount ./target-NFS
```

If "Device is busy": `sudo umount -l ./Desktop/target-NFS`

## Upload / Download File with NetExec

```
NetExec nfs <ip> --get-file /home/user/Desktop/test/test.txt test.txt
```

```
NetExec nfs <ip> --put-file test2.txt /home/user/Desktop/
```

## NFS Data Extraction

{% content-ref url="/pages/U8eqdKM6nZf8itEk6Q6C" %}
[Network Attacks](/0xss0rz/pentest/internal-pentest/network-attacks.md)
{% endcontent-ref %}

