# NFS

**NFS (Network File System)** is a protocol that allows a system to share directories and files with others over a network. It’s mainly used in internal networks to share files between systems easily.

For example, a company might use NFS to let multiple servers or departments access shared documents or configuration files from a central file server.

* Easy for admins to manage shared files
* Dangerous if misconfigured – attackers can mount and access private files

## Default Ports

* **TCP/UDP 2049** – Main NFS port
* Others include 111 (rpcbind/portmapper) and 20048 (mountd), depending on the NFS version and configuration

## NFS in Our Lab

We’ve configured NFS on the lab machine with **misconfigurations on purpose**, so you can practice exploiting them.

Here’s what we did:

* Shared a directory: `/srv/nfs/private_data`
* Allowed **anonymous access** to everyone on the network (`*`)
* Made it **read-write** (`rw`)
* Disabled root protection using `no_root_squash` (which lets attackers act as root!)

Inside the shared folder, we added some files like:

* `aws_keys.txt` → fake API keys
* `db_creds.txt` → fake database username/password
* `secret_flag.txt` → contains a flag
* `vpn_config.ovpn`, `user_backup.sql`, etc.

These are meant to look like real, sensitive files a pentester or attacker would love to find.

## Enumeration

The very first thing we do is **scan the target machine** to see if NFS is running. For this, we use the well-known tool `nmap`.

```bash
❯ nmap enumlikeapro.nca -T4 -sCV -p 2049
PORT     STATE SERVICE VERSION
2049/tcp open  nfs     3-4 (RPC #100003)
```

If NFS is active, you’ll get output showing that **port 2049 is open** and the service is identified as NFS.

## Enumerating Exported Shares

Once we know NFS is up, the next step is to see **what directories it is sharing with the network**. This is called an “export”.

Use the `showmount` tool to list what’s available:

```bash
❯ showmount -e enumlikeapro.nca
Export list for enumlikeapro.nca:
/srv/nfs/private_data *
```

Here, `/srv/nfs/private_data` is the directory being shared. The `*` means **it’s shared with everyone — no restriction on IP address**, which is a red flag in terms of security.
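The wildcard shown by `showmount` corresponds to a `*` client in the server's `/etc/exports`. As an added example (not part of the original page), the following script parses `/etc/exports` lines and flags the three weaknesses the lab share was configured with: a wildcard client, `rw`, and `no_root_squash`. The export lines are constructed samples; the second one is a hardened variant of the same share.

```python
"""Audit /etc/exports entries for wildcard clients, rw and no_root_squash."""
import re
from typing import Dict, List, Set

# Constructed sample: the lab's weak export followed by a hardened version.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/srv/nfs/private_data *(rw,sync,no_subtree_check,no_root_squash)
/srv/nfs/private_data 10.10.0.0/24(ro,sync,root_squash,no_subtree_check)
"""

CLIENT_SPEC = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text: str) -> List[Dict]:
    """Return one record per path/client pair: {'path', 'client', 'opts'}."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_SPEC.fullmatch(spec)
            if m is None:
                raise ValueError(f"malformed client spec: {spec!r}")
            # A bare "(rw)" (space before the options) applies to every host.
            client = m.group(1) or "*"
            opts: Set[str] = set(filter(None, (m.group(2) or "").split(",")))
            records.append({"path": path, "client": client, "opts": opts})
    return records


def audit_export(rec: Dict) -> List[str]:
    """Flag the weaknesses the lab share exhibits; empty list means clean."""
    findings = []
    if rec["client"] == "*":
        findings.append("wildcard client: any host on the network may mount")
    if "rw" in rec["opts"]:
        findings.append("rw: clients can modify files on the share")
    if "no_root_squash" in rec["opts"]:
        findings.append("no_root_squash: remote root keeps uid 0 on the share")
    return findings


def audit_exports(text: str) -> Dict[str, List[str]]:
    """Map 'path client' to its findings for every entry in an exports file."""
    return {f"{r['path']} {r['client']}": audit_export(r) for r in parse_exports(text)}


if __name__ == "__main__":
    for entry, issues in audit_exports(SAMPLE_EXPORTS).items():
        print(entry, "->", issues or ["OK"])
```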

## Mounting the NFS Share

Now that we know a shared directory is available, we can **mount it** to our local machine. Mounting is like linking that remote folder to your local system so that you can open and interact with it just like any other directory.

```bash
# First create a directory to mount the export
❯ sudo mkdir /tmp/mount_private_data

# The following command mounts the export to the /tmp/mount_private_data directory
❯ sudo mount -t nfs enumlikeapro.nca:/srv/nfs/private_data /tmp/mount_private_data
```

* This mounts the NFS directory to `/tmp/mount_private_data` on your local machine.
* If the export allows it (like in our misconfigured setup), it will mount without asking for credentials.

Now check the files:

```bash
❯ exa /tmp/mount_private_data --tree
/tmp/mount_private_data
├── aws_keys.txt
├── config.php
├── db_creds.txt
├── internal_docs.pdf
├── secret_flag.txt
├── user_backup.sql
└── vpn_config.ovpn
```

## Interacting with the Files

You can now read and even modify the files:

```bash
❯ cat /tmp/mount_private_data/config.php
username=admin
password=supersecurepass
```

If the share is writable, you can also:

```bash
❯ echo "H4CK3D Y0UUU" > /tmp/mount_private_data/hacked.txt
❯ ls -la /tmp/mount_private_data/hacked.txt               
-rw-rw-r-- 1 rezy rezy 13 May 23 23:40 /tmp/mount_private_data/hacked.txt
```

That’s because of **read-write permissions and lack of root protection** (`no_root_squash`). In this setup, you’re effectively acting as a remote root user — a massive security risk.

Because the share is exported with `no_root_squash`, we can upload a SUID binary that performs malicious actions (for example, one that makes `/bin/bash` a SUID binary) and then run it to get an **elevated (root) shell**. Many misconfigurations like this can be used for **privilege escalation**; we'll cover these more advanced techniques in a later section.
