07 Apr, 2023

Network File System (NFS)

NFS (Network File System) is a distributed file system protocol that allows a user on a client computer to access files over a network as if those files were stored locally. The protocol was developed by Sun Microsystems in the 1980s and has since become a popular way of sharing files and data across a network of computers.

NFS common ports

Port 2049: This is the default port used for NFS file sharing.

Port 111: This port is used by the portmapper (rpcbind) service, which helps to map RPC (Remote Procedure Call) requests to the appropriate service ports.

Port 32767: This port is used by the lockd service, which provides file locking and unlocking services for NFS file systems.

Port 892: This port is used by the mountd service, which is responsible for mounting and unmounting NFS file systems.

Port 875: This port is used by the rquotad service, which provides disk quota information for NFS file systems.

Standard commands from unauthorised users

mount -t nfs 213.184.24.4:/tmp/open_share /mnt/remote

Recon or non-standard commands

nmap -sV --script=nfs-statfs <target>

Show hosts

showmount 61.218.215.132

List mounts

auxiliary/scanner/nfs/nfsmount

nmap -sV --script=nfs-showmount <target>

showmount -e 213.184.24.4

List both the client hostname or IP address and the mounted directory (this information can be inaccurate)

showmount -a 213.184.24.4 

Try to list files

https://github.com/hegusung/RPCScan

rpc-scan.py <host/host_range> --nfs --recurse 3

and 

mount -t nfs 213.184.24.4:/tmp/open_share /mnt/remote

cd /mnt/remote

ls

cat etc/passwd

cat etc/shadow

cat etc/exports

Null session connection

showmount -e 213.184.24.4

Bruteforce connection

UID spoofing https://github.com/bonsaiviking/NfSpy, reference 

Run exploits

exploit/windows/nfs/xlink_nfsd (unable to find server to test)

exploit/netware/sunrpc/pkernel_callit

https://www.exploit-db.com/exploits/14407

Tools for using protocol NFS

Manual Tools:

  • nfsstat: A command-line tool that displays information about the status of an NFS server.

  • showmount: A command-line tool that displays the list of NFS exports on a server.

  • mount: A command-line tool that mounts an NFS export on a client system.

  • umount: A command-line tool that unmounts an NFS export from a client system.

  • nfsiostat: A command-line tool that displays I/O statistics for an NFS server.

  • NFSWatch: A tool that monitors NFS traffic and displays it in a user-friendly manner.

  • Autotest-NFS: A tool that automates the testing of NFS file systems and can be used for regression testing.

Automated Tools:

  • NfSpy: A tool that can be used to mount and interact with NFS exports on remote systems.

  • NFSTest: A tool that tests the performance and reliability of NFS file systems.

  • nmap: A network scanner that can be used to discover NFS services and perform basic security checks.

  • Nessus: A vulnerability scanner that can be used to test for security vulnerabilities in NFS servers.

  • OpenVAS: A network vulnerability scanner that includes a module for testing NFS servers.

  • Metasploit Framework: A penetration testing tool that includes modules for testing NFS servers for vulnerabilities.

  • Hydra: A password cracking tool that can be used to crack NFS server passwords.

  • CrackMapExec: A penetration testing tool that can be used to test for vulnerabilities in NFS servers and automate password cracking.

  • NfSen: A tool that provides real-time network traffic analysis for NFS servers.

  • FSlint: A tool that can be used to find and remove duplicate files on NFS file systems.

Last five known CVE for NFS

  • CVE-2023-1652: A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the Linux Kernel. This issue could allow a local attacker to crash the system or it may lead to a kernel information leak problem.

  • CVE-2023-0417: Memory leak in the NFS dissector in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 allows denial of service via packet injection or crafted capture file.

  • CVE-2022-46701: The issue was addressed with improved bounds checks. This issue is fixed in iOS 16.2 and iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2. Connecting to a malicious NFS server may lead to arbitrary code execution with kernel privileges.

  • CVE-2022-46174: efs-utils is a set of Utilities for Amazon Elastic File System (EFS). A potential race condition issue exists within the Amazon EFS mount helper in efs-utils versions v1.34.3 and below. When using TLS to mount file systems, the mount helper allocates a local port for stunnel to receive NFS connections prior to applying the TLS tunnel. In affected versions, concurrent mount operations can allocate the same local port, leading to either failed mount operations or an inappropriate mapping from an EFS customer’s local mount points to that customer’s EFS file systems. This issue is patched in version v1.34.4. There is no recommended work around. We recommend affected users update the installed version of efs-utils to v1.34.4 or later.

  • CVE-2022-45101: Dell PowerScale OneFS 9.0.0.x – 9.4.0.x, contains an Improper Handling of Insufficient Privileges vulnerability in NFS. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure and remote execution.

Useful information

– Stands for Network File System and it is a protocol used for sharing files and directories among different systems in a network.

– Originally developed by Sun Microsystems and was released in 1984 as part of their Open Network Computing (ONC) project.

– Network File System uses Remote Procedure Call (RPC) to communicate between the client and server.

– NFS is a stateless protocol, which means that the server does not keep track of the state of the client. This makes it easier to implement load balancing and failover.

– Secured using a variety of authentication mechanisms, such as Kerberos, Secure RPC, and Network Information Service (NIS).

– Latest version of NFS and it provides improved security, performance, and features such as support for file locking and extended attributes.

– Supports the use of IPv6 and provides better support for wide area networks (WANs) and high-latency networks.

– Used on a variety of operating systems, including Linux, Unix, macOS, and Windows.

– Performance can be improved by using dedicated NFS hardware, such as network interface cards (NICs), storage area networks (SANs), and solid-state drives (SSDs).

– Can be used in a variety of scenarios, such as web servers, file servers, and high-performance computing (HPC) clusters.

Known banners

“Welcome to the NFS server” – This banner is typically displayed when connecting to an NFS server.

“rpc.nfsd: server localhost not responding, timed out” – This banner indicates that the NFS server is not responding.

“mountd: authenticated mount request from” – This banner indicates that a mount request has been successfully authenticated.

“RPC: Program not registered” – This banner indicates that the requested NFS program is not registered on the server.

“nfsd: last server has exited, flushing export cache” – This banner indicates that the NFS server has exited and is flushing its export cache.

“rpcinfo: RPC: Program/version mismatch” – This banner indicates that there is a mismatch between the client and server versions of the requested NFS program.

“showmount: RPC: Port mapper failure – RPC: Timed out” – This banner indicates that there is a problem with the port mapper.

“rpc.mountd: getfh failed: Operation not permitted” – This banner indicates that the client does not have the necessary permissions to perform the requested operation.

“nfs: server not responding, still trying” – This banner indicates that the client is still trying to connect to the NFS server.

“mount: RPC: Remote system error” – This banner indicates that there is an error with the remote system when trying to mount an NFS share.
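The "authenticated mount request from" message above is written to syslog by rpc.mountd, which makes it a usable signal for spotting mounts from clients you do not recognise. The following is an added example, not code from this page: the log lines are constructed in mountd's message style, and the `review` function, its alert names and the 10.0.5.0/24 "known" network are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed syslog lines modelled on rpc.mountd messages; hosts, PIDs and
# addresses are made up, /tmp/open_share is the share name used on this page.
SAMPLE_LOG = """\
Apr  7 09:12:01 nfs01 rpc.mountd[812]: authenticated mount request from 10.0.5.21:901 for /srv/projects (/srv/projects)
Apr  7 09:14:40 nfs01 rpc.mountd[812]: authenticated mount request from 203.0.113.50:1003 for /tmp/open_share (/tmp/open_share)
Apr  7 09:15:02 nfs01 rpc.mountd[812]: refused mount request from 198.51.100.7 for /etc (/): not exported
Apr  7 09:15:03 nfs01 rpc.mountd[812]: refused mount request from 198.51.100.7 for /home (/): not exported
Apr  7 09:15:05 nfs01 rpc.mountd[812]: refused mount request from 198.51.100.7 for /root (/): not exported
Apr  7 09:20:11 nfs01 rpc.mountd[812]: refused mount request from 10.0.5.30 for /srv/hr (/srv/hr): unmatched host
"""

# IPv4 only, with an optional ":port" after the address (assumption of this sketch).
MOUNT_RE = re.compile(
    r"mountd\[\d+\]: (?P<verdict>authenticated|refused) mount request from "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)(?::\d+)? for (?P<path>\S+)")

def review(log_text, known_nets, refused_threshold=3):
    """Return alerts for mounts from unknown networks and repeated refusals."""
    nets = [ipaddress.ip_network(n) for n in known_nets]
    refused, alerts = Counter(), []
    for line in log_text.splitlines():
        m = MOUNT_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        if m["verdict"] == "refused":
            refused[str(ip)] += 1            # count denials per source
        elif not any(ip in net for net in nets):
            alerts.append(("unfamiliar-client", str(ip), m["path"]))
    alerts += [("repeated-refusals", ip, count)
               for ip, count in refused.items() if count >= refused_threshold]
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG, ["10.0.5.0/24"]):
        print(*alert, sep="  ")
```

NFSv4 clients do not go through mountd, so this log source only covers NFSv3 (and older) mounts.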

Books for studying the Network File System (NFS) protocol

Implementing NFSv4: The Complete Guide to Network File System by Brent Callaghan – This book provides a comprehensive guide to implementing NFSv4, covering topics like authentication, security, performance tuning, and troubleshooting.

Network File System: Building Scalable and High-Performance Networks by Gary Sims – This book is a practical guide to building scalable and high-performance networks using NFS, covering topics like configuration, tuning, and optimization.

NFS Illustrated by Brent Callaghan – This book provides a detailed explanation of how NFS works, including its protocols, data structures, and algorithms.

Linux NFS and Automounter Administration by Erez Zadok and Amanda Regan – This book is a practical guide to NFS administration on Linux systems, covering topics like configuration, tuning, and security.

Solaris 10 ZFS Essentials by Scott Watanabe and Jeff Victor – This book provides an introduction to ZFS, a filesystem that supports NFS and other protocols, and covers topics like installation, configuration, and management.

NFS Troubleshooting Guide for Sun Solaris by Ranjit Nayak – This book is a troubleshooting guide for NFS issues on Sun Solaris systems, covering topics like NFS configuration, client and server issues, and performance tuning.

NFS and NIS for Linux and UNIX by Brian D. Jepson and Jeremy Reed – This book is a practical guide to using NFS and NIS on Linux and UNIX systems, covering topics like configuration, authentication, and security.

Managing NFS and NIS by Hal Stern, Mike Eisler, and Ricardo Labiaga – This book is a comprehensive guide to managing NFS and NIS environments, covering topics like installation, configuration, security, and performance tuning.

Network File System (NFS) Configuration in AIX 5L by IBM Redbooks – This book is a guide to configuring NFS on AIX 5L systems, covering topics like NFS server and client configuration, security, and troubleshooting.

NFS Configuration and Performance Tuning for HP-UX by HP Education and Training – This book is a guide to configuring and tuning NFS on HP-UX systems, covering topics like NFS server and client configuration, performance tuning, and troubleshooting.

List of payloads for the Network File System (NFS) protocol

  • Read payload: A payload that contains a request to read data from a file or directory on an NFS server.

  • Write payload: A payload that contains a request to write data to a file or directory on an NFS server.

  • File attributes payload: A payload that contains attributes of a file or directory, such as ownership, permissions, and timestamps.

  • Directory listing payload: A payload that contains a list of files and directories in a given directory on an NFS server.

  • Lock payload: A payload that contains a request to lock or unlock a file or portion of a file on an NFS server.

  • Mount payload: A payload that contains a request to mount a file system on an NFS client.

  • Export payload: A payload that contains a list of file systems that are exported by an NFS server.

  • Error payload: A payload that contains an error message in response to an RPC call that failed.

  • Authentication payload: A payload that contains authentication information for a client attempting to access an NFS server.

  • Performance payload: A payload that contains performance data for an NFS server, such as the number of operations per second and the response time for each operation.

Mitigation

  1. NFSv4 includes several security improvements over previous versions of NFS, including stronger authentication mechanisms, support for mandatory access control (MAC) systems, and the ability to encrypt data in transit.

  2. Secure RPC, also known as RPCSEC_GSS, provides authentication and encryption for RPC messages used in NFS. It uses the Generic Security Services Application Programming Interface (GSS-API) to negotiate a secure communication channel between the client and server.

  3. Use strong authentication mechanisms, such as Kerberos or LDAP, to authenticate NFS clients.

  4. Use secure communication channels, such as SSL/TLS or IPSec, to protect NFS traffic from eavesdropping and tampering.

  5. Configure the NFS server to limit access to specific clients or subnets. This can help prevent unauthorized access to NFS resources.

  6. Use access control mechanisms, such as file permissions and access control lists (ACLs), to control access to NFS resources.

  7. Use encryption to protect sensitive data stored on NFS shares. For example, use file-level encryption to protect individual files, or disk-level encryption to protect entire file systems.

  8. Disable root access to NFS shares unless absolutely necessary. This can help prevent attackers from gaining full control of the NFS server.

  9. Keep the NFS server and client software up to date with the latest security patches and updates to address any known vulnerabilities.

  10. Monitor NFS activity for signs of unauthorized access, such as unusual file access patterns or access attempts from unfamiliar IP addresses.
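Items 5 and 8 above (restrict clients, keep root squashed) and the UID-spoofing risk mentioned earlier can all be checked directly in the server's /etc/exports. The following is an added example, not code from this page or from any NFS project: it parses exports(5) syntax and reports world-accessible entries, `no_root_squash`, `insecure`, and exports that still accept AUTH_SYS. The sample file is constructed, and the finding names are assumptions of this sketch.

```python
import re

# Constructed sample in exports(5) syntax; /tmp/open_share is the share name
# used on this page, every other path, host and network is made up.
SAMPLE = r"""
/tmp/open_share  *(rw,no_root_squash)
/srv/projects    10.0.5.0/24(rw,sec=krb5p)
/home            build01.example.internal (rw)
/srv/dist        10.0.5.0/24(ro,insecure) \
                 10.0.6.7(ro)
"""

# One token per entry: "client(opts)", a bare "(opts)", or a bare word.
TOKEN = re.compile(r"([^\s()]*)\(([^)]*)\)|(\S+)")
WORLD = {"", "*", "0.0.0.0/0", "::/0"}  # "" = bare "(opts)", i.e. any host
RISKY = ("no_root_squash", "insecure")

def parse_exports(text):
    """Yield (path, client, options) for every client entry."""
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        parts = line.split("#", 1)[0].split(None, 1)     # drop comments
        if len(parts) < 2:
            continue
        path, defaults = parts[0], set()
        for m in TOKEN.finditer(parts[1]):
            client, opts, bare = m.groups()
            if bare and bare.startswith("-"):            # "-opt,opt" defaults
                defaults = set(bare[1:].split(","))
                continue
            explicit = {o.strip() for o in (opts or "").split(",") if o.strip()}
            yield path, bare or client, defaults | explicit

def audit(text):
    """Return (path, client, finding) tuples for weak export settings."""
    findings = []
    for path, client, opts in parse_exports(text):
        who = client or "*"
        if client in WORLD:
            kind = "world-writable" if "rw" in opts else "world-readable"
            findings.append((path, who, kind))
        findings += [(path, who, o) for o in RISKY if o in opts]
        # AUTH_SYS (the default) trusts the UID/GID the client sends.
        flavors = [f for o in opts if o.startswith("sec=") for f in o[4:].split(":")]
        if not flavors or "sys" in flavors:
            findings.append((path, who, "auth_sys"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  ")
```

The `/home` line shows the classic mistake the parser is written to catch: a space before `(rw)` gives the named host only default options and exports the directory read-write to everyone.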

Conclusion

Network File System (NFS) is a widely used protocol for file sharing over a network. However, it can introduce several security risks if not properly secured. By implementing mitigation strategies such as using the latest version of NFS, using strong authentication mechanisms, limiting access to NFS resources, and monitoring NFS activity, organizations can significantly improve the security of their NFS environment. Additionally, it’s important to regularly update NFS software and to use encryption and access control mechanisms to further protect sensitive data. By taking these steps, organizations can mitigate many of the security risks associated with NFS and help ensure the confidentiality, integrity, and availability of their data.
