Enumerating NFS
Let's Get Started
Before we begin, make sure to deploy the room and give it some time to boot. Please be aware, this can take up to five minutes so be patient!
What is Enumeration?
Enumeration is defined as "a process which establishes an active connection to the target hosts to discover potential attack vectors in the system, and the same can be used for further exploitation of the system." - Infosec Institute. It is a critical phase when considering how to enumerate and exploit a remote machine, as the information you will use to inform your attacks will come from this stage.
Requirements
In order to do more advanced enumeration of the NFS server and its shares, we're going to need a few tools. The first of these, which is key to interacting with any NFS share from your local machine, is nfs-common.
NFS-Common
It is important to have this package installed on any machine that uses NFS, either as client or server. It includes programs such as: lockd, statd, showmount, nfsstat, gssd, idmapd and mount.nfs. Primarily, we are concerned with "showmount" and "mount.nfs", as these are going to be most useful to us when it comes to extracting information from the NFS share. If you'd like more information about this package, feel free to read: https://packages.ubuntu.com/xenial/nfs-common. You can install nfs-common using "sudo apt install nfs-common". It is part of the default repositories for most Linux distributions, such as the Kali Remote Machine that is provided to TryHackMe subscribers.
Port Scanning
Port scanning has been covered many times before, so I'll only cover the basics that you need for this room here. If you'd like to learn about nmap in more detail, please have a look at the nmap room.
The first step of enumeration is to conduct a port scan to find out as much information as you can about the services, open ports and operating system of the target machine. You can go as in-depth as you like on this; however, I suggest using nmap with the -A and -p- tags.
Mounting NFS shares
Your client’s system needs a directory where all the content shared by the host server in the export folder can be accessed. You can create this folder anywhere on your system. Once you've created this mount point, you can use the "mount" command to connect the NFS share to the mount point on your machine. Like so:
sudo mount -t nfs IP:share /tmp/mount/ -o nolock
Let's break this down
Tag          Function
sudo         Run as root
mount        Execute the mount command
-t nfs       Type of device to mount, then specifying that it's NFS
IP:share     The IP Address of the NFS server, and the name of the share we wish to mount
-o nolock    Specifies not to use NLM locking
Now we understand our tools, let's get started!
Conduct a thorough port scan of your choosing. How many ports are open?
Which port contains the service we're looking to enumerate?
Now, use /usr/sbin/showmount -e [IP] to list the NFS shares. What is the name of the visible share?
Time to mount the share to our local machine!
First, use "mkdir /tmp/mount" to create a directory on your machine to mount the share to. This is in the /tmp directory- so be aware that it will be removed on restart.
Then, use the mount command we broke down earlier to mount the NFS share to your local machine. Change directory to where you mounted the share. What is the name of the folder inside?
Have a look inside this directory and look at the files. Looks like we're inside a user's home directory...
Interesting! Let's do a bit of research now. Have a look through the folders. Which of these folders could contain keys that would give us remote access to the server?
Which of these keys is most useful to us?
Copy this file to a different location on your local machine, and change the permissions to "600" using "chmod 600 [file]".
Assuming we were right about what type of directory this is, we can pretty easily work out the name of the user this key corresponds to.
Can we log into the machine using ssh -i <key-file> <username>@<ip>? (Y/N)
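The exposure this walkthrough relies on, a share that any host can mount and that contains a user's SSH private key, can be checked for on the NFS server itself. The script below is an added example, not part of the original room: it parses `showmount -e` output and searches each world-mountable export for private keys. Its function names, paths and sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original room. Paths and sample data are constructed.

# Read `showmount -e` output on stdin; print exports that any host may mount.
# Assumes export paths contain no spaces.
open_exports() {
  awk 'NR > 1 {                      # line 1 is the "Export list for ..." header
    n = split($2, clients, ",")      # column 2 is a comma-separated client list
    for (i = 1; i <= n; i++)
      if (clients[i] == "*" || clients[i] == "(everyone)") { print $1; next }
  }'
}

# Print files inside .ssh directories below $1 that start with a private-key header.
exposed_keys() {
  find "$1" -type f -path '*/.ssh/*' -exec sh -c '
    for f; do
      if head -n 1 "$f" | grep -q -e "-----BEGIN [A-Z ]*PRIVATE KEY-----"; then
        printf "%s\n" "$f"
      fi
    done' sh {} +
}

# showmount output on stdin -> one line per private key reachable via an open export.
audit() {
  open_exports | while IFS= read -r path; do
    exposed_keys "$path" | while IFS= read -r key; do
      printf 'open export %s exposes %s\n' "$path" "$key"
    done
  done
}

# Constructed demo: a throwaway export tree plus matching fake showmount output.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/users/alice/.ssh" "$root/restricted/bob/.ssh"
  for u in users/alice restricted/bob; do
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' > "$root/$u/.ssh/id_rsa"
  done
  printf '%s\n' 'ssh-rsa constructed alice@example' > "$root/users/alice/.ssh/id_rsa.pub"
  printf 'Export list for 192.0.2.10:\n%s *\n%s 192.0.2.0/24\n' \
    "$root/users" "$root/restricted" | audit
  rm -rf "$root"
}
demo
```

On the NFS server, where exported paths are local paths, the same check runs as `showmount -e localhost | audit`.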