NFS Enumeration

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
21 hours 43 minutes
Difficulty
Intermediate
CEU/CPE
22
Video Transcription
00:00
NFS enumeration
00:03
are learning objectives are to understand what NFS is used for and demonstrate how to enumerate nFS.
00:09
So NFS stands for network file system was developed back in 1984 by Sun Microsystems is kind of like SMB in that it allows you to interact remotely with directories and files on a remote host.
00:26
Um You can also mount it to your file system, which I'll demonstrate later.
00:31
Uh so it's an open standard. Um anyone can use it and we have a bunch of different tools we can use to enumerate the service as you can see here. We're using Rpc info and we're looking at the different ports, so, you know, we can use End Map as well. But here rpc info is telling us some ports that
00:51
are in use by NFS
00:54
and you'll see both TCP and udp.
00:58
Mhm.
01:00
All right. Like I said, um you know, we use SMB client for SMB here, we're actually mounting the shares directly onto our machine are Cali machine
01:12
and you can see here we're using show mount tak E to see which which directories that we have access to. In this case we have access to all of them. And I'll say please pay attention because you're actually gonna be using this in the lab.
01:26
So once you show mountain, you can see which directories you can mount. Then what you're going to do is you're going to make a directory in your mount directory. Um actually mount that share um onto your machine and then you actually have access to that remote system.
01:49
So then what you can do is once you have access to that remote system you can interact uh and ultimately get access to that machine. As we can see here. Um We are making an ssh key,
02:02
we are putting that into the remote hosts authorized keys
02:07
um file
02:10
and then um mounting uh mount nfs and then using ssh to get onto that machine.
02:17
So I'm going to show that to you in a demo. Now.
02:24
I did want to mention though, before the demo that simply mounting shares,
02:30
it's not enough, you know, SCP to consider getting a shell on a road system. You actually do have to get a shell. So just because you can see files on the road system doesn't mean you've owned that system.
02:47
All right. So here's the demo we're gonna do is we're going to look at our pc info attack P and our our host that we're looking at enumerating
03:00
and you can see here
03:01
we have that port mapper service I referenced in the other slide. We have TCP and UDP. We also have N. F s, both UDP and TCP on port 2049.
03:15
So now we're gonna use show amount to see what we have access to.
03:23
I'll clear this
03:25
well you show Mtac E and you can see have access to everything, which is great.
03:31
Everything meaning the whole directory structure of this remote host.
03:40
So what I'm gonna do now is make a directory in my
03:44
mount directory called NFS
03:47
or exists, I've already done it for you. You'll you'll make this directory, you can call it whatever you want. It doesn't have to be NFS.
03:57
Now we're gonna do is mount it
04:00
meaning mount that remote host into this mount Nfs directory.
04:05
So mount tack T Nfs, the remote host.
04:11
Mount NFS
04:14
like I was talking about if we go mount
04:16
and if s
04:19
yeah,
04:20
we can see here that we have access, like I said to this remote system.
04:26
And what we can do now is do something like
04:29
cat,
04:31
Mt,
04:33
nfs etc. Password.
04:36
As you can see here, I can now read this remote host etc. Password file.
04:43
So like I was talking about, you know, we want to get on this machine now and since this is a Lennox machine um and we know that as ssh from our previous enumeration, I know you didn't see that but
04:55
for for sake of argument here, let's say have already looked at this machine. I've already seen that. Ssh is open.
05:02
So I'm going to do is create an ssh key. So I'm gonna use Ssh key gen.
05:13
So here we're creating our public private key pair. I'm just gonna put it in this directory here.
05:19
I've already done this but I'm gonna do it again. I'm gonna overwrite my previous keys.
05:24
You can enter a pass phrase. I'm not just gonna hit, enter, enter again.
05:30
And we've generated those keys.
05:32
So now I'm gonna do is I'm going to take that key and I'm gonna put her in the authorized the public he I should say
05:41
so I'm casting that public key and I'm
05:46
putting this now into the authorized keys of of this remote host.
05:51
Yeah.
05:53
So if we wanted to see this
05:56
we could cat mount authorized keys
06:02
and you can see there's a few other
06:04
keys I have here, cyber ninja that I've done this before,
06:09
but we have our public he in here.
06:12
So what I can do now is I can ssh in as the root user
06:20
and now we are route on the municipal cable box
06:28
and that's how you can use nFS from enumeration to actually exploiting this service and getting on this machine.
06:40
So like I said, you're gonna have a chance to do this in the lab.
06:44
Um so hopefully now you understand what NFS is used for and you can demonstrate how to enumerate an NFS uh with that hands on demo, and like I said, you'll be doing that yourself um in the lab.
Up Next
Offensive Penetration Testing

The Offensive Penetration Testing course opens the doors to those wanting to begin a penetration testing career. This course will prepare learners to begin their pentesting career journey by understanding what tools, techniques, and resources are available for someone starting out in offensive penetration testing.

Instructed By