(111,2049 for NFSv4.1)NFS
Network File System, same purpose as SMB and USED ONLY BETWEEN UNIX-LIKE OS.
About
Its purpose is to access file systems over a network as if they were local. Kind of forking a copy on your device without actually saving
It's really like SMB but a whole other protocol so there's no direct communication between NFS clients and SMB servers.
Newer NFS versions work only on TCP/UDP port 2049 which simplifies the use of the protocol across firewalls.
From NFSv3, the protocol integrated client authentication. And from NFSv4, it included Kerberos, works with firewalls..etc and now the NFSv4.1 aims to support and facilitate the cluster server deployment and only on port TCP/UDP 2049.
Also, NFS is based on ONC-RPC/SUN-RPC protocol which uses TCP/UDP port 111: This is the port for the RPC portmapper (also known as rpcbind), which maps RPC program numbers to network port numbers. NFS uses RPC, so the portmapper is essential for the initial communication.
NFS also uses dynamic ports assigned by the portmapper for various RPC services such as:
mountd: The mount daemon, which assists with mounting NFS file systems.
nlockmgr: The network lock manager, which manages file locking.
statd: The status monitor daemon, which handles crash recovery.
rquotad: The remote quota server daemon, which provides disk quota management.
That's why the nmap output when probing an NFS server lists a long list of RPC services.
Config
The authentication that NFS uses comes from the available file system information: It translates the client's user infos into the NFS format and then converts them into the file system format to the required Unix syntax.
So it uses the UID/GID and group memberships which creates a problem when the client and server don't have the same UID/GID mapping and the server doesn't need to check anything further.
So, this makes NFS used only on trusted networks.
Enumeration
Nmap
We can see how NFS is entangled to RPC through a simple nmap scan:
$ sudo nmap <target-ip> -p111,2049 -sV -sC
PORT STATE SERVICE VERSION
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 41982/udp6 mountd
| 100005 1,2,3 45837/tcp mountd
| 100005 1,2,3 47217/tcp6 mountd
| 100005 1,2,3 58830/udp mountd
| 100021 1,3,4 39542/udp nlockmgr
| 100021 1,3,4 44629/tcp nlockmgr
| 100021 1,3,4 45273/tcp6 nlockmgr
| 100021 1,3,4 47524/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)Mounting/Unmounting and interacting with NFS
$ mkdir target-NFS
$ sudo mount -t nfs <taget-ip>:/ ./target-NFS/ -o nolock
$ cd target-NFS
$ tree .
.
└── mnt
└── nfs
├── id_rsa
├── id_rsa.pub
└── nfs.share
2 directories, 3 files
$ cd ..
$ sudo umount ./target-NFSThe
nolockoption in NFS mount commands is used to disable file locking. This option is particularly useful in scenarios where the NFS server does not support the Network Lock Manager (NLM) protocol or when interfacing with older versions of operating systems like Red Hat Enterprise Linux, Red Hat Linux, or Solaris, as these systems may not be compatible with the most recent ACL technology.When using the
nolockoption, applications can still lock files, but such locks only provide exclusion against other applications running on the same client. Remote applications are not affected by these locks. This can be a workaround for issues where the NFS server does not haverpc.statdrunning, which is required for remote locking.
Last updated