(111,2049 for NFSv4.1)NFS

Network File System, same purpose as SMB and USED ONLY BETWEEN UNIX-LIKE OS.

About

• Its purpose is to access file systems over a network as if they were local. Kind of forking a copy on your device without actually saving

• It's really like SMB but a whole other protocol so there's no direct communication between NFS clients and SMB servers.

• Newer NFS versions work only on TCP/UDP port 2049 which simplifies the use of the protocol across firewalls.

From NFSv3, the protocol integrated client authentication. And from NFSv4, it included Kerberos, works with firewalls..etc and now the NFSv4.1 aims to support and facilitate the cluster server deployment and only on port TCP/UDP 2049.

Also, NFS is based on ONC-RPC/SUN-RPC protocol which uses TCP/UDP port 111: This is the port for the RPC portmapper (also known as rpcbind), which maps RPC program numbers to network port numbers. NFS uses RPC, so the portmapper is essential for the initial communication.

NFS also uses dynamic ports assigned by the portmapper for various RPC services such as:

• mountd: The mount daemon, which assists with mounting NFS file systems.

• nlockmgr: The network lock manager, which manages file locking.

• statd: The status monitor daemon, which handles crash recovery.

• rquotad: The remote quota server daemon, which provides disk quota management.

That's why the nmap output when probing an NFS server lists a long list of RPC services.

Config

The authentication that NFS uses comes from the available file system information: It translates the client's user infos into the NFS format and then converts them into the file system format to the required Unix syntax.

So it uses the UID/GID and group memberships which creates a problem when the client and server don't have the same UID/GID mapping and the server doesn't need to check anything further.

So, this makes NFS used only on trusted networks.

Enumeration

Nmap

We can see how NFS is entangled to RPC through a simple nmap scan:

$ sudo nmap <target-ip> -p111,2049 -sV -sC

PORT    STATE SERVICE VERSION

111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      41982/udp6  mountd
|   100005  1,2,3      45837/tcp   mountd
|   100005  1,2,3      47217/tcp6  mountd
|   100005  1,2,3      58830/udp   mountd
|   100021  1,3,4      39542/udp   nlockmgr
|   100021  1,3,4      44629/tcp   nlockmgr
|   100021  1,3,4      45273/tcp6  nlockmgr
|   100021  1,3,4      47524/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl

2049/tcp open  nfs_acl 3 (RPC #100227)

Mounting/Unmounting and interacting with NFS

$ mkdir target-NFS
$ sudo mount -t nfs <taget-ip>:/ ./target-NFS/ -o nolock
$ cd target-NFS
$ tree .

.
└── mnt
    └── nfs
        ├── id_rsa
        ├── id_rsa.pub
        └── nfs.share

2 directories, 3 files
$ cd ..
$ sudo umount ./target-NFS

The nolock option in NFS mount commands is used to disable file locking. This option is particularly useful in scenarios where the NFS server does not support the Network Lock Manager (NLM) protocol or when interfacing with older versions of operating systems like Red Hat Enterprise Linux, Red Hat Linux, or Solaris, as these systems may not be compatible with the most recent ACL technology.

When using the nolock option, applications can still lock files, but such locks only provide exclusion against other applications running on the same client. Remote applications are not affected by these locks. This can be a workaround for issues where the NFS server does not have rpc.statd running, which is required for remote locking.