NFS Enumeration


Difficulty
Intermediate
Video Transcription
00:00
NFS enumeration
00:03
Our learning objectives are to understand what NFS is used for and demonstrate how to enumerate NFS.
00:09
So NFS stands for Network File System, was developed back in 1984 by Sun Microsystems, is kind of like SMB in that it allows you to interact remotely with directories and files on a remote host.
00:26
Um, you can also mount it to your file system, which I'll demonstrate later.
00:31
Uh, so it's an open standard. Um, anyone can use it and we have a bunch of different tools we can use to enumerate the service. As you can see here, we're using rpcinfo and we're looking at the different ports, so, you know, we can use Nmap as well. But here rpcinfo is telling us some ports that
00:51
are in use by NFS
00:54
and you'll see both TCP and udp.
00:58
Mhm.
01:00
All right. Like I said, um, you know, we use smbclient for SMB; here, we're actually mounting the shares directly onto our machine, our Kali machine
01:12
and you can see here we're using showmount -e to see which directories that we have access to. In this case we have access to all of them. And I'll say please pay attention because you're actually gonna be using this in the lab.
01:26
So once you showmount, you can see which directories you can mount. Then what you're going to do is you're going to make a directory in your mount directory, um, actually mount that share, um, onto your machine and then you actually have access to that remote system.
01:49
So then what you can do is once you have access to that remote system you can interact, uh, and ultimately get access to that machine. As we can see here, um, we are making an SSH key,
02:02
we are putting that into the remote host's authorized keys
02:07
um file
02:10
and then, um, mounting, uh, mount NFS and then using SSH to get onto that machine.
02:17
So I'm going to show that to you in a demo now.
02:24
I did want to mention though, before the demo that simply mounting shares,
02:30
it's not enough, you know, SCP to consider getting a shell on a remote system. You actually do have to get a shell. So just because you can see files on the remote system doesn't mean you've owned that system.
02:47
All right. So here's the demo. What we're gonna do is we're going to look at rpcinfo -p and our host that we're looking at enumerating
03:00
and you can see here
03:01
we have that portmapper service I referenced in the other slide. We have TCP and UDP. We also have NFS, both UDP and TCP on port 2049.
03:15
So now we're gonna use showmount to see what we have access to.
03:23
I'll clear this
03:25
We'll use showmount -e and you can see we have access to everything, which is great.
03:31
Everything meaning the whole directory structure of this remote host.
03:40
So what I'm gonna do now is make a directory in my
03:44
mount directory called NFS
03:47
Already exists, I've already done it for you. You'll make this directory, you can call it whatever you want. It doesn't have to be NFS.
03:57
Now what we're gonna do is mount it,
04:00
meaning mount that remote host into this mount NFS directory.
04:05
So mount -t nfs, the remote host.
04:11
Mount NFS
04:14
like I was talking about if we go mount
04:16
NFS
04:19
yeah,
04:20
we can see here that we have access, like I said to this remote system.
04:26
And what we can do now is do something like
04:29
cat,
04:31
mnt,
04:33
nfs, etc, passwd.
04:36
As you can see here, I can now read this remote host's /etc/passwd file.
04:43
So like I was talking about, you know, we want to get on this machine now and since this is a Linux machine, um, and we know it has SSH from our previous enumeration, I know you didn't see that but
04:55
for sake of argument here, let's say I have already looked at this machine. I've already seen that SSH is open.
05:02
So what I'm going to do is create an SSH key. So I'm gonna use ssh-keygen.
05:13
So here we're creating our public private key pair. I'm just gonna put it in this directory here.
05:19
I've already done this but I'm gonna do it again. I'm gonna overwrite my previous keys.
05:24
You can enter a passphrase. I'm not, just gonna hit enter, enter again.
05:30
And we've generated those keys.
05:32
So now what I'm gonna do is I'm going to take that key and I'm gonna put it in the authorized, the public key I should say,
05:41
so I'm catting that public key and I'm
05:46
putting this now into the authorized keys of this remote host.
05:51
Yeah.
05:53
So if we wanted to see this
05:56
we could cat mount authorized keys
06:02
and you can see there's a few other
06:04
keys I have here, cyber ninja that I've done this before,
06:09
but we have our public key in here.
06:12
So what I can do now is I can SSH in as the root user
06:20
and now we are root on the Metasploitable box
06:28
and that's how you can use NFS from enumeration to actually exploiting this service and getting on this machine.
06:40
So like I said, you're gonna have a chance to do this in the lab.
06:44
Um, so hopefully now you understand what NFS is used for and you can demonstrate how to enumerate an NFS, uh, with that hands-on demo, and like I said, you'll be doing that yourself, um, in the lab.