Open NFS mounts/shares are awesome. talk about sometimes finding "The Goods". More than once an organization has been backing up everyone's home directories to an NFS share with bad permissions. so checking to see whats shared and what you can access is important.
Low? currently an "info" with Nessus 5
Anyway, you probably want to know about finding it. You have a few options.
standard portscanning (of course)
1. scan for port 111/2049
2. do showmount -e / showmount -a
3. metasploit module
example:
root@attacker]# showmount -e 192.168.0.1
Export list for 192.168.0.1:
/export/home/ (everyone)
/export/mnt/ (everyone)
/export/share/ (everyone)
3. look to see what's exported and who is mounting ("everyone" FTW)
To mount an NFS share use the following after first creating a directory on your local machine:
[root@attacker~]#mount -t nfs 192.168.0.1:/export/home /tmp/badperms
change directories to /tmp/badperms and you should see the contents of /export/home on 192.168.0.1
to abuse NFS you can check out the rest from http://www.vulnerabilityassessment.co.uk/nfs.htm it talks about tricking NFS to become users. I'm going to put it here in case it goes missing later:
"You ask now, how do you circumvent file permissions and the use of the sticky bit, this is done with a little prior planning and slight of hand to confuse the remote machine.
If we have a /export/home/dave directory that we have gone into, we will see a number of files belonging to dave, some or all of which you may be able to read. The one thing the system will give you is the owners UID on the remote system after issuing an ls -al command i.e.
-rwxr----- 517 wheel 898 daves_secret_doc
The permissions at the moment do not let you do anything with the file as you are not the owner (yet) and not a member of the group wheel.
Move away from the mount point and unmount the share
umount /local_dir
create a user called dave
useradd dave
passwd dave
Edit /etc/passwd and change the UID to 517
Remount the share as local root
Go into daves directory
cd dave
issue the command
su dave
As you are local root you can do this and as you have an account called dave you will not need a password
Now the quirky stuff - As the UID for your local account dave matches the username and UID of the remote, the remote system now thinks your his dave, hey presto you can now do whatever you want with daves_secret_doc."
nmap scripts to do additional info gathering
nfs-ls
nfs-showmount
nfs-statfs
Valsmith and hdmoore gave their tactical exploitation talk at defcon 15 and talked about NFS (file services section of the slides) video white paper they also gave it at blackhat in a much longer format, unfortunately the video is broken into multiple 14 minute parts, so go Google for it (lazy)
Fun Reading:
Swiss Cyber Storm II Case: NFS Hacking: http://www.csnc.ch/misc/files/publications/2009_scsII_axel_neumann_NFS.pdf
1 comment:
try http://nfs.proisk.com/
Post a Comment