NFS

Network File System

About

Sun Microsystems: Same purpose as SMB

• Access file systems over a network as if they were local

• Uses entirely different protocol. NFS is used between Linux and Unix systems.

  • NFS clients can't communicate directly with SMB servers

  • Internet standard: Governs procedures in a distributed file system

  • NSFv3: Protocol version 3.0 has been in use for many years: Authenticates client pc

  • NFSv4: As with Win SMB, the user must authenticate

NFSv2-4

NFSv2 Older but supported by many systems: UDP

NFSv3 Variable file size/better error reporting: Not fully compatible with v2

NFDv4 Includes Kerberos, works through firewalls, supports ACLs

• No portmappers, state-based operations, stateful

• Performance improvements, Security improvements

NFSv4.1

NFSv4.1 Protocol support to leverage cluster server deployments

• pNFS: Parallel access to files distributed across multiple servers

• Multipathing: Session trunking mechanism

Advantages:

• Only 1 UDP/TCP p 2049 used to run the service

• Simplifies use across firewalls ONE-RPC/SUN-RPC:

  • Open Network Computing/RPC protocol on TCP/UDP p 111

  • XDR: External Data Representation: for system-independent exchange of data

  • Auth shifted to RPC protocol's options derived from avail FS info

    • Server is responsible for translating client's info into FS format

    • Converting corresponding auth into UNIX syntax

    • UID/GID/group memberships

Problems: Client/server don't need to have same mappings of UID/GID to users/groups

• Server doesn't need to do anything and no checks made

• /etc/exports Contains table of physical FS on NFS server accessible by clients

Exports File

cat /etc/exports # ACL for FS may be exported to clients
# Example for NFSv2/NFSv3
/srv/homes 
hostname1(rw,sync,no_subtree_check) 
hostname2(ro,sync,no_subtree_check)
# Example for NFSv4:
/srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
/srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)

# Default exports file contains examples 
rw # read/write perms
ro # read only perms
sync # sync data xfer (slower)
async # async data xfer (faster)
secure # ports 1024+ not used
insecure # ports 1024+ used
no_subtree_check # disables checking subdir trees
root_squash # assigns all perms of root uid/gid 0 to uid/guid of anon 

# Entry test ExportFS
echo '/mnt/nfs  10.10.10.10/24(sync,no_subtree_check)' >> /etc/exports
systemctl restart nfs-kernel-server 
exportfs
/mnt/nfs      	10.10.10.10/24

Footprinting

• Ports 111, 2049; Can get info via RPC

sudo nmap 10.10.10.10 -p111,2049 -sV -sC --script nfs* # nse script 

PORT    STATE SERVICE VERSION
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100003  3,4         2049/tcp   nfs
|   100005  1,2,3      47217/tcp6  mountd
|   100021  1,3,4      39542/udp   nlockmgr
|   100227  3           2049/tcp6  nfs_acl
2049/tcp open  nfs_acl 3 (RPC #100227)

Once discovered, we can mount to our local machine

• Create an empty folder the NFS share will be mounted

• We can navigate it and view the contents just like our local system

• root_squash is set? Can't edit backup.sh file even as root

showmount -e 10.10.10.10 # show available NFS shares
mkdir moo-share # create folder to download to
sudo mount -t nfs 10.10.10.10:/ ./moo-share/ -o nolock # mount nfs share 

tree . # list folder structure 
ls -l mnt/nfs/ # list contents with user/group names 
ls -n mnt/nfs/ # list contents with uid/guids 

sudo unmount ./moo-share # unmount share