Lab: Perform NFS Enumeration Using Kali Tools – Full Notes

1. Introduction

NFS Enumeration is the process of discovering shared directories and services on systems using the Network File System (NFS). NFS allows Linux/UNIX systems to share files across the network. Misconfigured NFS servers can expose sensitive data, making enumeration a crucial step in penetration testing.

Scenario Context:

• Organization: CodeStream Innovations
• Security Firm: SecureProbe Analysts
• Concern: Misconfigured NFS servers exposing proprietary source code, documents, and team resources

2. What is NFS?

NFS (Network File System) is a distributed file system protocol that allows users to access files over a network as if they were local. It is widely used for shared storage in development environments and central servers.

Important Ports:

• TCP/UDP 2049 – NFS service
• TCP/UDP 111 – RPCBind / Portmapper

3. Objectives of NFS Enumeration

• Identify NFS-enabled systems
• Discover shared directories (exports)
• Check access permissions (read/write)
• Identify insecure configurations
• Assess risk of data exposure

4. Tools and Commands for All OS

4.1 RPC Services Discovery

Tool: rpcinfo (Linux/macOS)

rpcinfo -p <target-ip>
rpcinfo -p 192.168.1.100

What it does:

• Shows RPC services running on the target
• Identifies ports for NFS and mountd services

4.2 Enumerate NFS Shares

Tool: showmount (Linux/macOS)

showmount -e <target-ip>
showmount -e 192.168.1.100

Output explanation:

• Lists exported directories
• Shows allowed clients or subnets

4.3 Create Mount Directory

Before mounting NFS shares, create a local directory:

mkdir -p /mnt/nfs

4.4 Mount NFS Share

mount -t nfs <target-ip>:/shared /mnt/nfs
mount -t nfs 192.168.1.100:/shared /mnt/nfs

Check contents:

ls -la /mnt/nfs

4.5 Unmount NFS Share (Best Practice)

umount /mnt/nfs

4.6 Advanced Enumeration (Optional)

Use nmap for automated enumeration:

nmap -p 111,2049 --script nfs* 192.168.1.100

This discovers:

• NFS version
• Exported directories
• Access permissions

4.7 Windows Clients

On Windows, NFS client support is optional. Enable "Services for NFS" and then use:

mount \\<server-ip>\<share-name> Z:

5. Risks and Importance

• Exposed intellectual property (source code, documents)
• Unauthorized access to sensitive files
• Privilege escalation via UID/GID misalignment
• Internal data leak prevention

6. Best Practices for Securing NFS

• Restrict access to specific IP addresses
• Use read-only where possible
• Disable root access (no_root_squash)
• Segment NFS servers from public networks
• Monitor NFS logs and access attempts

7. Real-Life Analogy

NFS is like a company storage room: RPC is the receptionist telling clients where the rooms are. Misconfigured permissions are like leaving the door open to the public — anyone can access confidential files.

8. Complete Enumeration Workflow – All OS

# Step 1: Check RPC Services
rpcinfo -p 192.168.1.100

# Step 2: Enumerate NFS Shares
showmount -e 192.168.1.100

# Step 3: Create Mount Directory
mkdir -p /mnt/nfs

# Step 4: Mount Share
mount -t nfs 192.168.1.100:/shared /mnt/nfs

# Step 5: View Contents
ls -la /mnt/nfs

# Step 6: Unmount After Testing
umount /mnt/nfs

# Optional: Use Nmap for Automated Enumeration
nmap -p 111,2049 --script nfs* 192.168.1.100

9. Conclusion

NFS Enumeration is essential to identify misconfigured file shares and prevent sensitive data exposure. Using tools like rpcinfo, showmount, and mount, students and security professionals can safely enumerate, analyze, and secure NFS shares across Linux, UNIX, and Windows systems.