linux - nfspy

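This article describes how to access NFS shares with the nfspy client as a non-root user and as root. It explains in detail the role of the different ports involved, including the port configuration of the rpcbind, nfs and mountd services, and compares the problems encountered when accessing an NFS share under different privileges and how to resolve them.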

Today we will look at an NFS client called “nfspy” (or “nfspysh”).

Non-root user

First, we query the portmapper for the RPC services registered on the NFS server.

msf auxiliary(sunrpc_portmapper) > show options

Module options (auxiliary/scanner/misc/sunrpc_portmapper):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.1.103    yes       The target address range or CIDR identifier
   RPORT    111              yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(sunrpc_portmapper) > run

[+] SunRPC Programs for 192.168.1.103
=================================

 Name      Number  Version  Port   Protocol
 ----      ------  -------  ----   --------
 mountd    100005  1        54766  udp
 mountd    100005  3        46695  tcp
 mountd    100005  3        53130  udp
 mountd    100005  2        60723  tcp
 mountd    100005  2        39607  udp
 mountd    100005  1        56754  tcp
 nfs       100003  2        2049   tcp
 nfs       100003  2        2049   udp
 nfs       100003  4        2049   udp
 nfs       100003  3        2049   udp
 nfs       100003  3        2049   tcp
 nfs       100003  4        2049   tcp
 nfs_acl   100227  2        2049   tcp
 nfs_acl   100227  3        2049   udp
 nfs_acl   100227  2        2049   udp
 nfs_acl   100227  3        2049   tcp
 nlockmgr  100021  3        50532  tcp
 nlockmgr  100021  4        39176  udp
 nlockmgr  100021  3        39176  udp
 nlockmgr  100021  1        39176  udp
 nlockmgr  100021  1        50532  tcp
 nlockmgr  100021  4        50532  tcp
 rpcbind   100000  4        111    tcp
 rpcbind   100000  3        111    tcp
 rpcbind   100000  2        111    tcp
 rpcbind   100000  4        111    udp
 rpcbind   100000  2        111    udp
 rpcbind   100000  3        111    udp
 rquotad   100011  1        875    udp
 rquotad   100011  2        875    udp
 rquotad   100011  1        875    tcp
 rquotad   100011  2        875    tcp

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The same information is available from rpcinfo:

$ rpcinfo -p 192.168.1.103
   program vers proto   port
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp    875  rquotad
    100011    2   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100011    2   tcp    875  rquotad
    100005    1   udp  54766  mountd
    100005    1   tcp  56754  mountd
    100005    2   udp  39607  mountd
    100005    2   tcp  60723  mountd
    100005    3   udp  53130  mountd
    100005    3   tcp  46695  mountd
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049
    100227    3   tcp   2049
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049
    100227    3   udp   2049
    100021    1   udp  39176  nlockmgr
    100021    3   udp  39176  nlockmgr
    100021    4   udp  39176  nlockmgr
    100021    1   tcp  50532  nlockmgr
    100021    3   tcp  50532  nlockmgr
    100021    4   tcp  50532  nlockmgr

Mounting the share with nfspy as a non-root user fails, because the user cannot open /dev/fuse:

$ nfspy -d -o server=192.168.1.103:/home,nfsport=2049/tcp,mountport=56754/tcp,rw /tmp/mnt
fuse: failed to open /dev/fuse: Permission denied
Traceback (most recent call last):
  File "/usr/bin/nfspy", line 4, in <module>
    main(NFSFuse)
  File "/usr/lib/python2.7/dist-packages/nfspy/fusefs.py", line 63, in main
    return server.main()
  File "/usr/lib/python2.7/dist-packages/nfspy/fusefs.py", line 14, in main
    return fuse.Fuse.main(self, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/fuse.py", line 757, in main
    main(**d)
fuse.FuseError: filesystem initialization failed

Question: why is mountport set to 56754, and not 2049?
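
The two port options in the nfspy command refer to different RPC programs in the listing above: nfsport is the nfs service (program 100003) and mountport is mountd (program 100005), which is registered on 56754/tcp for version 1. The following added example (not part of the original post) parses rpcinfo -p output to pull out both and to list every exposed port per service for firewall review; the sample input is a constructed subset of the listing above and the function names are illustrative.

```python
import re
from collections import defaultdict

# RPC program numbers and names as they appear in the scanner output above;
# rpcinfo itself prints no name for 100227.
KNOWN = {100000: "portmapper", 100003: "nfs", 100005: "mountd",
         100011: "rquotad", 100021: "nlockmgr", 100227: "nfs_acl"}

# Constructed sample: a subset of the rpcinfo -p listing shown above.
SAMPLE = """\
   program vers proto   port
    100000    4   tcp    111  portmapper
    100005    1   udp  54766  mountd
    100005    1   tcp  56754  mountd
    100005    3   tcp  46695  mountd
    100003    3   tcp   2049  nfs
    100227    3   tcp   2049
    100021    4   tcp  50532  nlockmgr
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")

def parse_rpcinfo(text):
    """Return a list of (name, program, version, proto, port) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or blank line
        prog, vers, proto, port, name = m.groups()
        prog = int(prog)
        name = name or KNOWN.get(prog, "unknown")  # fill in unnamed programs
        rows.append((name, prog, int(vers), proto, int(port)))
    return rows

def ports_for(rows, name, proto="tcp"):
    """Map version -> port for one service and transport."""
    return {v: p for n, _, v, pr, p in rows if n == name and pr == proto}

def exposure_summary(rows):
    """Group distinct port/proto pairs per service, for firewall review."""
    out = defaultdict(set)
    for n, _, _, pr, p in rows:
        out[n].add(f"{p}/{pr}")
    return {n: sorted(v) for n, v in out.items()}

if __name__ == "__main__":
    rows = parse_rpcinfo(SAMPLE)
    print("nfsport candidates:  ", ports_for(rows, "nfs"))
    print("mountport candidates:", ports_for(rows, "mountd"))
    print(exposure_summary(rows))
```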


Root user

When the NFS share is mounted, we can access the /mnt directory.

root@kali:~# nfspy -d -o server=192.168.1.103:/home,nfsport=2049/tcp,mountport=56754/tcp,rw /mnt 
FUSE library version: 2.9.0
nullpath_ok: 0
nopath: 0
utime_omit_ok: 0
unique: 1, opcode: INIT (26), nodeid: 0, insize: 56, pid: 0
INIT: 7.22
flags=0x0000f7fb
max_readahead=0x00020000
   INIT: 7.18
   flags=0x00000011
   max_readahead=0x00020000
   max_write=0x00020000
   max_background=0
   congestion_threshold=0
   unique: 1, success, outsize: 40
unique: 2, opcode: GETATTR (3), nodeid: 1, insize: 56, pid: 3954
getattr /
   unique: 2, success, outsize: 120
unique: 3, opcode: GETXATTR (22), nodeid: 1, insize: 65, pid: 3956
   unique: 3, error: -38 (Function not implemented), outsize: 16
unique: 4, opcode: OPENDIR (27), nodeid: 1, insize: 48, pid: 3956
   unique: 4, success, outsize: 32
unique: 5, opcode: READDIR (28), nodeid: 1, insize: 80, pid: 3956
readdir[0] from 0
   unique: 5, success, outsize: 112
unique: 6, opcode: LOOKUP (1), nodeid: 1, insize: 47, pid: 3956
LOOKUP /centos
getattr /centos
   NODEID: 2
   unique: 6, success, outsize: 144
unique: 7, opcode: READDIR (28), nodeid: 1, insize: 80, pid: 3956
   unique: 7, success, outsize: 16
unique: 8, opcode: RELEASEDIR (29), nodeid: 1, insize: 64, pid: 0
   unique: 8, success, outsize: 16
^C^C^C^Cunique: 9, opcode: FORGET (2), nodeid: 2, insize: 48, pid: 0
FORGET 2/1
DELETE: 2
unique: 10, opcode: FORGET (2), nodeid: 1, insize: 48, pid: 0
FORGET 1/1
Exception KeyboardInterrupt in <module 'threading' from '/usr/lib/python2.7/threading.pyc'> ignored
