linux - nfspy
Source: Internet | Editor: 程序博客网 | Time: 2024/05/16 09:38
Today we will look at an NFS client called “nfspy” (or “nfspysh”).
Non-root user
First, we can query the portmapper for RPC information about the NFS share.
```
msf auxiliary(sunrpc_portmapper) > show options

Module options (auxiliary/scanner/misc/sunrpc_portmapper):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.1.103    yes       The target address range or CIDR identifier
   RPORT    111              yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(sunrpc_portmapper) > run

[+] SunRPC Programs for 192.168.1.103
=================================

 Name      Number  Version  Port   Protocol
 ----      ------  -------  ----   --------
 mountd    100005  1        54766  udp
 mountd    100005  3        46695  tcp
 mountd    100005  3        53130  udp
 mountd    100005  2        60723  tcp
 mountd    100005  2        39607  udp
 mountd    100005  1        56754  tcp
 nfs       100003  2        2049   tcp
 nfs       100003  2        2049   udp
 nfs       100003  4        2049   udp
 nfs       100003  3        2049   udp
 nfs       100003  3        2049   tcp
 nfs       100003  4        2049   tcp
 nfs_acl   100227  2        2049   tcp
 nfs_acl   100227  3        2049   udp
 nfs_acl   100227  2        2049   udp
 nfs_acl   100227  3        2049   tcp
 nlockmgr  100021  3        50532  tcp
 nlockmgr  100021  4        39176  udp
 nlockmgr  100021  3        39176  udp
 nlockmgr  100021  1        39176  udp
 nlockmgr  100021  1        50532  tcp
 nlockmgr  100021  4        50532  tcp
 rpcbind   100000  4        111    tcp
 rpcbind   100000  3        111    tcp
 rpcbind   100000  2        111    tcp
 rpcbind   100000  4        111    udp
 rpcbind   100000  2        111    udp
 rpcbind   100000  3        111    udp
 rquotad   100011  1        875    udp
 rquotad   100011  2        875    udp
 rquotad   100011  1        875    tcp
 rquotad   100011  2        875    tcp

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
The same information is available from rpcinfo:
```
$ rpcinfo -p 192.168.1.103
   program vers proto   port
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp    875  rquotad
    100011    2   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100011    2   tcp    875  rquotad
    100005    1   udp  54766  mountd
    100005    1   tcp  56754  mountd
    100005    2   udp  39607  mountd
    100005    2   tcp  60723  mountd
    100005    3   udp  53130  mountd
    100005    3   tcp  46695  mountd
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049
    100227    3   tcp   2049
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049
    100227    3   udp   2049
    100021    1   udp  39176  nlockmgr
    100021    3   udp  39176  nlockmgr
    100021    4   udp  39176  nlockmgr
    100021    1   tcp  50532  nlockmgr
    100021    3   tcp  50532  nlockmgr
    100021    4   tcp  50532  nlockmgr

$ nfspy -d -o server=192.168.1.103:/home,nfsport=2049/tcp,mountport=56754/tcp,rw /tmp/mnt
fuse: failed to open /dev/fuse: Permission denied
Traceback (most recent call last):
  File "/usr/bin/nfspy", line 4, in <module>
    main(NFSFuse)
  File "/usr/lib/python2.7/dist-packages/nfspy/fusefs.py", line 63, in main
    return server.main()
  File "/usr/lib/python2.7/dist-packages/nfspy/fusefs.py", line 14, in main
    return fuse.Fuse.main(self, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/fuse.py", line 757, in main
    main(**d)
fuse.FuseError: filesystem initialization failed
```
Question: What’s the reason for port 56754, and why not 2049?
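The two ports belong to different RPC programs: 2049 is the NFS service itself (program 100003), while 56754 is where mountd (program 100005, version 1 over TCP) registered with the portmapper for the MOUNT protocol, which an NFSv3 client uses to obtain the export's root file handle. The sketch below is an added example, not code from the original post or from NfSpy; it parses `rpcinfo -p` text to read those ports off the listing, and its function names and the `KNOWN_PROGRAMS` table are assumptions made for illustration.

```python
# Added example: parse `rpcinfo -p` text and look up the ports of an RPC service.
import re
from collections import namedtuple

RpcEntry = namedtuple("RpcEntry", "program version proto port service")

# Well-known program numbers, used when rpcinfo prints no service name
# (as happens for 100227 in the listing on this page). Illustrative table.
KNOWN_PROGRAMS = {100000: "portmapper", 100003: "nfs", 100005: "mountd",
                  100011: "rquotad", 100021: "nlockmgr", 100227: "nfs_acl"}

# program, version, transport, port, optional service name
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")

def parse_rpcinfo(text):
    """Return a list of RpcEntry; the header and unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        prog, vers, proto, port, name = m.groups()
        prog = int(prog)
        name = name or KNOWN_PROGRAMS.get(prog, "unknown")
        entries.append(RpcEntry(prog, int(vers), proto, int(port), name))
    return entries

def ports_for(entries, service, proto="tcp"):
    """Map version -> port for one service over one transport."""
    return {e.version: e.port for e in entries
            if e.service == service and e.proto == proto}

# Sample input: a subset of the rpcinfo listing shown on this page.
SAMPLE = """\
   program vers proto   port
    100000    4   tcp    111  portmapper
    100005    1   udp  54766  mountd
    100005    1   tcp  56754  mountd
    100005    3   tcp  46695  mountd
    100003    3   tcp   2049  nfs
    100227    3   tcp   2049
"""

if __name__ == "__main__":
    rows = parse_rpcinfo(SAMPLE)
    print("mountd/tcp:", ports_for(rows, "mountd"))  # MOUNT protocol (mountport)
    print("nfs/tcp:   ", ports_for(rows, "nfs"))     # NFS protocol (nfsport)
```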
Root user
Once the NFS share is mounted, we can access it under the /mnt directory.
```
root@kali:~# nfspy -d -o server=192.168.1.103:/home,nfsport=2049/tcp,mountport=56754/tcp,rw /mnt
FUSE library version: 2.9.0
nullpath_ok: 0
nopath: 0
utime_omit_ok: 0
unique: 1, opcode: INIT (26), nodeid: 0, insize: 56, pid: 0
INIT: 7.22
flags=0x0000f7fb
max_readahead=0x00020000
   INIT: 7.18
   flags=0x00000011
   max_readahead=0x00020000
   max_write=0x00020000
   max_background=0
   congestion_threshold=0
   unique: 1, success, outsize: 40
unique: 2, opcode: GETATTR (3), nodeid: 1, insize: 56, pid: 3954
getattr /
   unique: 2, success, outsize: 120
unique: 3, opcode: GETXATTR (22), nodeid: 1, insize: 65, pid: 3956
   unique: 3, error: -38 (Function not implemented), outsize: 16
unique: 4, opcode: OPENDIR (27), nodeid: 1, insize: 48, pid: 3956
   unique: 4, success, outsize: 32
unique: 5, opcode: READDIR (28), nodeid: 1, insize: 80, pid: 3956
readdir[0] from 0
   unique: 5, success, outsize: 112
unique: 6, opcode: LOOKUP (1), nodeid: 1, insize: 47, pid: 3956
LOOKUP /centos
getattr /centos
   NODEID: 2
   unique: 6, success, outsize: 144
unique: 7, opcode: READDIR (28), nodeid: 1, insize: 80, pid: 3956
   unique: 7, success, outsize: 16
unique: 8, opcode: RELEASEDIR (29), nodeid: 1, insize: 64, pid: 0
   unique: 8, success, outsize: 16
^C^C^C^Cunique: 9, opcode: FORGET (2), nodeid: 2, insize: 48, pid: 0
FORGET 2/1
DELETE: 2
unique: 10, opcode: FORGET (2), nodeid: 1, insize: 48, pid: 0
FORGET 1/1
Exception KeyboardInterrupt in <module 'threading' from '/usr/lib/python2.7/threading.pyc'> ignored
```
References
- https://github.com/bonsaiviking/NfSpy
- http://www.room362.com/blog/2013/03/04/mounting-nfs-shares-through-meterpreter-with-nfspy/
- https://www.howtoforge.com/install_nfs_server_and_client_on_debian_wheezy
- http://www.cyberciti.biz/faq/centos-fedora-rhel-nfs-v4-configuration/