linux - nfspy

Source: Internet | Published: OTG feature software download | Editor: 程序博客网 | Time: 2024/05/16 09:38

Today, we will learn about an NFS client called “nfspy” (or “nfspysh”).

Non-root user

First, we can query the portmapper for the RPC services behind the NFS share.

msf auxiliary(sunrpc_portmapper) > show options

Module options (auxiliary/scanner/misc/sunrpc_portmapper):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.1.103    yes       The target address range or CIDR identifier
   RPORT    111              yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(sunrpc_portmapper) > run

[+] SunRPC Programs for 192.168.1.103
=================================

 Name      Number  Version  Port   Protocol
 ----      ------  -------  ----   --------
 mountd    100005  1        54766  udp
 mountd    100005  3        46695  tcp
 mountd    100005  3        53130  udp
 mountd    100005  2        60723  tcp
 mountd    100005  2        39607  udp
 mountd    100005  1        56754  tcp
 nfs       100003  2        2049   tcp
 nfs       100003  2        2049   udp
 nfs       100003  4        2049   udp
 nfs       100003  3        2049   udp
 nfs       100003  3        2049   tcp
 nfs       100003  4        2049   tcp
 nfs_acl   100227  2        2049   tcp
 nfs_acl   100227  3        2049   udp
 nfs_acl   100227  2        2049   udp
 nfs_acl   100227  3        2049   tcp
 nlockmgr  100021  3        50532  tcp
 nlockmgr  100021  4        39176  udp
 nlockmgr  100021  3        39176  udp
 nlockmgr  100021  1        39176  udp
 nlockmgr  100021  1        50532  tcp
 nlockmgr  100021  4        50532  tcp
 rpcbind   100000  4        111    tcp
 rpcbind   100000  3        111    tcp
 rpcbind   100000  2        111    tcp
 rpcbind   100000  4        111    udp
 rpcbind   100000  2        111    udp
 rpcbind   100000  3        111    udp
 rquotad   100011  1        875    udp
 rquotad   100011  2        875    udp
 rquotad   100011  1        875    tcp
 rquotad   100011  2        875    tcp

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We can also get the same information with rpcinfo:

$ rpcinfo -p 192.168.1.103
   program vers proto   port
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp    875  rquotad
    100011    2   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100011    2   tcp    875  rquotad
    100005    1   udp  54766  mountd
    100005    1   tcp  56754  mountd
    100005    2   udp  39607  mountd
    100005    2   tcp  60723  mountd
    100005    3   udp  53130  mountd
    100005    3   tcp  46695  mountd
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049
    100227    3   tcp   2049
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049
    100227    3   udp   2049
    100021    1   udp  39176  nlockmgr
    100021    3   udp  39176  nlockmgr
    100021    4   udp  39176  nlockmgr
    100021    1   tcp  50532  nlockmgr
    100021    3   tcp  50532  nlockmgr
    100021    4   tcp  50532  nlockmgr

$ nfspy -d -o server=192.168.1.103:/home,nfsport=2049/tcp,mountport=56754/tcp,rw /tmp/mnt
fuse: failed to open /dev/fuse: Permission denied
Traceback (most recent call last):
  File "/usr/bin/nfspy", line 4, in <module>
    main(NFSFuse)
  File "/usr/lib/python2.7/dist-packages/nfspy/fusefs.py", line 63, in main
    return server.main()
  File "/usr/lib/python2.7/dist-packages/nfspy/fusefs.py", line 14, in main
    return fuse.Fuse.main(self, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/fuse.py", line 757, in main
    main(**d)
fuse.FuseError: filesystem initialization failed

Question: What’s the reason for port 56754, and why not 2049?
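
The answer is in the portmapper listing: 2049 is where the nfs program (100003) is registered, while 56754 is the TCP port registered for mountd (100005) version 1, so the command has to name both. The following added example (not part of the original post, and not NfSpy's own code) parses `rpcinfo -p` output and rebuilds the option string from it. The function names, the embedded sample, and the choice of nfs version 3 and mountd version 1 are assumptions of this example.

```python
import re

# Constructed sample: a subset of the `rpcinfo -p` lines shown above.
SAMPLE = """\
   program vers proto   port
    100000    4   tcp    111  portmapper
    100005    1   udp  54766  mountd
    100005    1   tcp  56754  mountd
    100005    3   tcp  46695  mountd
    100003    3   tcp   2049  nfs
    100227    3   tcp   2049
"""

# Standard ONC RPC program numbers; rpcinfo printed no name for 100227 above.
PROGRAMS = {100000: "portmapper", 100003: "nfs", 100005: "mountd",
            100011: "rquotad", 100021: "nlockmgr", 100227: "nfs_acl"}

ROW = re.compile(r"\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)\s*$")

def parse_rpcinfo(text):
    """Return (name, version, proto, port) for every registration line."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # the header line and blank lines do not match
            prog, vers, proto, port, _ = m.groups()
            name = PROGRAMS.get(int(prog), "unknown-" + prog)
            rows.append((name, int(vers), proto, int(port)))
    return rows

def programs_on_port(rows, port, proto="tcp"):
    """Which RPC programs are registered on a given port."""
    return sorted({n for n, _, pr, p in rows if p == port and pr == proto})

def port_for(rows, name, version, proto="tcp"):
    """Port registered for one program/version/protocol, or None."""
    for n, v, pr, p in rows:
        if (n, v, pr) == (name, version, proto):
            return p
    return None

def nfspy_options(rows, server, export, nfs_vers=3, mount_vers=1):
    """Rebuild the -o string from the registrations (versions are assumptions)."""
    nfs = port_for(rows, "nfs", nfs_vers)
    mount = port_for(rows, "mountd", mount_vers)
    if nfs is None or mount is None:
        raise ValueError("nfs or mountd is not registered over tcp")
    return "server=%s:%s,nfsport=%d/tcp,mountport=%d/tcp,rw" % (
        server, export, nfs, mount)
```

Because the mountd ports in the listing are not fixed the way 2049 is, a firewall rule that only covers 2049 and 111 does not cover the mount service.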


Root user

Once the NFS share is mounted, we can access it through the /mnt directory.

root@kali:~# nfspy -d -o server=192.168.1.103:/home,nfsport=2049/tcp,mountport=56754/tcp,rw /mnt
FUSE library version: 2.9.0
nullpath_ok: 0
nopath: 0
utime_omit_ok: 0
unique: 1, opcode: INIT (26), nodeid: 0, insize: 56, pid: 0
INIT: 7.22
flags=0x0000f7fb
max_readahead=0x00020000
   INIT: 7.18
   flags=0x00000011
   max_readahead=0x00020000
   max_write=0x00020000
   max_background=0
   congestion_threshold=0
   unique: 1, success, outsize: 40
unique: 2, opcode: GETATTR (3), nodeid: 1, insize: 56, pid: 3954
getattr /
   unique: 2, success, outsize: 120
unique: 3, opcode: GETXATTR (22), nodeid: 1, insize: 65, pid: 3956
   unique: 3, error: -38 (Function not implemented), outsize: 16
unique: 4, opcode: OPENDIR (27), nodeid: 1, insize: 48, pid: 3956
   unique: 4, success, outsize: 32
unique: 5, opcode: READDIR (28), nodeid: 1, insize: 80, pid: 3956
readdir[0] from 0
   unique: 5, success, outsize: 112
unique: 6, opcode: LOOKUP (1), nodeid: 1, insize: 47, pid: 3956
LOOKUP /centos
getattr /centos
   NODEID: 2
   unique: 6, success, outsize: 144
unique: 7, opcode: READDIR (28), nodeid: 1, insize: 80, pid: 3956
   unique: 7, success, outsize: 16
unique: 8, opcode: RELEASEDIR (29), nodeid: 1, insize: 64, pid: 0
   unique: 8, success, outsize: 16
^C^C^C^Cunique: 9, opcode: FORGET (2), nodeid: 2, insize: 48, pid: 0
FORGET 2/1
DELETE: 2
unique: 10, opcode: FORGET (2), nodeid: 1, insize: 48, pid: 0
FORGET 1/1
Exception KeyboardInterrupt in <module 'threading' from '/usr/lib/python2.7/threading.pyc'> ignored
