NFS shares are not only common to come across during the OSCP and in capture the flag events like Hack The Box, but they’re also common to see during internal pentest engagements. This post is intended as a guide to enumerating an NFS share and the different opportunities for abusing its functionality.
Note: In Linux environments, NFS is sometimes used as a home directory server.
Using ShowMount
To list the available NFS shares, you can use the following:
    showmount -e <ipAddr>
To list the connected clients, you can use the following:
    showmount -a <ipAddr>
Mounting NFS Shares
First, we’ll need to create a mount point in Kali.
    sudo mkdir /mnt/nfs-share
Then we can mount the open share to it.
    sudo mount -t nfs <ipAddr>:/<shareName> /mnt/nfs-share
Then you can change into the mounted share.
    cd /mnt/nfs-share
Enumerating Mounted NFS Shares
Once you’ve mounted a share (using the above steps), you’ll want to enumerate it to see what it contains and what permissions you have to interact with it.
Obviously you can then read/copy files, but testing to see if you can write/delete is an important step.
    touch test
    rm test
Can you overwrite existing files? For example, say that Web.config was present in the share. Try the following:
    touch /tmp/Web.config
    mv /tmp/Web.config /mnt/nfs-share/Web.config
Sometimes interacting with the share directly can be slow, so it may be helpful to run the following command. This will get a list of all the files in the share along with their associated permissions, and write that into a text document locally on your machine. This will let you search through this local file to hunt for handy files rather than querying the remote system each time.
    find . -ls > /tmp/nfs-share.dir
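As an added example (not part of the original post), the shell function below parses the saved listing offline and reports every entry whose mode grants write access to "other", which are the files and directories a share owner would want to lock down first. It assumes the GNU find -ls column layout; the function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: offline triage of a saved `find . -ls` listing.
# Assumed GNU find -ls columns:
#   inode blocks mode links owner group size month day time-or-year path

# Constructed sample listing (not taken from a real share).
sample_listing() {
    cat <<'EOF'
131073 4 drwxr-xr-x 3 root   root    4096 Jan 10 12:00 .
131075 4 -rw-rw-rw- 1 1001   1001     512 Jan 10 12:01 ./Web.config
131076 4 -rw-r----- 1 root   root    2048 Jan  9 09:30 ./backup/shadow.bak
131077 4 drwxrwxrwt 2 nobody nogroup 4096 Jan  8  2023 ./uploads
131078 0 lrwxrwxrwx 1 root   root       6 Jan  8  2023 ./current -> backup
131079 4 -rwxrwxrwx 1 1001   1001      90 Jan 10 12:05 ./deploy\ notes.txt
EOF
}

# Print type, mode, owner:group and path for every world-writable entry.
# Reads the listing from the file(s) given as arguments, or from stdin.
triage_listing() {
    awk '
        $3 ~ /^l/    { next }  # symlink mode bits are not enforced; ignore
        $3 ~ /^[bc]/ { next }  # device nodes print major,minor and shift columns
        NF < 11      { next }  # not a listing line
        substr($3, 9, 1) == "w" {
            # The path starts at field 11; rejoin pieces split on whitespace.
            path = $11
            for (i = 12; i <= NF; i++) path = path " " $i
            kind = ($3 ~ /^d/) ? "DIR" : "FILE"
            printf "%s\t%s\t%s:%s\t%s\n", kind, $3, $5, $6, path
        }
    ' "$@"
}

# Stand-alone demonstration on the constructed sample.
sample_listing | triage_listing
```

To run it against the file saved above, call triage_listing /tmp/nfs-share.dir. Numeric owners such as 1001 in the output are UIDs that have no matching account on the local machine.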