Source CTF and HTB Academy

  • TCP and UDP ports 2049 or 111

Network File System (NFS) is a network file system developed by Sun Microsystems. It serves the same purpose as SMB: accessing file systems over a network as if they were local. However, it uses an entirely different protocol.

Default configuration

  • cat /etc/exports



Read and write permissions.


Read only permissions.


Synchronous data transfer. (A bit slower)


Asynchronous data transfer. (A bit faster)


Ports above 1024 will not be used.


Ports above 1024 will be used.


This option disables the checking of subdirectory trees.


Assigns all permissions to files of root UID/GID 0 to the UID/GID of anonymous, which prevents root from accessing files on an NFS mount.

Dangerous settings

rw: Read and write permissions.


Ports above 1024 will be used.


If another file system was mounted below an exported directory, this directory is exported by its own exports entry.


All files created by root are kept with the UID/GID 0.
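
An added example (not part of the original notes): a small auditor that flags the dangerous settings listed above in an /etc/exports file. The option names insecure, nohide and no_root_squash are the standard exports(5) names matching the descriptions above; the sample file and the audit_exports function are constructed for illustration.

```python
import re

# Option names are from exports(5); the notes match the page's "Dangerous settings" list.
DANGEROUS = {
    "rw": "read and write permissions",
    "insecure": "ports above 1024 will be used",
    "nohide": "file system mounted below the export is exported too",
    "no_root_squash": "files created by root keep UID/GID 0",
}

# Constructed sample input, not taken from the page.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/srv/public  10.0.0.0/24(ro,sync,no_subtree_check)
/srv/backup  *(rw,sync,no_root_squash,insecure)
/mnt/nfs     10.0.0.5(rw,sync,root_squash) \\
             10.0.0.6(ro,nohide)
/srv/share   10.0.0.7 (rw)
"""

SPEC_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")

def audit_exports(text):
    """Return (path, client, sorted dangerous options) for every risky client spec."""
    findings = []
    text = text.replace("\\\n", " ")           # join continuation lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()            # assumes no quoted paths with spaces
        for spec in specs:
            m = SPEC_RE.match(spec)
            if not m:
                continue                       # malformed spec, skip it
            # A spec like "(rw)" after a space has no host: it applies to everyone.
            host, opts = m.group(1) or "*", (m.group(2) or "").split(",")
            hits = sorted(o for o in opts if o in DANGEROUS)
            if hits:
                findings.append((path, host, hits))
    return findings

if __name__ == "__main__":
    for path, host, hits in audit_exports(SAMPLE_EXPORTS):
        for opt in hits:
            print(f"{path} -> {host}: {opt} ({DANGEROUS[opt]})")
```

The last sample line shows a common mistake: the space before (rw) gives 10.0.0.7 the default options and grants rw to every client.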



  • sudo nmap -p111,2049 -sV -sC <target-ip>

  • sudo nmap --script "nfs*" -sV -p111,2049 <target-ip>

Mount an NFS service

  • sudo apt install nfs-common  # install showmount

  • showmount -e <target-ip>  # show available NFS shares

  • mkdir target-NFS  # create a directory to mount our target

  • Mount

    • sudo mount -t nfs <target-ip>:/<share> ./target-NFS/ -o nolock  # mount our target in our newly created dir

    • cd target-NFS

    • tree .

    • ls -l mnt/nfs/  # list contents with usernames and group names

    • ls -n mnt/nfs/  # list contents with UIDs and GIDs

  • Unmount

    • cd ..

    • sudo umount ./target-NFS

We can also use NFS for further escalation. For example, if we have access to the system via SSH and want to read files from another folder that a specific user can read, we would need to upload a shell to the NFS share that has the SUID of that user and then run the shell via the SSH user.
