NFS (Network File System): one of the file systems supported by FreeBSD; it allows computers on a network to share resources across TCP/IP networks.
NFS configuration (note: the following NFS experiments were done on Red Hat 7):
Install NFS first (my machine is a minimal install, so I need to install it myself):
yum install nfs-utils.x86_64 -y
Start the services:
systemctl start rpcbind (if this service is not started, the NFS service will fail to start)
systemctl start nfs-server
systemctl enable rpcbind; systemctl enable nfs-server (start at boot)
firewall-cmd --permanent --add-service=nfs (let the NFS service through the firewall)
firewall-cmd --permanent --add-service=rpc-bind (let the RPC service through; rpcinfo cannot scan if this is not enabled)
firewall-cmd --permanent --add-service=mountd (let the mountd service through; remote showmount does not work if this is not enabled)
firewall-cmd --reload
Configuration:
mkdir /pentest (create a shared directory)
vi /etc/exports
cat /etc/exports
/ *(rw,sync,no_root_squash) (note: the problem is here; the principle is explained later in the text)
exportfs -r (start sharing)
showmount -e (view the shares)
Client mount:
mount -t nfs <NFS server IP>:/ /tmp/test (mounted locally at /tmp/test)
Intrusion:
Scan for machines with NFS configuration errors: rpcinfo -p 192.168.119.131
View NFS mount information: showmount -e 192.168.119.131
With this information, we can mount the NFS share and transfer SSH persistent-connection files.
Summary: the vulnerability comes down to permissions, namely the permissions set in the /etc/exports file. We used root privileges above, which is how the server was compromised.
/etc/exports file format
<exported directory> [client 1 options (access rights, user mappings, others)] [client 2 options (access rights, user mappings, others)]
A. Exported directory: the directory that the NFS server shares with clients;
B. Client: a computer on the network that can access this exported directory
A host specified by IP address: 192.168.0.200
All hosts in a subnet: 192.168.0.0/24 or 192.168.0.0/255.255.255.0
A host specified by domain name: david.bsmart.cn
All hosts in a domain: *.bsmart.cn
All hosts: *
C. Options: set the access rights, user mappings, and so on for the exported directory.
Make the exported directory read-only: ro
Make the exported directory read/write: rw
D. User mapping options
all_squash: maps all ordinary users and groups accessing remotely to the anonymous user or group (nfsnobody);
no_all_squash: the opposite of all_squash (default setting);
root_squash: maps the root user and its group to the anonymous user or group (default setting);
no_root_squash: the opposite of root_squash;
anonuid=xxx: maps all remote users to the anonymous user and specifies that this user is the local user with uid=xxx;
anongid=xxx: maps all remote user groups to the anonymous group and specifies that this group is the local group with gid=xxx;
E. Other options
secure: restricts clients to connecting to the NFS server only from TCP/IP ports below 1024 (default setting);
insecure: allows clients to connect to the server from TCP/IP ports above 1024;
sync: writes data synchronously to the memory buffer and to disk; this is inefficient but guarantees data consistency;
async: saves data in the memory buffer first and writes it to disk when necessary;
wdelay: checks whether there are related write operations and, if so, performs them together, which improves efficiency (default setting);
no_wdelay: performs write operations immediately; should be used together with sync;
subtree_check: if the exported directory is a subdirectory, the NFS server checks the permissions of its parent directory (default setting);
no_subtree_check: even if the exported directory is a subdirectory, the NFS server does not check the permissions of its parent directory, which can improve efficiency;
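As an added example (not part of the original article), the Python sketch below parses exports text in the format described above and flags the settings this article identifies as the problem: no_root_squash, export to all hosts, and export of the root directory. The function names, finding labels and the /srv/data entry are assumptions made for illustration; quoted paths and line continuations are not handled.

```python
# Added example: audit /etc/exports text for the risky settings described above.
RISKY_OPTIONS = {"no_root_squash", "insecure"}

def parse_exports(text):
    """Return (directory, client, options) for every client entry."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        for token in fields[1:]:
            client, _, opts = token.partition("(")
            options = {o for o in opts.rstrip(")").split(",") if o}
            # A bare "(options)" token has no client, so it applies to all hosts.
            entries.append((fields[0], client or "*", options))
    return entries

def audit(text):
    """Return sorted (directory, client, finding) tuples."""
    findings = set()
    for directory, client, options in parse_exports(text):
        for opt in options.intersection(RISKY_OPTIONS):
            findings.add((directory, client, opt))
        if client == "*":
            findings.add((directory, client, "all_hosts"))
            if "rw" in options:
                findings.add((directory, client, "rw_all_hosts"))
        if directory == "/":
            findings.add((directory, client, "root_fs"))
    return sorted(findings)

# Constructed sample; the first entry is the export shown in this article.
# The last line has a space before "(rw)": the host gets default options
# and every other host gets rw.
SAMPLE = """\
/ *(rw,sync,no_root_squash)
/pentest 192.168.0.0/24(ro,sync) *.bsmart.cn(rw,insecure)
/srv/data 192.168.0.200 (rw)
"""

if __name__ == "__main__":
    for directory, client, finding in audit(SAMPLE):
        print(f"{directory:10} {client:16} {finding}")
```

An entry that names a specific client and keeps the default root_squash, such as /pentest 192.168.0.200(ro,sync), produces no findings.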
Things that are caused by improper NFS configuration