NFS Server Enumeration (Port 2049)


NFS server enumeration

Greetings readers! I am back with a fresh network-sec blog. In this article, I'll teach you the basic methodology to enumerate
Port 2049, i.e NFS. As a pentester, you'll often encounter misconfigured SMB and NFS servers, and thus it is essential to know how to enumerate them. For this post, we'll be focusing on NFS, which is a client/server system that allows users to access files over a network.


  • Introduction - NFS
  • Discovery
  • Listing The Shares
  • Mounting The Shares
  • More Enumeration!
  • EndNote

Introduction To NFS

NFS; or Network File System is a distributed File System Protocol, which was developed by Sun Microsystems in the year 1984. It allows a user on a client computer to access files over a computer network much like local storage is accessed.

NFS is designed for sharing files and folders between Linux/Unix systems. It allows you to mount your local file system over a network & remote hosts to interact with them as they are mounted locally on the same system.
NFS serves essentially the same purpose as SMB (Server Message Block).

Now that we have a basic understanding of what NFS is and how it works, we can proceed to enumerate it.

Discovering NFS Shares

Like always, the party will begin with a nmap scan, to discover all open ports and prepare an approach to enumerate and attack accordingly.

nmap -sV -Pn -T4 <TARGET_IP>

nfs server enumeration

Listing NFS Shares

Now that we have confirmed that a network file system is up and running, the next step is to find and list out all mountable shares on it. To achieve this purpose, we'll be utilizing the showmount utility in kali linux.

NOTE: If not pre-installed, you can install it with the following command (on a Debian based distro):

apt-get install nfs-common

Use the following command to list all mountable shares:

showmount -e <TARGET_IP>

NFS sever enumeration

The asterisk sign (*) indicates that everyone on the same network can access and mount this share.
If, however, you get a list of IP addresses or a CIDR range followed by the name of the share, that means only the device with that specific IP or range will have access to mount it.


port 2049 enumeration

Mounting The NFS Shares

Once we know what shares are available on the NFS, we can mount them onto our local system and enumerate them further.
To mount the shares, first, we need to make a directory where we will mount them.

mkdir <local_folder>

With this done, we'll mount the NFS share remotely into our machine with the following command:

mount -t nfs <IP>:<remote_folder> <local_folder>

NFS server enumeration

Now we've successfully mounted the share in our system, which can be accessed by navigating to the directory where we've mounted it.

Enumerating The Mounted Shares 

Time to enumerate more! Lets navigate around and see what we have found inside this share.

port 2049 enumeration

In this instance we have found the entire file system of the victim machine inside this share; which can be utilized in multiple ways to create an attack vector. One great example is to locate the .ssh folder. This folder contains the public and private SSH authentication keys. You can generate your own SSH key and append it into the authorized_key of the victim machine and then login via SSH and your own password.


That's all for this post, I assume you've learnt something new. If you encountered errors or ran into some trouble while following along, feel free to reach me out on Twitter, might as well follow me.

P.S comments are always welcomed!

Post a Comment

* Please Don't Spam Here. All the Comments are Reviewed by Admin.
Post a Comment (0)
Our website uses cookies to enhance your experience. Learn More
Accept !