NFS Enumeration using RPCScan and SuperEnum

Objectives: NFS Enumeration using RPCScan and SuperEnum

NFS Enumeration using RPCScan and SuperEnum – Full Notes

Lab: Perform NFS Enumeration using RPCScan and SuperEnum

1. Introduction

NFS Enumeration is the process of discovering and analyzing shared directories and services on systems that use the Network File System (NFS). NFS is commonly used in Linux and UNIX environments to allow multiple users and systems to share files over a network.

If NFS is misconfigured, sensitive files such as source code, documents, credentials, or backups may be accessible to unauthorized users. This lab teaches how attackers and penetration testers identify such weaknesses.

Scenario Context:

  • Organization: CodeStream Innovations
  • Security Firm: SecureProbe Analysts
  • Concern: Misconfigured NFS servers exposing proprietary source code and internal data

2. What is NFS (Network File System)?

NFS (Network File System) is a distributed file system protocol that allows users on a client computer to access files over a network as if they were stored locally.

NFS is commonly used for:

  • Sharing source code between developers
  • Centralized storage for teams
  • Backup and archive systems

Important NFS-related ports:

  • TCP/UDP 2049 – NFS service
  • TCP/UDP 111 – RPCBind / Portmapper
Real-Life Example:
NFS is like a shared office cabinet where all developers store and retrieve project files. If the cabinet is left unlocked, anyone in the building can access confidential documents.

3. What is RPC and Why is it Important?

RPC (Remote Procedure Call) allows programs to execute functions on another system remotely. NFS relies heavily on RPC services to function.

The RPCBind (Portmapper) service listens on port 111 and tells clients:

  • Which services are running
  • Which ports those services use

If RPC services are exposed, attackers can enumerate:

  • NFS shares
  • Mount services
  • Other internal services

4. Objectives of NFS Enumeration

  • Identify NFS-enabled systems
  • Discover shared directories (exports)
  • Check access permissions
  • Identify insecure configurations
  • Assess risk of data exposure

5. Information That Can Be Discovered

5.1 Exported Directories

These are folders shared by the NFS server to other systems.

Why it matters:

  • May contain sensitive source code
  • May allow read or write access
Example:
A shared directory named /projects/source_code could contain the entire company’s intellectual property.

5.2 Client Access Rules

NFS exports may allow access to:

  • Specific IP addresses
  • Entire subnets
  • Everyone (very dangerous)
Real-Life Example:
Allowing * (everyone) access is like letting anyone on the street enter your office storage room.

5.3 Read/Write Permissions

Some shares allow full read and write access.

Risks:

  • Source code modification
  • Malware injection
  • Backdoor insertion

5.4 UID and GID Trust Issues

NFS trusts user IDs (UIDs) instead of usernames. Attackers can create local users with matching UIDs to gain access.

Real-Life Example:
If two people share the same ID card number, security cannot distinguish between them.

6. Tools Used in This Lab

6.1 RPCScan

RPCScan is used to enumerate RPC services running on a target system. 

rpcscan 
rpcscan 192.168.1.100

What it reveals:

  • RPC services
  • Service versions
  • Associated ports

6.2 SuperEnum

SuperEnum is an advanced enumeration tool that automates discovery of:

  • NFS exports
  • RPC services
  • Mount points
superenum -t nfs -i 
superenum -t nfs -i 192.168.1.100

SuperEnum combines multiple enumeration techniques, making it efficient for large environments.

7. Sample Enumeration Workflow

Step 1: Identify RPC Services

rpcscan 192.168.1.100

Step 2: Identify NFS Exports

showmount -e 192.168.1.100

Step 3: Use SuperEnum for Full Enumeration

superenum -t nfs -i 192.168.1.100

Step 4: Mount Discovered Share (If Authorized)

mount -t nfs 192.168.1.100:/shared /mnt/nfs

8. Importance of NFS Enumeration in Cybersecurity

  • Reveals exposed intellectual property
  • Prevents data leaks
  • Protects source code and documentation
  • Helps organizations comply with security standards

9. Best Practices for Securing NFS

  • Restrict NFS access to specific IPs
  • Use read-only permissions where possible
  • Disable root access (no_root_squash)
  • Monitor NFS logs
  • Segment NFS servers from public networks

10. Conclusion

NFS Enumeration using RPCScan and SuperEnum is a critical skill for understanding file-sharing security in Linux environments. Misconfigured NFS servers can expose sensitive source code, documents, and credentials. By mastering this lab, students gain practical knowledge in identifying, assessing, and securing file-sharing infrastructure in real-world organizations.

This lab reinforces the importance of proper configuration, access control, and continuous monitoring of internal services.

Reference Book: N/A

Author name: SIR H.A.Mwala Work email: biasharaboraofficials@gmail.com
#MWALA_LEARN Powered by MwalaJS #https://mwalajs.biasharabora.com
#https://educenter.biasharabora.com

:: 1::

β¬… ➑