Showmount




Using rpcinfo, you might be able to find a vulnerable NFS rpc.statd application to exploit. But why go to all that trouble if the victim’s NFS is already misconfigured to begin with?

Some system administrators are careless with the NFS file systems they export. Some will even unknowingly export their file systems with full read/write permissions, just waiting for a hacker on the Internet to discover them. The showmount command lets us see what file systems are available on a particular NFS server.

Implementation

This command shows all the currently mounted directories on the NFS server as well as the hostnames of the clients that have mounted them:

showmount -a hostname 

The -d flag is similar to -a, but it does not list the client hostnames:

showmount -d hostname

The most popular form of the command uses the -e flag, which shows the mount points that are exported and available for mounting over NFS:

showmount -e hostname

Sample Output

Here’s what happens when we run showmount -e originix:

Export list for 192.168.1.100:
/     (everyone)
/boot (everyone)

For the benefit of this example, we’ve carelessly exported all of our files so anyone in the world can mount our root and boot partitions. We can mount either of these exports to a local mount point on our system by issuing the command mount 192.168.1.100:/boot /path/to/remote-boot. This will map the directory /path/to/remote-boot on our system to the /boot directory on 192.168.1.100. Unfortunately, we won’t know if the access is read-only or read/write until we mount the share, but we’ve got access nonetheless. If we see a hostname or IP address in the output instead of "everyone," it might be a little trickier as we’d need to find a way to spoof that hostname or IP address.

Caution 

Be careful using NFS. If you carelessly export a drive to the world and give read/write access to all, anyone in the world who finds your export will be able to write whatever he wants to your drive and image a copy for himself. In almost all cases, exported file systems should never be mountable with read and write permissions without some kind of access control. NFS traffic should be blocked at the firewall to limit the number of people poking around your exports. If you really need the ability to share remote file systems across the Internet, AFS provides a great deal more security.
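
To check your own servers for the condition shown in the sample output, the following added example (not from the original book) filters showmount -e output for exports that any client may mount. It assumes the two-column layout shown above and treats both "(everyone)" and a bare "*" in the client column as open; the function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Flag NFS exports that any client may mount, based on `showmount -e` output.
# Intended use on your own servers:  showmount -e nfs-server | world_exports

# world_exports: read `showmount -e` output on stdin and print the path of
# every export whose client list is open to all hosts.
world_exports() {
    awk '
        /^Export list for / { next }   # skip the header line
        NF == 0             { next }   # skip blank lines
        {
            # The last field is the comma-separated client list;
            # everything before it is the exported path.
            clients = $NF
            path = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", path)

            # Assumption: "(everyone)" or a bare "*" means no client restriction.
            # A pattern such as "*.lab.example" is a restriction and is not flagged.
            n = split(clients, c, ",")
            for (i = 1; i <= n; i++) {
                if (c[i] == "(everyone)" || c[i] == "*") {
                    print path
                    break
                }
            }
        }
    '
}

# Constructed sample: the output shown on this page plus two restricted
# exports added here to show what is left alone.
SAMPLE='Export list for 192.168.1.100:
/     (everyone)
/boot (everyone)
/home 192.168.1.20,192.168.1.21
/srv/build *.lab.example'

# Prints the two world-mountable exports: / and /boot
printf '%s\n' "$SAMPLE" | world_exports
```

An export that passes this check can still be writable by the listed clients, so the server's export options need a separate review.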






Anti-Hacker Tool Kit
Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
EAN: 2147483647
Year: 2004
Pages: 189
