Re: [NSE] nfs-ls script feedbacks, was: [nmap-svn] r17816 - nmap-exp/djalal/scripts

[Patrik Karlsson <patrik () cqure net>]

On 13 jun 2010, at 03.27, Djalal Harouni wrote:

> Hi Richard,
>
> First sorry for the delay, I've merged the script you can update your
> svn copy (r18083 and r18084).
>
> The new output of the script:
> -- PORT    STATE SERVICE
> -- 111/tcp open  rpcbind
> -- | nfs-ls:
> -- |   Arguments:
> -- |     maxfiles: 10 (file listing output limited)  time: mtime
> -- |
> -- |      PERMISSION  UID   GID   SIZE     DATE              FILENAME
> -- |
> -- | NFS: drwxrwxrwx  0     0     4096     2010-06-12 12:55  /tmp
> -- |      srwxr-xr-x  0     0     0        2010-06-12 11:34  wpa_ctrl_22880-1
> -- |
> -- | NFS: drwxr-xr-x  1000  100   4096     2010-06-11 22:31  /home/storage/backup
> -- |      -rw-r--r--  1000  1002  0        2010-06-10 08:34  filetest
> -- |      drwx------  1000  100   16384    2010-02-05 17:05  lost+found
> -- |      drwxrwxr-x  1000  100   4096     2010-06-11 19:08  net_packet
> -- |      -rw-r--r--  0     0     5        2010-06-10 11:32  rootfile
> -- |_     lrwxrwxrwx  1000  1002  8        2010-06-10 08:34  symlink
>
> Changes:
> o Default time is mtime (modified time)
> o A new argument: nfs-ls.human to show the files size in the human
> readable format.
> o The output is formated in tables thx to the tab library.

I just did a quick test of the script and it looks great! Nice work!

> On 2010-06-10 14:23:54 -0500, Richard Miles wrote:
> > Hello
> >
> > Very interesting this plugin. Is it part of the safe plugin? I mean,
> > if I just call nmap -sC ip it will be executed?
> > From the nmap page the -sC is equivalent to --script=default (default
> category), this script is in the "discovery" and "safe" categories but
> not in the default one, because:
> - Verbosity: it can produce lot of output.
> - Intrusiveness: trying to enumerate NFS shares for each host on the
>  network can be seen as an attack.
> I think that this script should not be in the default category, it can
> use lot of NFS procedures.
>
> > Talking about NFS I have a security doubt for a long time, maybe
> > someone can clarify it for me.
> >
> > On NFS, if there is a exported directory to everyone we can access it,
> > and if there are files of other users we can use this trick to bypass
> > it
> >
> > http://www.vulnerabilityassessment.co.uk/nfs.htm
> Well, first you need to know that NFS has some security options.
> It's true that NFS Server bases it's acls on the uid and gid provided by
> the client and this is the point of NFS, and yes the "su - user" trick works.
>
> Here are some NFS options:
> -  ro (readonly): even if it is the same uid on the server/client the file system
> will be exported readonly and we can write to it.
> -  root_squash: to map uid 0 (root) of the client to the anonymous uid on the
>   server.
> -  all_squash: to map every uid to the nobody uid on the server.
> - anonuid, anongid: to specify the uid/gid of the anonymous user, but in
>  another hand you are allowing read/write access to this uid/gid.
>
> > But in a few cases, you see a exported directory to everyone and you
> > mount it, but when you try list (ls) it says "access denied". There is
> > something that can be done in this cases to bypass this restriction?
> perhaps you must check your uid/gid (client) and the permissions of the
> directory in the server that you want to list.
>
> You can check the exports manual: "man exports"
>
> Feedbacks are always welcome, thx.

If the server is running NFSv4 with kerberos authentication you would see this behavior. In those cases bypassing is 
not as simple.
In addition to the options in the export file, access to portmap, nfs and it's subprograms can be blocked in the 
hosts.deny file.

//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77





_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/