Unmasking NFS & DNS: Recon Tactics Unveiled Now
When it comes to network reconnaissance and exploitation, two services often overlooked yet brimming with potential are Network File System (NFS) and Domain Name System (DNS). Both are staples in many environments, yet they can be mis-configured in ways that expose sensitive data or provide footholds for attackers. Let us dissect a systematic approach to probing these services, complete with actionable insights and technical details.
Unpacking NFS: Gaining Access to Shared Resources
NFS is widely used for sharing files across systems in Unix/Linux environments, but its improper configuration can lead to significant security risks. Here, we focus on how to enumerate and exploit an NFS share exposed on ports 111 (rpcbind/portmapper) and 2049 (nfsd).
Step 1: Initial Enumeration
Start by identifying the services running on the target system:
sudo nmap 10.129.14.128 -p111,2049 -sV -sC
This command scans for open ports, probes service versions (-sV), and runs default scripts (-sC). If NFS is detected, you can dig deeper using the NFS-specific scripts:
sudo nmap --script nfs* 10.129.14.128 -sV -p111,2049
Step 2: Exported Shares
Once NFS is confirmed as active, use showmount to list exported directories:
showmount -e 10.129.14.128
This reveals which directories are exported and which client hosts or networks are permitted to mount each one.
Step 3: Mounting the Share
If an exported directory is identified, mount it locally for inspection:
mkdir target-NFS
sudo mount -t nfs 10.129.14.128:/ ./target-NFS/ -o nolock
cd target-NFS
The nolock option disables client-side NFS file locking, which avoids mount failures when the server's lock manager (NLM) is not reachable.
Step 4: Exploring the Share
Once mounted, analyse the directory structure and permissions:
tree .
ls -l mnt/nfs/
ls -n mnt/nfs/
Look for sensitive files or directories that could provide valuable information or further access. The numeric output of ls -n matters here: with the default sec=sys authentication, the NFS server evaluates permissions against the client's numeric UID and GID rather than against usernames, so the owner IDs shown tell you which local account would be granted access.
Step 5: Clean Up
After completing your reconnaissance or exploitation, unmount the share to avoid leaving traces:
sudo umount ./target-NFS
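The following is an added example, not code from the original article, that turns steps 2 and 4 into a repeatable check from the server side: it parses the /etc/exports syntax and the `showmount -e` listing and flags exports that any host can mount, that are writable by any host, or that disable root squashing. All exports, hosts and paths in the sample input are constructed placeholders.

```python
"""Flag risky NFS exports (added example; constructed sample input)."""
import re
from dataclasses import dataclass, field

# Constructed /etc/exports content; hosts and paths are placeholders.
SAMPLE_EXPORTS = """\
# /etc/exports: NFS access control list (constructed sample)
/mnt/nfs        10.129.14.0/24(rw,sync,no_subtree_check)
/srv/backup     *(rw,sync,no_root_squash)
/home/shared    192.0.2.10(ro,sync) 192.0.2.11(rw,sync)
/var/www        *(ro,sync,root_squash)
"""

# Constructed `showmount -e` output in the format step 2 produces.
SAMPLE_SHOWMOUNT = """\
Export list for 10.129.14.128:
/mnt/nfs    10.129.14.0/24
/srv/backup *
/home/shared 192.0.2.10,192.0.2.11
"""

@dataclass
class ExportEntry:
    path: str
    client: str                      # host, network, wildcard or netgroup
    options: list = field(default_factory=list)

@dataclass
class Finding:
    path: str
    client: str
    issues: list = field(default_factory=list)

# A client spec is "host(opt,opt)" or a bare host; '(' cannot be part of a host.
_CLIENT_RE = re.compile(r"([^\s(]+)(?:\(([^)]*)\))?")

def parse_exports(text):
    """Parse /etc/exports into one ExportEntry per (path, client) pair."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        path, clients = parts
        for host, opts in _CLIENT_RE.findall(clients):
            options = [o.strip() for o in opts.split(",") if o.strip()]
            entries.append(ExportEntry(path, host, options))
    return entries

def parse_showmount(text):
    """Parse `showmount -e` output; export options are not visible from the client."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].startswith("/"):
            continue                                # skips the "Export list for" header
        path, clients = parts
        for host in clients.split(","):
            entries.append(ExportEntry(path, host.strip()))
    return entries

def audit(entries):
    """Return a Finding for every entry with a risky client spec or option."""
    findings = []
    for e in entries:
        issues = []
        any_host = e.client == "*"
        if any_host:
            issues.append("mountable from any host (client spec '*')")
        if any_host and "rw" in e.options:
            issues.append("writable by any host")
        if "no_root_squash" in e.options:
            issues.append("no_root_squash: remote root keeps UID 0 on the server")
        if "insecure" in e.options:
            issues.append("insecure: accepts requests from unprivileged source ports")
        if issues:
            findings.append(Finding(e.path, e.client, issues))
    return findings

if __name__ == "__main__":
    for f in audit(parse_exports(SAMPLE_EXPORTS)) + audit(parse_showmount(SAMPLE_SHOWMOUNT)):
        print(f"{f.path} [{f.client}]: " + "; ".join(f.issues))
```

Run against a real /etc/exports on the server, or against saved `showmount -e` output from the client, to get the same export list the enumeration step reveals, annotated with why each entry is a risk.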
DNS Reconnaissance: Mapping the Network
DNS is the cornerstone of modern networks, translating human-readable domain names into IP addresses. However, misconfigurations like open zone transfers can expose a treasure trove of information about internal infrastructure.
Step 1: Configuration Files
Start by reviewing DNS configuration files if you have access:
cat /etc/bind/named.conf.local
cat /etc/bind/db.domain.com
These files often reveal domain names, sub-domains, and other critical details.
Step 2: Basic Queries
Use dig to query specific records from the DNS server:
dig ns inlanefreight.htb @10.129.14.128
dig CH TXT version.bind @10.129.120.85
The first command retrieves the name server (NS) records for the zone. The second queries the CHAOS-class TXT record version.bind, which BIND answers with its version string unless the administrator has overridden it with the version option; a disclosed version is a potential vulnerability indicator, since it can be matched against publicly known issues for that release.
Step 3: Zone Transfers
A mis-configured DNS server may allow unauthorised zone transfers, exposing all its records:
dig axfr inlanefreight.htb @10.129.14.128
dig axfr internal.inlanefreight.htb @10.129.14.128
Zone transfers provide a complete view of DNS records, including internal domains and sub-domains.
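Steps 1 and 3 meet in the configuration: whether `dig axfr` succeeds is decided by the allow-transfer setting of each zone. The following is an added example, not code from the original article, that reads the text of named.conf.local (plus an options block if one is present) and reports each zone's effective transfer policy. The configuration below is constructed; the zone names reuse the article's inlanefreight.htb, and the file paths and secondary address 10.129.14.129 are placeholders.

```python
"""Report the effective allow-transfer policy of each BIND zone (added example)."""
import re

# Constructed named.conf content; paths and the secondary address are placeholders.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/cache/bind";
    allow-transfer { none; };      // global default for the zones below
};

zone "inlanefreight.htb" {
    type master;
    file "/etc/bind/db.inlanefreight.htb";
    allow-transfer { any; };       # anyone may AXFR this zone
};

zone "internal.inlanefreight.htb" IN {
    type master;
    file "/etc/bind/db.internal.inlanefreight.htb";
    allow-transfer { 10.129.14.129; };   /* secondary only */
};

zone "dev.inlanefreight.htb" {
    type master;
    file "/etc/bind/db.dev.inlanefreight.htb";
};
"""

_ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"[^{]*\{')
_OPTIONS_RE = re.compile(r'\boptions\s*\{')
_XFER_RE = re.compile(r'\ballow-transfer\s*\{([^}]*)\}')

def _strip_comments(text):
    """Remove the three comment styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def _block_body(text, open_idx):
    """Text between the brace at open_idx and its matching closing brace."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in configuration")

def _transfer_acl(body):
    """Return the allow-transfer address list inside a block, or None if unset."""
    m = _XFER_RE.search(body)
    if not m:
        return None
    return [x.strip() for x in m.group(1).split(";") if x.strip()]

def classify(acl):
    """Reduce an address list to one of: unset, closed, open, restricted."""
    if acl is None:
        return "unset"
    if "none" in acl:
        return "closed"
    if "any" in acl:
        return "open"
    return "restricted"

def audit_named_conf(text):
    """Map zone name -> effective policy: zone setting, else the global one, else unset."""
    text = _strip_comments(text)
    global_acl = None
    m = _OPTIONS_RE.search(text)
    if m:
        global_acl = _transfer_acl(_block_body(text, m.end() - 1))
    result = {}
    for zm in _ZONE_RE.finditer(text):
        zone_acl = _transfer_acl(_block_body(text, zm.end() - 1))
        result[zm.group(1)] = classify(zone_acl if zone_acl is not None else global_acl)
    return result

def zones_needing_review(text):
    """Zones open to any host, or with no allow-transfer set anywhere (server default applies)."""
    return sorted(z for z, p in audit_named_conf(text).items() if p in ("open", "unset"))

if __name__ == "__main__":
    for zone, policy in audit_named_conf(SAMPLE_NAMED_CONF).items():
        print(f"{zone}: {policy}")
```

A zone reported as "unset" falls back to the running BIND release's built-in default, which on older releases permits transfers to any host, so it belongs in the review list alongside the explicitly open ones.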
Step 4: Sub-domain Enumeration
Leverage tools like dnsenum to automate sub-domain discovery:
dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 \
-o subdomains.txt \
-f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb
This approach systematically probes for sub-domains using a wordlist.
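Each of the DNS techniques above leaves a distinctive trace in the server's query log, which is how a defender would spot them. The following is an added example, not code from the original article, that reads BIND-style query-log lines and raises an alert for AXFR requests (step 3), CH TXT version.bind probes (step 2), and a single client resolving an unusually large number of distinct names (the wordlist enumeration of step 4). The log lines are constructed in BIND's query-log layout; the client addresses 10.129.14.200 and 10.129.14.50 and the brute-forced names are placeholders.

```python
"""Detect zone-transfer, version-probe and brute-force patterns in a BIND query log
(added example; constructed log lines)."""
import re
from collections import defaultdict

# Matches the `client <addr>#<port> (<name>): query: <qname> <class> <type>` part
# of a BIND query-log line; the "@0x..." pointer newer versions print is optional.
_QLOG_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<src>[^\s#]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

def _line(src, qname, qclass, qtype):
    """Build one constructed query-log line in BIND's layout."""
    return (f"16-Jan-2025 10:00:01.000 client @0x7f3c9c0a1b20 {src}#51234 "
            f"({qname}): query: {qname} {qclass} {qtype} -E(0)K (10.129.14.128)")

# Constructed sample: one client runs the article's recon steps, another makes a normal lookup.
SAMPLE_LOG = [
    _line("10.129.14.200", "inlanefreight.htb", "IN", "NS"),
    _line("10.129.14.200", "version.bind", "CH", "TXT"),
    _line("10.129.14.200", "inlanefreight.htb", "IN", "AXFR"),
    _line("10.129.14.200", "internal.inlanefreight.htb", "IN", "AXFR"),
    _line("10.129.14.50", "www.inlanefreight.htb", "IN", "A"),
    "16-Jan-2025 10:00:02.000 zone inlanefreight.htb/IN: loaded serial 2025011601",  # unrelated line
] + [_line("10.129.14.200", f"{w}.inlanefreight.htb", "IN", "A")
     for w in ("mail", "vpn", "dev", "test", "api") + tuple(f"host{i}" for i in range(25))]

def parse_query_log(lines):
    """Return one dict per recognised query line; other log lines are ignored."""
    return [m.groupdict() for m in map(_QLOG_RE.search, lines) if m]

def detect(lines, bruteforce_threshold=25):
    """Return (kind, source, detail) tuples for each suspicious pattern found."""
    alerts = []
    names_by_client = defaultdict(set)
    for q in parse_query_log(lines):
        qname = q["qname"].lower().rstrip(".")
        qclass, qtype = q["qclass"].upper(), q["qtype"].upper()
        if qtype == "AXFR":
            alerts.append(("zone-transfer-request", q["src"], qname))
        elif qclass == "CH" and qtype == "TXT" and qname == "version.bind":
            alerts.append(("version-probe", q["src"], qname))
        else:
            names_by_client[q["src"]].add(qname)
    # Many distinct names from one client is the signature of wordlist enumeration.
    for src, names in sorted(names_by_client.items()):
        if len(names) >= bruteforce_threshold:
            alerts.append(("subdomain-bruteforce", src, f"{len(names)} distinct names"))
    return alerts

if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOG):
        print(f"{kind:22} {src:15} {detail}")
```

The threshold is per run of the log you feed in; for continuous monitoring, apply it per time window so a large legitimate resolver is not mistaken for an enumeration run.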
Conclusion: The Devil’s in the Details
Both NFS and DNS offer indispensable functionality in networked environments but can become liabilities when improperly secured. By methodically enumerating these services using tools like nmap, showmount, dig, and dnsenum, you can uncover vulnerabilities that might otherwise go unnoticed.
Whether you are a penetration tester or a system administrator shoring up defences, understanding these techniques is critical for staying ahead of potential attackers. Remember, security is only as strong as its weakest link, and with services like NFS and DNS those links are often hiding in plain sight.