{"id":226,"date":"2025-01-26T00:00:00","date_gmt":"2025-01-25T23:00:00","guid":{"rendered":"https:\/\/kosokoking.com\/?p=226"},"modified":"2025-01-24T19:53:59","modified_gmt":"2025-01-24T18:53:59","slug":"unmasking-nfs-dns-recon-tactics-unveiled-now","status":"publish","type":"post","link":"https:\/\/kosokoking.com\/index.php\/security\/unmasking-nfs-dns-recon-tactics-unveiled-now\/","title":{"rendered":"Unmasking NFS & DNS: Recon Tactics Unveiled Now"},"content":{"rendered":"\n

When it comes to network reconnaissance and exploitation, two services often overlooked yet brimming with potential are Network File System (NFS)<\/strong> and Domain Name System (DNS)<\/strong>. Both are staples in many environments, yet they can be mis-configured in ways that expose sensitive data or provide footholds for attackers. Let us dissect a systematic approach to probing these services, complete with actionable insights and technical details.<\/p>\n\n\n\n

Unpacking NFS: Gaining Access to Shared Resources<\/strong><\/h2>\n\n\n\n

NFS is widely used for sharing files across systems in Unix\/Linux environments, but its improper configuration can lead to significant security risks. Here, we focus on how to enumerate and exploit an NFS share exposed on ports 2049 and 111.<\/p>\n\n\n\n

Step 1: Initial Enumeration<\/strong><\/h3>\n\n\n\n

Start by identifying the services running on the target system:<\/p>\n\n\n\n

sudo nmap 10.129.14.128 -p111,2049 -sV -sC<\/code><\/pre>\n\n\n\n
This command scans for open ports, probes service versions (-sV<\/code>), and runs default scripts (-sC<\/code>). If NFS is detected, you can dig deeper using specialised scripts:<\/p>\n\n\n\n
sudo nmap --script nfs* 10.129.14.128 -sV -p111,2049<\/code><\/pre>\n\n\n\n
Step 2: Exported Shares<\/strong><\/h3>\n\n\n\n
Once NFS is confirmed as active, use showmount to list exported directories:<\/p>\n\n\n\n
showmount -e 10.129.14.128<\/code><\/pre>\n\n\n\n
This reveals which directories are shared and accessible.<\/p>\n\n\n\n
Step 3: Mounting the Share<\/strong><\/h3>\n\n\n\n
If an exported directory is identified, mount it locally for inspection:<\/p>\n\n\n\n
mkdir target-NFS<\/code><\/pre>\n\n\n\n
sudo mount -t nfs 10.129.14.128:\/ .\/target-NFS\/ -o nolock<\/code><\/pre>\n\n\n\n
cd target-NFS<\/code><\/pre>\n\n\n\n
The nolock option bypasses file-locking issues that might arise during the mount process.<\/p>\n\n\n\n
Step 4: Exploring the Share<\/strong><\/h3>\n\n\n\n
Once mounted, analyse the directory structure and permissions:<\/p>\n\n\n\n
tree .<\/code><\/pre>\n\n\n\n
ls -l mnt\/nfs\/<\/code><\/pre>\n\n\n\n
ls -n mnt\/nfs\/<\/code><\/pre>\n\n\n\n
Look for sensitive files or directories that could provide valuable information or further access.<\/p>\n\n\n\n
Step 5: Clean Up<\/strong><\/h3>\n\n\n\n
After completing your reconnaissance or exploitation, unmount the share to avoid leaving traces.<\/p>\n\n\n\n
sudo umount .\/target-NFS<\/code><\/pre>\n\n\n\n
DNS Reconnaissance: Mapping the Network<\/strong><\/h2>\n\n\n\n
DNS is the cornerstone of modern networks, translating human-readable domain names into IP addresses. However, misconfigurations like open zone transfers can expose a treasure trove of information about internal infrastructure.<\/p>\n\n\n\n
Step 1: Configuration Files<\/strong><\/h3>\n\n\n\n
Start by reviewing DNS configuration files if you have access:<\/p>\n\n\n\n
cat \/etc\/bind\/named.conf.local<\/code><\/pre>\n\n\n\n
cat \/etc\/bind\/db.domain.com<\/code><\/pre>\n\n\n\n
These files often reveal domain names, sub-domains, and other critical details.<\/p>\n\n\n\n
Step 2: Basic Queries<\/strong><\/h3>\n\n\n\n
Use\u00a0dig<\/code>\u00a0to query specific records from the DNS server:<\/p>\n\n\n\n
dig ns inlanefreight.htb @10.129.14.128<\/code><\/pre>\n\n\n\n
dig CH TXT version.bind @10.129.120.85<\/code><\/pre>\n\n\n\n
The first command retrieves name server (NS) records, while the second attempts to extract the DNS server\u2019s version\u2014a potential vulnerability indicator.<\/p>\n\n\n\n
Step 3: Zone Transfers<\/strong><\/h3>\n\n\n\n
A mis-configured DNS server may allow unauthorised zone transfers, exposing all its records:<\/p>\n\n\n\n
dig axfr inlanefreight.htb @10.129.14.128<\/code><\/pre>\n\n\n\n
dig axfr internal.inlanefreight.htb @10.129.14.128<\/code><\/pre>\n\n\n\n
Zone transfers provide a complete view of DNS records, including internal domains and sub-domains.<\/p>\n\n\n\n
Step 4: Sub-domain Enumeration<\/strong><\/h3>\n\n\n\n
Leverage tools like dnsenum to automate Sub-domain discovery:<\/p>\n\n\n\n
dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 \\<\/code><\/pre>\n\n\n\n
-o subdomains.txt \\<\/code><\/pre>\n\n\n\n
-f \/opt\/useful\/SecLists\/Discovery\/DNS\/subdomains-top1million-110000.txt inlanefreight.htb<\/code><\/pre>\n\n\n\n
This approach systematically probes for sub-domains using a wordlist.<\/p>\n\n\n\n
Conclusion: The Devil\u2019s in the Details<\/strong><\/h2>\n\n\n\n
Both NFS and DNS offer indispensable functionality in networked environments but can become liabilities when improperly secured. By methodically enumerating these services using tools like\u00a0nmap,\u00a0showmount,\u00a0dig, and\u00a0dnsenum, you can uncover vulnerabilities that might otherwise go unnoticed.<\/p>\n\n\n\n
Whether you are a penetration tester or a system administrator shoring up defences, understanding these techniques is critical for staying ahead of potential attackers. Remember, security is only as strong as its weakest link and with services like NFS and DNS, those links are often hiding in plain sight.<\/p>\n\n\n\n
    <\/ol>\n","protected":false},"excerpt":{"rendered":"
    Discover how to securely mount NFS shares, conduct DNS zone transfers, and uncover subdomains in plain sight. Strengthen your defense now. Boost security now!!!<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[177,174,176,52,173,95,162,178,172,175],"class_list":["post-226","post","type-post","status-publish","format-standard","hentry","category-security","tag-cybersecurity-best-practices","tag-dns","tag-enumeration","tag-network-security","tag-nfs","tag-nmap","tag-penetration-testing","tag-subdomain-enumeration","tag-vulnerability-assessment","tag-zone-transfers"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts\/226","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/comments?post=226"}],"version-history":[{"count":1,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts\/226\/revisions"}],"predecessor-version":[{"id":227,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts\/226\/revisions\/227"}],"wp:attachment":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/media?parent=226"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/categories?post=226"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/tags?post=226"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}