Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NFS scripts fail to detect unrestricted NFS shares #1469

Open
cnotin opened this Issue Feb 11, 2019 · 0 comments

Comments

Projects
None yet
1 participant
@cnotin
Copy link

cnotin commented Feb 11, 2019

I've scanned several servers with unrestricted NFS shares exposed. Most of the time I get interesting results (unrestricted shares) from nmap but more and more I notice that nmap fails to detect some shares (= empty result).
Here is an example of the command I often use:
nmap -p 111 --open --script=nfs-showmount,nfs-ls <ip>

Contrary to showmount -e <ip>, or a Nessus scan, which correctly list the available shares.

I've captured the network trafic in both cases.
The sequence I see is:

  • nmap:
  1. RPC V2 DUMP call to TCP/111
  2. Server doesn't answer
  3. Nmap retry a second time
  • showmount:
  1. RPC V4 GETADDR call for program "MOUNT" to TCP/111
  2. Server answers
  3. Same with V3
  4. RPC V2 GETPORT call for program "MOUNT"
  5. Server answers with the port
  6. RPC V3 EXPORT call for program "MOUNT" to the port obtained just before

I don't have a code contribution yet but I wanted to raise this issue which can create false negatives.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.