Recently, while performing a network-level penetration test for one of our clients, I came across a vulnerability that was used to compromise almost all the systems in scope. In this article, we will learn how to exploit a weakly configured NFS share to gain access to a remote host, followed by privilege escalation.
Network File System (NFS): NFS allows remote hosts to mount file systems or directories over a network. An NFS server exports a directory, which can then be mounted on a remote Linux machine. This allows data to be shared centrally with all the machines on the network.
For the demo purpose, I am using Metasploitable in this article. Download the Metasploitable VM from http://sourceforge.net/projects/metasploitable/files/Metasploitable2/metasploitable-linux-2.0.0.zip/download
Set it up and run the VM. Enter “msfadmin” as both username and password when prompted to log in. Note the IP address of the hosted machine by running the “ifconfig” command. To simulate the exact scenario, I have modified the exported directory from “/” (root) to “/home” in the “/etc/exports” file. This file contains the NFS export configuration. After making the change, run the following command to restart the NFS service:
sudo /etc/init.d/nfs-kernel-server restart
Now, let’s start our Kali Linux machine to perform the penetration testing.
Step 1: Start with nmap service fingerprint scan on the IP address of the hosted machine:
nmap -sV 192.168.100.25
Step 2: The port scan result shows that port 2049 is open and the nfs service is running on it.
Step 3: Check if any share is available for mount using showmount tool in Kali:
showmount -e 192.168.100.25
The “home” directory is mountable. Note the asterisk sign in front of /home, which means every machine on the network is allowed to mount the /home folder of this machine. If you see any IP address or IP range defined in front of the directory, that means only the machine with that specific IP or range is allowed to mount the directory which is a good security practice.
Step 4: Create a new directory under the /tmp folder of Kali and run the following command to mount the remote home directory onto this newly created directory:
mkdir /tmp/infosec
mount -t nfs 192.168.100.25:/home /tmp/infosec
mount: mounts a file system or directory
-t: specifies the type of file system to mount; here the nfs type must be used
192.168.100.25:/home: the /home directory exported by the host 192.168.100.25
/tmp/infosec: the local directory on which the remote /home directory is mounted
Once the command is executed, the following command can be used to check the directory mount:
df -k
Step 5: Navigate to the /tmp/infosec directory and list its contents. The contents listed are from the /home folder of the remote host.
Step 6: Navigate to any user directory and locate the .ssh folder. This folder contains the public key, private key and authorized_keys file used for SSH login by that specific user.
Step 7: The approach here will be to create our own SSH key pair and append the newly created public key to the authorized_keys file of the victim user. We can then log into the remote host as the victim user using our own private key.
To create an SSH key pair, we will use the ssh-keygen command on our attacking machine, i.e., Kali Linux. Follow the steps on screen, provide the file path and passphrase. We can keep the passphrase blank by simply hitting the “Enter” button of the keyboard.
Once the command has completed, navigate to the file path you provided above and check the contents of the public key file.
Step 8: Navigate to the /tmp/infosec/msfadmin/.ssh folder and append the newly created public key to the authorized_keys file of the msfadmin user:
echo "<content of newly generated public key>" >> authorized_keys
Step 9: SSH into the remote host from the Kali machine with user msfadmin and provide the path to the private key.
ssh -i infosec_rsa msfadmin@10.0.50.58
-i: path to the private key
msfadmin@10.0.50.58: username msfadmin on host IP 10.0.50.58 (the IP has changed because the VM was restarted)
Since we created a key pair without a passphrase and modified the “authorized_keys” file of the msfadmin user, we are logged into the system without being asked for a password.
Step 10: We have now gained low-privilege user access to the target machine, and our objective is to escalate our privileges to the root user. There are multiple ways to escalate privileges on Linux, such as exploiting an unpatched kernel-level vulnerability, weak security configurations, weak permissions on files owned by the root user, passwords stored in the file system, password reuse, etc. In this article, we will see how a weakly configured NFS export can lead us to elevated privileges.
Step 11: Create a C file as given below and compile it using GCC on the Kali machine:
gcc root.c -o rootme
This compiles the C file into an executable binary.
Step 12: Copy the compiled binary to the msfadmin directory in NFS share. Set the SUID bit using the following command:
chmod 4755 rootme
Why set the SUID bit on this file? When a file with the SUID bit set is run by any user, the process executes with the rights of the owner of the file.
Step 13: List the content of msfadmin directory by using ls -al command. Observe the “rootme” file is owned by the root user.
Step 14: From the SSH session, run the “rootme” binary. Since the file is owned by the root user and the SUID bit is set, the command inside it gives us a shell with root privileges.
From here onward we have the highest privilege on the machine, and we can start our post-exploitation steps: dumping and cracking hashes, enumerating databases, reading sensitive files owned by other users, and using this machine as a pivot point to recon other machines and networks.
Now we will understand why root owns the file that we uploaded to the mounted share on the remote machine. Let’s have a look at the NFS configuration by reading the contents of the /etc/exports file.
/home: home directory is mountable
*: Every machine can mount the NFS share
rw: read and write access to the volume
no_root_squash: Allows a client operating as root to act on the mounted share as root. Because of this, the binary we copied is owned by the root user on the remote machine.
sync: The server acknowledges requests to the shared directory only once the changes have been committed to stable storage.
no_subtree_check: Disables subtree checking. With subtree checking enabled, when the exported directory is a subdirectory of a larger file system, NFS verifies on each request that the file lies within the exported tree by checking the directories above it and their permissions.
Let’s modify the content of “/etc/exports” file and change the “no_root_squash” to “root_squash” as shown below:
Restart the NFS service using the following command:
sudo /etc/init.d/nfs-kernel-server restart
Repeat the steps given under point 4 to mount the NFS share. Once mounted, try to upload, create, move or copy a file to the exported share. You will observe two things:
1. The user is not allowed to create a file in a directory owned by another user (refer to the first highlighted command in the screenshot below).
2. When we copy a binary file into the “/tmp” directory, which has 777 (read, write and execute) permissions, the file is created in that folder with the ownership of the user “nobody”, as shown below.
If we try executing the same executable on the remote machine now, the privilege will not be escalated as the file is being run as “nobody” user.
NFS shares are commonly found open on internal Linux-based servers and workstations. It is important not to run the service with default settings, as this may lead to complete system compromise. An attacker with root privileges on the compromised machine may use it as a pivot point to attack further into the network, leading to a much larger compromise. Settings such as restricting the IP addresses that can mount the exported shares and using the “root_squash” option considerably narrow the attack surface of the NFS service.
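The two export settings called out above (a wildcard client and no_root_squash) are easy to audit mechanically. The following script is an added example, not part of the original article: it parses exports(5)-style lines, reports each export that any host may mount or that does not squash root, and shows the hardened option list. The sample file contents are constructed for the example and are not the article's own /etc/exports.

```python
"""Audit /etc/exports entries for wildcard clients and no_root_squash.

Added example (not from the article). Parses lines of the form
    <path> <client>(<opt>,<opt>,...) [<client>(<opts>) ...]
as described in exports(5).
"""
import re

# Constructed sample file: the weak export from the article's scenario,
# a hardened equivalent restricted to one subnet, and a read-only wildcard.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home *(rw,no_root_squash,sync,no_subtree_check)
/srv/data 192.168.100.0/24(rw,root_squash,sync,no_subtree_check)
/srv/pub  *(ro,sync)
"""

# Either "client(opt,opt)" or a bare "client" with no option list.
ENTRY_RE = re.compile(r"(\S+)\(([^)]*)\)|(\S+)")


def parse_exports(text):
    """Return a list of (path, [(client, [options]), ...]) tuples."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        clients = []
        for m in ENTRY_RE.finditer(rest):
            if m.group(1) is not None:
                opts = [o for o in m.group(2).split(",") if o]
                clients.append((m.group(1), opts))
            else:
                # Bare client: exportfs defaults apply (ro, root_squash).
                clients.append((m.group(3), []))
        exports.append((path, clients))
    return exports


def audit(exports):
    """Return (path, client, message) findings for the two weak settings."""
    findings = []
    for path, clients in exports:
        for client, opts in clients:
            if client == "*":
                findings.append((path, client,
                                 "any host may mount this export; restrict "
                                 "it to specific hosts or a CIDR range"))
            if "no_root_squash" in opts:
                findings.append((path, client,
                                 "no_root_squash: a root client writes "
                                 "root-owned files to the server; use "
                                 "root_squash"))
    return findings


def harden_options(opts):
    """Replace no_root_squash with root_squash and state squashing explicitly.

    root_squash is the exportfs default, so adding it when no squash option
    is present only documents the intent; it does not change behaviour.
    """
    out = ["root_squash" if o == "no_root_squash" else o for o in opts]
    if "root_squash" not in out and "all_squash" not in out:
        out.append("root_squash")
    return out


if __name__ == "__main__":
    parsed = parse_exports(SAMPLE_EXPORTS)
    for path, client, msg in audit(parsed):
        print(f"{path} {client}: {msg}")
    for path, clients in parsed:
        for client, opts in clients:
            print(f"hardened: {path} {client}({','.join(harden_options(opts))})")
```

Run it against a real file with `parse_exports(open("/etc/exports").read())`; the hardened line it prints for the article's export is `/home *(rw,root_squash,sync,no_subtree_check)`, and the wildcard finding remains until the client list is narrowed.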
Services for NFS model
The following sections provide information about the Microsoft Services for Network File System (NFS) model for client-server communication. Since NFS v2 and NFS v3 are still the most widely deployed versions of the protocol, all of the registry keys except for MaxConcurrentConnectionsPerIp apply to NFS v2 and NFS v3 only.
No registry tuning is required for NFS v4.1 protocol.
Service for NFS model overview
Microsoft Services for NFS provides a file-sharing solution for enterprises that have a mixed Windows and UNIX environment. This communication model consists of client computers and a server. Applications on the client request files that are located on the server through the redirector (Rdbss.sys) and NFS mini-redirector (Nfsrdr.sys). The mini-redirector uses the NFS protocol to send its request through TCP/IP. The server receives multiple requests from the clients through TCP/IP and routes the requests to the local file system (Ntfs.sys), which accesses the storage stack.
The following figure shows the communication model for NFS.
Tuning parameters for NFS file servers
The following REG_DWORD registry settings can affect the performance of NFS file servers:
OptimalReads
The default is 0. This parameter determines whether files are opened for FILE_RANDOM_ACCESS or for FILE_SEQUENTIAL_ONLY, depending on the workload I/O characteristics. Set this value to 1 to force files to be opened for FILE_RANDOM_ACCESS. FILE_RANDOM_ACCESS prevents the file system and cache manager from prefetching.
Note
This setting must be carefully evaluated because it may affect the growth of the system file cache.
RdWrHandleLifeTime
The default is 5. This parameter controls the lifetime of an NFS cache entry in the file handle cache. The parameter refers to cache entries that have an associated open NTFS file handle. Actual lifetime is approximately equal to RdWrHandleLifeTime multiplied by RdWrThreadSleepTime. The minimum is 1 and the maximum is 60.
RdWrNfsHandleLifeTime
The default is 5. This parameter controls the lifetime of an NFS cache entry in the file handle cache. The parameter refers to cache entries that do not have an associated open NTFS file handle. Services for NFS uses these cache entries to store file attributes for a file without keeping an open handle with the file system. Actual lifetime is approximately equal to RdWrNfsHandleLifeTime multiplied by RdWrThreadSleepTime. The minimum is 1 and the maximum is 60.
RdWrNfsReadHandlesLifeTime
The default is 5. This parameter controls the lifetime of an NFS read cache entry in the file handle cache. Actual lifetime is approximately equal to RdWrNfsReadHandlesLifeTime multiplied by RdWrThreadSleepTime. The minimum is 1 and the maximum is 60.
RdWrThreadSleepTime
The default is 5. This parameter controls the wait interval before running the cleanup thread on the file handle cache. The value is in ticks, and it is non-deterministic. A tick is equivalent to approximately 100 nanoseconds. The minimum is 1 and the maximum is 60.
FileHandleCacheSizeinMB
The default is 4. This parameter specifies the maximum memory to be consumed by file handle cache entries. The minimum is 1 and the maximum is 1*1024*1024*1024 (1073741824).
LockFileHandleCacheInMemory
The default is 0. This parameter specifies whether the physical pages that are allocated for the cache size specified by FileHandleCacheSizeInMB are locked in memory. Setting this value to 1 enables this activity. Pages are locked in memory (not paged to disk), which improves the performance of resolving file handles, but reduces the memory that is available to applications.
MaxIcbNfsReadHandlesCacheSize
The default is 64. This parameter specifies the maximum number of handles per volume for the read data cache. Read cache entries are created only on systems that have more than 1 GB of memory. The minimum is 0 and the maximum is 0xFFFFFFFF.
HandleSigningEnabled
The default is 1. This parameter controls whether handles that are given out by NFS File Server are signed cryptographically. Setting it to 0 disables handle signing.
RdWrNfsDeferredWritesFlushDelay
The default is 60. This parameter is a soft timeout that controls the duration of NFS V3 UNSTABLE Write data caching. The minimum is 1, and the maximum is 600. Actual lifetime is approximately equal to RdWrNfsDeferredWritesFlushDelay multiplied by RdWrThreadSleepTime.
CacheAddFromCreateAndMkDir
The default is 1 (enabled). This parameter controls whether handles that are opened during NFS V2 and V3 CREATE and MKDIR RPC procedure handlers are retained in the file handle cache. Set this value to 0 to disable adding entries to the cache in CREATE and MKDIR code paths.
AdditionalDelayedWorkerThreads
Increases the number of delayed worker threads that are created for the specified work queue. Delayed worker threads process work items that are not considered time-critical and that can have their memory stack paged out while waiting for work items. An insufficient number of threads reduces the rate at which work items are serviced; a value that is too high consumes system resources unnecessarily.
NtfsDisable8dot3NameCreation
The default in Windows Server 2012 and Windows Server 2012 R2 is 2. In releases prior to Windows Server 2012, the default is 0. This parameter determines whether NTFS generates a short name in the 8dot3 (MSDOS) naming convention for long file names and for file names that contain characters from the extended character set. If the value of this entry is 0, files can have two names: the name that the user specifies and the short name that NTFS generates. If the user-specified name follows the 8dot3 naming convention, NTFS does not generate a short name. A value of 2 means that this parameter can be configured per volume.
Note
The system volume has 8dot3 enabled by default. All other volumes in Windows Server 2012 and Windows Server 2012 R2 have 8dot3 disabled by default. Changing this value does not change the contents of a file, but it avoids the short-name attribute creation for the file, which also changes how NTFS displays and manages the file. For most file servers, the recommended setting is 1 (disabled).
NtfsDisableLastAccessUpdate
The default is 1. This system-global switch reduces disk I/O load and latencies by disabling the updating of the date and time stamp for the last file or directory access.
MaxConcurrentConnectionsPerIp
The default value of the MaxConcurrentConnectionsPerIp parameter is 16. You can increase this value up to a maximum of 8192 to increase the number of connections per IP address.