Alex Neff
@al3x-n3ff.bsky.social
Pentester | Maintainer of NetExec
Mitigation:
Turn on the option "subtree_check" for all of your exports! This will restrict NFS to the exported directories.

Details:
The escape to the root directory is possible due to how NFS file handles are created by the file system. Supported FS: ext, xfs, btrfs

3/4🧵
March 3, 2025 at 6:01 PM
If one of the exposed exports also allows read&write and has root squash disabled, you can download&replace nearly every file on the system.

Just add yourself to the /etc/shadow and /etc/passwd files with the new NetExec implementation🔥

2/4🧵
March 3, 2025 at 6:01 PM
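
An added example, not part of the posts above or of NetExec: a small Python audit of an exports(5) file that flags entries without subtree_check and entries that combine rw with no_root_squash, the two conditions the thread describes. The sample file is constructed, and the script assumes the nfs-utils defaults (ro, root_squash, no_subtree_check) for any option that is not set.

```python
import re

# Constructed sample in exports(5) syntax, not taken from a real host.
SAMPLE_EXPORTS = """\
/srv/share   10.0.0.0/24(rw,sync,no_root_squash)
/srv/docs    *(ro,sync,subtree_check)   # already restricted
/srv/backup  -subtree_check,sync backup01(rw) \\
             backup02(rw,no_root_squash)
/srv/legacy  oldhost
"""

def parse_exports(text):
    """Yield (path, client, [options]) for each client entry."""
    text = re.sub(r"\\\n", " ", text)            # join continued lines
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if not fields:
            continue
        defaults = []
        for field in fields[1:]:
            if field.startswith("-"):            # "-a,b": defaults for later clients
                defaults = field[1:].split(",")
                continue
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", field)
            if m:
                own = [o for o in (m.group(2) or "").split(",") if o]
                yield fields[0], m.group(1) or "*", defaults + own

def audit(text):
    """Return [(path, client, [issues])] for entries that need attention."""
    findings = []
    for path, client, opts in parse_exports(text):
        # Assumed nfs-utils defaults when an option is absent.
        eff = {"subtree_check": False, "rw": False, "root_squash": True}
        for o in opts:                           # later options override earlier
            name = o[3:] if o.startswith("no_") else o
            if name in ("subtree_check", "root_squash"):
                eff[name] = not o.startswith("no_")
            elif o in ("rw", "ro"):
                eff["rw"] = (o == "rw")
        issues = []
        if not eff["subtree_check"]:
            issues.append("subtree_check not set")
        if eff["rw"] and not eff["root_squash"]:
            issues.append("rw with no_root_squash")
        if issues:
            findings.append((path, client, issues))
    return findings

if __name__ == "__main__":
    for path, client, issues in audit(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {', '.join(issues)}")
```

On a server, pass the contents of /etc/exports to `audit()` and compare the result with the output of `exportfs -v`, which prints the options actually in effect.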
If you want to learn more, I highly recommend the white paper from @SecuraBV: www.secura.com/uploads/whit...

And the original implementation they did at: github.com/SecuraBV/Tim...

3/3🧵
December 1, 2024 at 4:16 PM
In detail:
To prevent attackers from tampering with the system clock, the DC generates a MAC to authenticate NTP responses. The MAC has the form MD5(MD4(computer-pwd) || NTP-response), where the NTP-response acts as a salt. This hash can then be cracked using hashcat.

2/3🧵
December 1, 2024 at 4:16 PM