akde/infosec

Information security is ultimately about managing risk


Displays all available network shares:

showmount -e $target

Normal mount

mount -t nfs $target:/home /mnt

Mounting with nfspy: with the hide option, it mounts and then unmounts on the server, so the victim cannot see the new connection via showmount.

nfspy -o server=192.168.1.124:/home,hide,allow_other,ro,intr /mnt

Mount via SSH

ssh -N -L 3049:localhost:2049 user@hostname
mount -t nfs -o port=3049 -o proto=tcp localhost:/home /mnt

Notes

  • If you can mount a share but don’t have access to the files, create a user or a gid on the host system and access the files as this user.
    • If this does not work directly, try mounting with another NFS version, e.g.
    • # mount -t nfs -o vers=3 $target:/home /mnt
  • Attack idea:
    • Access an NFS share and add a SUID bit.
    • On the victim, access this program / file to get root!
  • NFS2 doesn’t support authentication! Try vers=2 !
  • Behind proxychains?
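
The SUID idea above yields root only when the export keeps remote root unsquashed, so the server-side check is the export table. The following is an added example (not from the original page) that audits an /etc/exports file for the options these notes depend on; the sample file, hostnames and issue labels are constructed, and only the plain `path client(options)` form is parsed.

```python
import re

# Constructed sample /etc/exports content (not taken from the page).
SAMPLE_EXPORTS = """\
/home        *(rw,sync,no_root_squash)
/srv/backup  192.168.1.0/24(ro,sync,root_squash)
/srv/build   build01.example.internal(rw,insecure) *(ro)
/srv/www     -sync,rw web01.example.internal
"""

# Issue labels are hypothetical names chosen for this example.
ISSUES = {
    "no_root_squash": "client root stays UID 0 and can create root-owned SUID files",
    "insecure": "requests from unprivileged source ports are accepted",
    "any-host": "every host that can reach the server may mount this export",
    "manual-review": "entry not understood by this sketch (e.g. '-' default options)",
}
ENTRY_RE = re.compile(r"^([^()]*)(?:\(([^)]*)\))?$")


def audit_exports(text):
    """Return sorted (path, client, issue) tuples for risky export entries."""
    findings = set()
    for raw in text.replace("\\\n", " ").splitlines():  # join continuation lines
        fields = raw.split("#", 1)[0].split()            # drop comments
        if not fields:
            continue
        path, entries = fields[0], fields[1:] or ["*"]   # no client: exported to all
        for entry in entries:
            match = None if entry.startswith("-") else ENTRY_RE.match(entry)
            if not match:
                findings.add((path, entry, "manual-review"))
                continue
            # "host (rw)" with a stray space yields an entry with an empty host,
            # which exports(5) treats as "everyone".
            client = match.group(1) or "*"
            opts = set((match.group(2) or "").split(","))
            if client == "*":
                findings.add((path, client, "any-host"))
            for risky in ("no_root_squash", "insecure"):
                if risky in opts:
                    findings.add((path, client, risky))
    return sorted(findings)


if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {client}: {issue} ({ISSUES[issue]})")
```

Mounting the export with nosuid on the clients that use it is the matching client-side control.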
