File sharing services like SMB (Server Message Block) and NFS (Network File System) are common in corporate environments. SMB is the standard for Windows networks, while NFS dominates in Linux/Unix environments. When misconfigured, these services can expose sensitive files and credentials and, in some cases, provide a path to remote code execution. In this lesson, we will learn to enumerate both services thoroughly.
SMB is the protocol behind Windows file sharing, printer sharing, and inter-process communication (named pipes). It runs directly over TCP on port 445 and, historically, on port 139 via the NetBIOS session service. Samba is the open-source implementation of SMB for Linux/Unix, letting those systems serve and consume Windows shares.
SMB shares are one of the most common sources of sensitive data exposure in penetration tests. Shares may contain backup files, user documents, configuration files, and even password files — often accessible without authentication or with easily guessed credentials.
smbclient is a command-line tool that provides an interactive FTP-like interface to SMB shares. With -L it lists the shares a server offers without opening any of them.
The -N flag suppresses the password prompt, giving us a null (anonymous) session. The listing shows three custom shares (public, confidential, admin) alongside the default print$ and IPC$ shares. The share names themselves are revealing: 'confidential' and 'admin' are obvious targets.
We connected to the public share and found several files. The get command downloads files to our local machine. Let us also check the confidential share.
⚠️ The 'confidential' share is accessible without any authentication and contains a file called passwords_backup.txt. This is a critical security finding — sensitive data is exposed to anyone on the network.
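The share listing and the per-share access test described above, as an added example that is not part of the original lab: it lists a server's shares over a null session with smbclient's grepable output, then tries a directory listing on every disk share so the question "which shares are open anonymously?" is answered in one pass. It assumes smbclient (Samba) is installed; TARGET is a hypothetical host, and the embedded listing is a constructed sample shaped like the lab's findings.

```bash
#!/usr/bin/env bash
# Added example, not part of the original lab: list a server's shares over a
# null session with smbclient, then test each disk share for anonymous read
# access. Assumes smbclient (Samba) is installed; TARGET is a hypothetical host.

# `smbclient -L //host -N -g` prints one share per line in grepable form:
#   Type|Name|Comment      (Type is Disk, Printer, IPC or Device)
# Keep only the disk shares, which are the ones that hold files.
disk_shares() {
    awk -F'|' '$1 == "Disk" { print $2 }'
}

# Try a directory listing on one share with a null session.
probe_share() {
    local host="$1" share="$2"
    if smbclient "//${host}/${share}" -N -c 'ls' >/dev/null 2>&1; then
        echo "OPEN     ${share}   (anonymous read works)"
    else
        echo "DENIED   ${share}"
    fi
}

# List shares, then probe each disk share.
null_session_audit() {
    local host="$1"
    smbclient -L "//${host}" -N -g 2>/dev/null | disk_shares | while read -r share; do
        probe_share "$host" "$share"
    done
}

# Constructed sample of the grepable listing, shaped like the lab's target.
SAMPLE_LISTING='Disk|public|Public Files
Disk|confidential|Confidential Documents
Disk|admin|Admin Share
Disk|print$|Printer Drivers
IPC|IPC$|IPC Service (Samba Server)'

if [ -n "${1:-}" ]; then
    null_session_audit "$1"                       # live: ./smb_null_audit.sh TARGET
else
    printf '%s\n' "$SAMPLE_LISTING" | disk_shares  # offline: parse the sample listing
fi
```

Once a share is confirmed open, pull its whole tree rather than fetching files one by one: `smbclient //TARGET/confidential -N -c 'prompt off; recurse on; mget *'`. Note that print$ is a disk share too (it holds printer drivers), so it shows up in the probe; it is rarely interesting but occasionally writable.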
enum4linux is a Perl script that automates SMB enumeration by wrapping the Samba tools (smbclient, rpcclient, net, nmblookup) and polenum. Over a null session it extracts user lists, group memberships, password policies, share information, and more, mostly through MS-RPC calls carried over SMB named pipes.
enum4linux delivered a wealth of intelligence: three user accounts (john, sarah, admin), weak password policy (minimum 5 characters, no complexity requirements, no lockout threshold), and confirmed that all shares including 'admin' are accessible via null session. The lack of account lockout means brute-force attacks against these accounts are feasible.
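To see where two of those findings come from, here is an added example (not the lab's own commands) that runs the rpcclient queries enum4linux relies on for users and password policy over a null session, with a small parser that flags the weak settings. It assumes rpcclient (Samba) is installed; TARGET is a hypothetical host, and the embedded outputs are constructed samples matching the lab's results.

```bash
#!/usr/bin/env bash
# Added example, not part of the original lab: the rpcclient calls behind
# enum4linux's user list and password policy, plus a parser that judges the
# policy. Assumes rpcclient (Samba) is installed; TARGET is hypothetical.

# `rpcclient -U '' -N host -c enumdomusers` prints lines like
#   user:[john] rid:[0x3e8]
# Extract just the usernames.
parse_users() {
    sed -n 's/^user:\[\([^]]*\)\].*/\1/p'
}

# `rpcclient -U '' -N host -c getdompwinfo` prints
#   min_password_length: 5
#   password_properties: 0x00000000
# followed by flag names (e.g. DOMAIN_PASSWORD_COMPLEX) for any bits that are
# set. Emit a one-line verdict: WEAK if length < 8 or complexity is off.
judge_policy() {
    awk '
        /^min_password_length:/   { minlen = $2 }
        /DOMAIN_PASSWORD_COMPLEX/ { complex = 1 }
        END {
            verdict = (minlen + 0 < 8 || !complex) ? "WEAK" : "OK"
            printf "%s: min length %d, complexity %s\n", verdict, minlen,
                   (complex ? "required" : "not required")
        }'
}

# Live enumeration against a host (null session: empty user, no password).
enumerate_rpc() {
    local host="$1"
    echo "[*] users via enumdomusers"
    rpcclient -U '' -N "$host" -c enumdomusers | parse_users
    echo "[*] password policy via getdompwinfo"
    rpcclient -U '' -N "$host" -c getdompwinfo | judge_policy
}

# Constructed sample outputs mirroring the lab's findings.
SAMPLE_USERS='user:[john] rid:[0x3e8]
user:[sarah] rid:[0x3e9]
user:[admin] rid:[0x3ea]'
SAMPLE_POLICY='min_password_length: 5
password_properties: 0x00000000'

if [ -n "${1:-}" ]; then
    enumerate_rpc "$1"                          # live: ./rpc_enum.sh TARGET
else
    printf '%s\n' "$SAMPLE_USERS" | parse_users
    printf '%s\n' "$SAMPLE_POLICY" | judge_policy
fi
```

The lockout threshold that enum4linux reports does not come from getdompwinfo; enum4linux's -P option obtains it through polenum (SAMR domain info level 12). Only when the lockout threshold is 0 is an online password-guessing run against the enumerated users safe from locking them out.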
NFS (Network File System) is the standard file sharing protocol for Linux/Unix environments. Unlike SMB, NFS through version 3 with the default AUTH_SYS flavour authenticates the client host rather than the user: access to an export is granted by IP address or hostname in /etc/exports, and the server then trusts whatever UID and GID the client presents. Exports open to the entire network are a common finding.
The showmount command queries the NFS server to list all exported file systems. This is the NFS equivalent of listing SMB shares.
⚠️ The /tmp export is accessible to 0.0.0.0/0, meaning any host that can reach the NFS service (port 2049, plus the portmapper on 111) can mount it. The /home/john export exposes a user's home directory to the entire subnet. Both are serious misconfigurations.
Once we know the available exports, we can mount them locally and browse their contents just like any other directory.
We have full read access to john's home directory. The .ssh directory is particularly interesting — it may contain private SSH keys.
We extracted john's private SSH key from an NFS-exported home directory. Unless the key is protected by a passphrase, it lets us authenticate as john on any host where the corresponding public key appears in his authorized_keys. This is a textbook attack chain: NFS misconfiguration → file access → credential theft → lateral movement.
💡 Always check NFS exports for world-writable directories. If you find one, you can place files there that other users may read or execute, such as a planted SSH key or a SUID binary. Two caveats: NFSv3 trusts the UID/GID the client sends, so create a local user with the victim's UID to write files he owns; and a SUID-root binary only helps if the export is configured with no_root_squash, otherwise root on the client is mapped to nobody and the file is not owned by root.
Nmap includes NSE scripts specifically for NFS enumeration that can automate the discovery of exports and their permissions.
The Nmap scripts confirmed all exports and revealed that /var/backups contains a database backup (db_backup_20240114.sql.gz) and a configuration backup (config_backup.tar.gz). Combined with the world-writable /tmp export, this target has multiple critical NFS misconfigurations.
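The whole NFS procedure above (showmount listing, mounting each export, hunting for SSH keys and backups, checking for world-writable directories and for root squashing) as one added example that is not part of the original lab. It assumes showmount and mount.nfs are installed, that it runs as root (mount needs it) on a GNU system (stat -c), and that TARGET is a hypothetical host; the embedded showmount output is a constructed sample shaped like the lab's findings.

```bash
#!/usr/bin/env bash
# Added example, not part of the original lab: audit NFS exports end to end.
# Assumes showmount/mount.nfs, root privileges, GNU stat; TARGET is hypothetical.

# `showmount -e host` prints a header line, then "/export  client[,client...]".
# Print the paths whose client list contains '*' or 0.0.0.0/0 (open to all).
open_exports() {
    awk 'NR > 1 && $2 ~ /(^|,)(\*|0\.0\.0\.0\/0)(,|$)/ { print $1 }'
}

# Print every export path, header skipped.
all_exports() {
    awk 'NR > 1 { print $1 }'
}

# Mount one export under /mnt/nfs_<path>. vers=3 means AUTH_SYS: the server
# trusts the UID/GID we send. nolock avoids needing a local rpc.statd.
mount_export() {
    local host="$1" export="$2" dest
    dest="/mnt/nfs$(printf '%s' "$export" | tr '/' '_')"
    mkdir -p "$dest"
    mount -t nfs -o vers=3,nolock "${host}:${export}" "$dest" && echo "$dest"
}

# Look for the findings the lesson highlights inside a mounted export.
inspect_mount() {
    local dest="$1"
    echo "== $dest"
    # SSH keys and backup material (the lab's .ssh directory and *.sql.gz/*.tar.gz)
    find "$dest" -xdev -type f \( -path '*/.ssh/*' -o -name '*.sql*' -o -name '*backup*' \) 2>/dev/null
    # world-writable directories: drop points for files other users may use
    find "$dest" -xdev -type d -perm -o+w 2>/dev/null | sed 's/^/world-writable: /'
}

# Is root squashed? Create a file as root and check which UID the server kept.
# uid 0 means no_root_squash (a SUID-root binary can be planted); anything else
# means root is mapped away. The probe file is removed again.
root_squash_check() {
    local dir="$1" probe owner
    probe="$dir/.nfsprobe.$$"
    if touch "$probe" 2>/dev/null; then
        owner="$(stat -c %u "$probe")"
        rm -f "$probe"
        if [ "$owner" = "0" ]; then
            echo "$dir: no_root_squash (SUID-root drop possible)"
        else
            echo "$dir: root_squash active (root mapped to uid $owner)"
        fi
    else
        echo "$dir: not writable"
    fi
}

audit_nfs() {
    local host="$1" listing export dest
    listing="$(showmount -e "$host")"
    printf '%s\n' "$listing" | open_exports | sed 's/^/OPEN TO ALL: /'
    printf '%s\n' "$listing" | all_exports | while read -r export; do
        dest="$(mount_export "$host" "$export")" || continue
        inspect_mount "$dest"
        root_squash_check "$dest"
        umount "$dest"
    done
}

# Constructed sample of `showmount -e` output, shaped like the lab's target.
SAMPLE_SHOWMOUNT='Export list for 10.10.10.5:
/tmp          0.0.0.0/0
/home/john    10.10.10.0/24
/var/backups  10.10.10.0/24'

if [ -n "${1:-}" ]; then
    audit_nfs "$1"                                   # live: ./nfs_audit.sh TARGET
else
    printf '%s\n' "$SAMPLE_SHOWMOUNT" | open_exports   # offline: parse the sample
fi
```

The Nmap equivalent of the listing and file inspection, without mounting anything, is `nmap -sV -p 111,2049 --script nfs-showmount,nfs-ls,nfs-statfs TARGET`; nfs-ls also prints the UID/GID and mode of each file, which tells you in advance which local UID to impersonate. Run the mount-based audit only where you are authorised to write to the target, since the root-squash probe creates (and deletes) a file.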