BIPI

NFS, SMB, and Misconfigured Mounts: Lateral Movement on Linux

Cybersecurity

Shared filesystems are still where Linux environments leak access. We cover NFS no_root_squash, world-readable SMB shares, and the mount options that turn shared storage into shared shells.

By Arjun Raghavan, Security & Systems Lead, BIPI · March 23, 2025 · 9 min read

#linux #nfs #smb #lateral-movement #pentesting

Shared filesystems are a credential

Once you can read or write another host's filesystem, you are functionally on that host. NFS and SMB are the two protocols that make this easy, and they remain badly configured in most enterprise networks.

Finding NFS exports

  • showmount -e target lists exports if the server allows it
  • nmap -p 111,2049 --script=nfs-ls,nfs-showmount,nfs-statfs target
  • rpcinfo -p target for the full portmapper view
  • Check /etc/exports and /etc/fstab on hosts you already control: exports tell you what a server hands out, fstab tells you which servers the rest of the estate mounts and with which options

no_root_squash, the gift

By default the NFS server maps requests from a remote uid 0 to the anonymous user (nobody, or nfsnobody on older distributions). This is root squashing, and it is the only squashing you get by default. Two things follow. First, squashing protects only root: with sec=sys the server trusts whatever uid the client sends, so root on a client can su to any other uid and read that user's files on the export. Second, the no_root_squash export option turns even that protection off, so root on a client is root on the export. With no_root_squash you can write a root-owned SUID binary into the share, and anyone who runs it on the server (where the export is a plain local directory) or on another client that mounts the share without nosuid gets a root shell.

Exploitation flow

  1. mount -t nfs target:/export /mnt/nfs on a host where you are root (mounting needs root anyway, and the point is that your uid 0 is honoured by the server)
  2. Compile a small C program that calls setgid(0) and setuid(0) and then execs /bin/sh. Because the process starts with euid 0, setuid(0) also sets the real and saved uid, so a bash-backed /bin/sh will not drop privileges
  3. chown root:root and chmod 4755 the binary, then confirm with ls -l that the owner is root and the mode shows rws; if chown fails with EPERM the export is squashing root after all
  4. Any user who runs the binary on the NFS server, or on another client that mounts the export without nosuid, gets a root shell
  5. If you already have a shell on the server, run it yourself and you are root

SMB and writable shares

  • enum4linux-ng target for a quick share and user inventory
  • smbclient -L //target -N for null session enumeration
  • smbmap -H target -u guest for permissions per share
  • Look for shares that grant READ or WRITE to guest, null sessions, or low-privilege users
  • Backup, profiles, and software shares are frequent finds

Linux as SMB client

Linux clients mount SMB with cifs-utils (mount.cifs). The client normally enforces permissions locally using what the server reports, but the noperm option turns that check off, and uid=/gid= or forceuid make every file appear owned by one local account, so any local user reads whatever the mount credential can read on the server. Unless the mount uses multiuser with Kerberos, every local user also talks to the server as that single mount credential. Look in /etc/fstab and the output of mount (or /proc/mounts) for cifs entries, note which credentials= file they reference, and check who can read it.

Other risky mount options

  • nosuid missing on shared mounts lets dropped SUID binaries, and binaries carrying file capabilities such as cap_setuid, run with their elevated identity; nosuid disables both
  • noexec missing on /tmp or /var/tmp lets dropped binaries run directly; noexec is a speed bump rather than a boundary (a script handed to an interpreter still runs), so pair it with nosuid and nodev rather than relying on it alone
  • A single credentials= file or inline username/password on a cifs mount means every local user reaches the share as that one account; the file must be root-owned and mode 0600, and multiuser with Kerberos is the fix where the server supports it

Detection and hardening

  • Audit /etc/exports for no_root_squash; root_squash is the default, and all_squash with anonuid/anongid is the stricter choice for shares that do not need per-user identity
  • Mount all shared filesystems with nosuid,nodev,noexec where possible, and apply nosuid,noexec to /tmp and /var/tmp
  • Restrict each export to specific client hosts or subnets, never * or 0.0.0.0/0; remember that an IP allowlist with sec=sys still trusts whatever uid the client asserts
  • Enable Kerberos (sec=krb5p) for NFSv4 in sensitive environments so identity is proven per user rather than asserted by the client
  • Disable SMBv1 and guest access on every Samba server

Half the lateral movement findings in enterprise Linux assessments come down to a checkbox in /etc/exports.
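One way to run the checks from the risky-mount-options list, the hardening list and the cifs client section against a host, added here as an example and not tooling from the post: a POSIX shell audit that flags no_root_squash and world-open entries in an /etc/exports-style file, and missing nosuid/nodev/noexec, noperm and forced-uid options in /etc/fstab or /proc/mounts lines. The sample exports and mounts below are constructed for the demonstration; on a real host point the two functions at /etc/exports and /proc/mounts. The cifs heuristics (forceuid, noperm) go a little beyond what the list above spells out, but they flag exactly the single-identity mounts the client section describes.

```shell
#!/bin/sh
# Added example (not from the original post): audit exports and mounts
# for the options discussed above. The sample input below is constructed.
set -eu

# Flags each client entry in an /etc/exports-style file that is open to
# the world or uses no_root_squash. Output: <path> <client> <reason>.
# A bare "(opts)" with a space before it applies to every client, which
# exportfs itself warns about, so it is reported as world-exportable.
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1, length($i) - p - 1)
            }
            if (client == "") client = "-"
            if (client == "*" || client == "-" || client == "0.0.0.0/0")
                print path, client, "world-exportable"
            if (("," opts ",") ~ /,no_root_squash,/)
                print path, client, "no_root_squash"
        }
    }' "$1"
}

# Flags shared (nfs/nfs4/cifs/smb3) mounts lacking nosuid, nodev or
# noexec, cifs mounts using noperm or a forced uid, and scratch dirs
# without noexec. Reads /etc/fstab or /proc/mounts lines (same first
# four fields). Output: <mountpoint> <fstype> <reason>.
audit_mounts() {
    awk '
    /^[ \t]*(#|$)/ { next }
    {
        mnt = $2; type = $3; opts = "," $4 ","
        if (type ~ /^(nfs|nfs4|cifs|smb3)$/) {
            n = split("nosuid nodev noexec", want, " ")
            for (i = 1; i <= n; i++)
                if (index(opts, "," want[i] ",") == 0)
                    print mnt, type, "missing-" want[i]
        }
        if (type == "cifs" || type == "smb3") {
            if (index(opts, ",noperm,") > 0)
                print mnt, type, "noperm"
            # uid= implies forceuid unless noforceuid is explicit;
            # /proc/mounts always prints uid=, so check the flag too
            if (index(opts, ",forceuid,") > 0 || (opts ~ /,uid=/ && index(opts, ",noforceuid,") == 0))
                print mnt, type, "forced-uid"
        }
        if ((mnt == "/tmp" || mnt == "/var/tmp" || mnt == "/dev/shm") && index(opts, ",noexec,") == 0)
            print mnt, type, "missing-noexec"
    }' "$1"
}

# Constructed samples standing in for /etc/exports and /proc/mounts.
SAMPLE_EXPORTS="$(mktemp)"
cat > "$SAMPLE_EXPORTS" <<'EOF'
# path        client(options)
/srv/backup   10.0.0.0/24(rw,sync,no_root_squash)
/srv/www      *(ro)
/home         (rw,sync)
/srv/safe     10.0.0.5(rw,sync,root_squash)
EOF

SAMPLE_MOUNTS="$(mktemp)"
cat > "$SAMPLE_MOUNTS" <<'EOF'
fileserver:/srv/backup /mnt/backup nfs4 rw,relatime,vers=4.2,sec=sys 0 0
//fs01/profiles /mnt/profiles cifs rw,relatime,vers=3.1.1,username=svc,uid=1000,forceuid,noperm,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda2 / ext4 rw,relatime 0 0
EOF

echo "== exports"; audit_exports "$SAMPLE_EXPORTS"
echo "== mounts";  audit_mounts "$SAMPLE_MOUNTS"
```

Against the samples the exports audit reports /srv/backup for no_root_squash and both /srv/www and the bare /home entry as world-exportable, while /srv/safe passes; the mounts audit reports the NFS mount for all three missing flags, the cifs mount for noperm and forced-uid, and /tmp for the missing noexec. Feed it the real files and diff the output between hosts to find the one file server whose export line nobody reviewed.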

Closing thought

Network filesystems were designed in an era of trusted LANs. Treat every export line and every mount option as a security control. Two minutes spent reviewing exports is cheap next to the engagement, or the intrusion, that pivots straight through your file server.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.