From b98496aaede43f6ece8dfa8a05d8861f5c965f65 Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Thu, 13 Feb 2025 18:44:21 +0100 Subject: [PATCH] f --- .../az-services/az-file-shares.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/src/pentesting-cloud/azure-security/az-services/az-file-shares.md b/src/pentesting-cloud/azure-security/az-services/az-file-shares.md index 9add32983..e03edf926 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-file-shares.md +++ b/src/pentesting-cloud/azure-security/az-services/az-file-shares.md @@ -4,7 +4,7 @@ ## Basic Information -**Azure Files** is a fully managed cloud file storage service that provides shared file storage accessible via standard **SMB (Server Message Block)** and **NFS (Network File System)** protocols. Although the main protocol used is SMB as NFS Azure file shares aren't supported for Windows (according to the [**docs**](https://learn.microsoft.com/en-us/azure/storage/files/files-nfs-protocol)). It allows you to create highly available network file shares that can be accessed simultaneously by multiple virtual machines (VMs) or on-premises systems, enabling seamless file sharing across environments. +**Azure Files** is a fully managed cloud file storage service that provides shared file storage accessible via standard **SMB (Server Message Block)** and **NFS (Network File System)** protocols. The main protocol used is SMB as NFS Azure file shares aren't supported for Windows (according to the [**docs**](https://learn.microsoft.com/en-us/azure/storage/files/files-nfs-protocol)). It allows you to create highly available network file shares that can be accessed simultaneously by multiple virtual machines (VMs) or on-premises systems, enabling seamless file sharing across environments. ### Access Tiers 
@@ -28,6 +28,17 @@ - **Microsoft Entra Kerberos for Hybrid Identities**: It enables Microsoft Entra users to authenticate Azure file shares over the internet using Kerberos. It supports hybrid Microsoft Entra joined or Microsoft Entra joined VMs without requiring connectivity to on-premises domain controllers. But it does not support cloud-only identities. - **AD Kerberos Authentication for Linux Clients**: It allows Linux clients to use Kerberos for SMB authentication via on-premises AD DS or Microsoft Entra Domain Services. +### Supported "Authentication" via NFS + +- It supports 3 root squash configurations (Find more information about this in the [NFS HackTricks section](https://book.hacktricks.wiki/en/network-services-pentesting/nfs-service-pentesting.html?highlight=nfs#squashing)): + - **Root squash**: The root user is mapped to the anonymous user. + - **No root squash**: The root user is mapped to the root user. + - **All squash**: All users are mapped to the anonymous user. +- You **must disabled "Secure transfer required"** at storage account level as NFS doesn't support encryption. +- You must give some kind of **private access to the NFS server as it doesn't support public access**. For example, you can create a **private endpoint** and expose it in a subnet of a virtual network inside the subscription. + - The private endpoint will be exposed inside an IP address in the subnet **with the port 2059** open to access the NFS service. + - It's possible to use nmap to discover the private endpoint. + ## Enumeration {{#tabs }} 
@@ -57,6 +68,12 @@ az storage share list --account-name --include-snapshots --query "[?snaps az storage file list --account-name --share-name --snapshot #e.g. "2024-11-25T11:26:59.0000000Z" # Download snapshot/backup az storage file download-batch -d . --account-name --source --snapshot + +# Find private endpoints with NFS access with +sudo nmap -n -T5 -Pn -p 2049 --open /16 +# Find if a share is mounted inside a VM with +mount | grep nfs +mount | grep "username=" ``` {{#endtab }}
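Review bot: in the first hunk (Basic Information), the rewritten sentence "The main protocol used is SMB as NFS Azure file shares aren't supported for Windows" still reads as a run-on because "as" doubles as a conjunction and a preposition; dropping the dangling "Although" was the right fix, but the sentence should also gain a comma and the causal word, e.g. "The main protocol used is SMB, since NFS Azure file shares aren't supported on Windows (according to the docs)."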
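Review bot: in the second hunk (Supported "Authentication" via NFS), the port stated for the private endpoint is inconsistent with the enumeration commands added in the same patch: the bullet says the endpoint is exposed "with the port 2059 open", while the nmap line in the Enumeration section scans `-p 2049`, which is the standard NFS port; one of the two is a typo and the bullet should read `2049`. Two wording fixes in the same hunk: "You **must disabled** "Secure transfer required"" should be "must disable", and "exposed inside an IP address in the subnet" should be "exposed on an IP address in the subnet". It would also help the reader to state explicitly that "No root squash" means a remote root user keeps root privileges on the share, since that is the security-relevant difference between the three squash modes listed.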
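Review bot: in the third hunk (Enumeration code block), the nmap target is shown as a bare `/16` with nothing in front of it, so the command as it appears here is not runnable; if a placeholder such as `<subnet>/16` was intended, make sure it survives rendering (the same loss is visible on the `az storage` lines, where the `--account-name` and `--share-name` values are missing). Also, the comment "Find if a share is mounted inside a VM with" covers two different things: `mount | grep nfs` matches NFS mounts, whereas `mount | grep "username="` matches the CIFS/SMB mount option and will not find NFS shares, so the two lines deserve separate comments (NFS vs. SMB) so the reader does not conclude that the second check is an NFS check.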