This commit is contained in:
Carlos Polop
2025-02-13 18:44:21 +01:00
parent 650655363f
commit b98496aaed


@@ -4,7 +4,7 @@
## Basic Information
**Azure Files** is a fully managed cloud file storage service that provides shared file storage accessible via standard **SMB (Server Message Block)** and **NFS (Network File System)** protocols. Although the main protocol used is SMB as NFS Azure file shares aren't supported for Windows (according to the [**docs**](https://learn.microsoft.com/en-us/azure/storage/files/files-nfs-protocol)). It allows you to create highly available network file shares that can be accessed simultaneously by multiple virtual machines (VMs) or on-premises systems, enabling seamless file sharing across environments.
**Azure Files** is a fully managed cloud file storage service that provides shared file storage accessible via standard **SMB (Server Message Block)** and **NFS (Network File System)** protocols. The main protocol used is SMB as NFS Azure file shares aren't supported for Windows (according to the [**docs**](https://learn.microsoft.com/en-us/azure/storage/files/files-nfs-protocol)). It allows you to create highly available network file shares that can be accessed simultaneously by multiple virtual machines (VMs) or on-premises systems, enabling seamless file sharing across environments.
### Access Tiers
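Review bot: the rewritten second sentence of the Basic Information paragraph still reads awkwardly ("The main protocol used is SMB as NFS Azure file shares aren't supported for Windows"), because "as" here is doing the work of "because" right next to the "NFS Azure file shares" noun phrase. Suggest "The main protocol used is SMB, since NFS Azure file shares aren't supported on Windows (according to the docs)." so the causal clause is unambiguous; the rest of the change (dropping the dangling "Although") is a clear improvement.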
@@ -28,6 +28,17 @@
- **Microsoft Entra Kerberos for Hybrid Identities**: It enables Microsoft Entra users to authenticate Azure file shares over the internet using Kerberos. It supports hybrid Microsoft Entra joined or Microsoft Entra joined VMs without requiring connectivity to on-premises domain controllers. But it does not support cloud-only identities.
- **AD Kerberos Authentication for Linux Clients**: It allows Linux clients to use Kerberos for SMB authentication via on-premises AD DS or Microsoft Entra Domain Services.
### Supported "Authentication" via NFS
- It supports 3 root squash configurations (Find more information about this in the [NFS HackTricks section](https://book.hacktricks.wiki/en/network-services-pentesting/nfs-service-pentesting.html?highlight=nfs#squashing)):
- **Root squash**: The root user is mapped to the anonymous user.
- **No root squash**: The root user is mapped to the root user.
- **All squash**: All users are mapped to the anonymous user.
- You **must disabled "Secure transfer required"** at storage account level as NFS doesn't support encryption.
- You must give some kind of **private access to the NFS server as it doesn't support public access**. For example, you can create a **private endpoint** and expose it in a subnet of a virtual network inside the subscription.
- The private endpoint will be exposed inside an IP address in the subnet **with the port 2059** open to access the NFS service.
- It's possible to use nmap to discover the private endpoint.
## Enumeration
{{#tabs }}
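Review bot: the new NFS bullet that says the private endpoint exposes "the port 2059" disagrees with the nmap command added later in this same commit, which scans `-p 2049`; 2049 is the standard NFS port, so the prose line should be corrected to 2049 to match. Two smaller wording fixes in the same block: "You **must disabled** "Secure transfer required"" should read "must disable", and the "All squash" bullet is not really a "root squash" configuration, so "It supports 3 root squash configurations" would be more accurate as "It supports 3 squash configurations".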
@@ -57,6 +68,12 @@ az storage share list --account-name <name> --include-snapshots --query "[?snaps
az storage file list --account-name <name> --share-name <share-name> --snapshot <snapshot-version> #e.g. "2024-11-25T11:26:59.0000000Z"
# Download snapshot/backup
az storage file download-batch -d . --account-name <name> --source <share-name> --snapshot <snapshot-version>
# Find private endpoints with NFS access with
sudo nmap -n -T5 -Pn -p 2049 --open <private-ip>/16
# Find if a share is mounted inside a VM with
mount | grep nfs
mount | grep "username="
```
{{#endtab }}
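Review bot: the comment "Find if a share is mounted inside a VM with" above `mount | grep nfs` and `mount | grep "username="` does not say that the two greps look for different things: the first matches NFS mounts, while `username=` is a mount option of SMB/CIFS mounts, not NFS. Suggest splitting the comment, e.g. "# NFS mounts" before the first line and "# SMB/CIFS mounts (username= mount option)" before the second, so a reader of the NFS subsection does not expect the second command to find NFS shares. Also, the "# Find private endpoints with NFS access with" comment should mention that 2049 is the NFS port, since the prose added in this commit currently says 2059.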