This blog post is a quick resume on the subject and you can find all the details in the blog post written by Rob Fuller.

The idea behind this technique is that you have managed to create a Meterpreter session in a network and you have spotted (though a network scan or in configuration files) a server exporting data with NFS. Of course, you do not want to mess with the box and lose the shell so the solution is to tunnel all this NFS traffic though Meterpreter all the way to your own box.

Rob Fuller proposes the following setup:

  • Route all the connections to the target network through the active Meterpreter session.
  • Run Metasploit’s Socks proxy in the background so we can run external programs against our target. In combination with the previous point, the traffic generated by our external program will be routed to the remote network through our Meterpreter session.
  • Use an NFS client to mount the remote volumes in your box. The problem here is that this client must support TCP connections because the programs used to “socksify” (like proxychains) only supports TCP packets.

The proposed NFS client is NfSpy  for a simple reason, it was written to abuse the trust relationships in NFS before version 4 (NFSv4 uses Kerberos for authentication), that is almost all the systems you may find in a pentest. Abusing these relationships you can bypass security restrictions like squash_root (a legit NFS library would treat root like the nobody user). You can find detailed information in the README file.