SHOWMOUNT

This utility is used on Unix and Linux systems to query NFS (Network File System) servers and obtain information about their exported file systems. With the -e (or --exports) option, it lists the directories the server is sharing and the clients or networks allowed to mount them. showmount communicates with the server’s rpcbind/Portmapper service (usually on port 111) to retrieve this information, even without mounting the export locally. It is commonly used for administrative tasks, such as verifying which directories are shared or diagnosing NFS access issues.

Only hosts that are part of the subnet or explicitly allowed in the server’s export configuration can successfully view the shared directories; hosts outside the allowed range typically cannot see the exports. However, if NFS exports are misconfigured (e.g., wide open to a subnet), showmount can also be used by attackers for reconnaissance, revealing which directories are publicly available on the network.

root@oco:~$ showmount -e 10.129.4.99
 Export list for 10.129.4.99:
 /var/nfs      10.0.0.0/8
 /mnt/nfsshare 10.0.0.0/8

 * this command will only work if the attacker is part of the subnet
    - being part of the allowed subnet gives you the “view” of what’s exported, even if 
      you don’t mount the share. NFS doesn’t normally restrict visibility beyond the 
      export rules — so showmount essentially reflects whatever the server is
      configured to reveal to your host.
 
 * The -e (or --exports) option specifically requests the exports list, showing which 
   directories the server is sharing and which clients or networks are allowed to 
   mount them.
 * 10.129.4.99 is the IP of the NFS server you are querying.
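
An added example (not part of the original notes): a defender-side check that parses showmount -e output and flags exports offered to broad client ranges, such as the 10.0.0.0/8 entries above. The thresholds, the function names and the two extra sample lines are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample: the export list from this page plus two made-up lines
# (a single-host export and a wildcard export) to exercise the other branches.
SAMPLE = """\
Export list for 10.129.4.99:
/var/nfs      10.0.0.0/8
/mnt/nfsshare 10.0.0.0/8
/srv/backup   192.168.10.15
/srv/public   *
"""

# Assumed review thresholds: networks broader than these get flagged.
MIN_PREFIX = {4: 24, 6: 64}


def classify(client):
    """Return a reason if the client spec is broad, otherwise None."""
    if client in ("*", "(everyone)"):
        return "any host may mount"
    try:
        # strict=False also accepts forms such as 10.0.0.0/255.0.0.0
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        # Hostname or netgroup: only wildcard patterns can be judged here.
        return "wildcard hostname pattern" if set("*?") & set(client) else None
    if net.prefixlen < MIN_PREFIX[net.version]:
        return f"/{net.prefixlen} covers {net.num_addresses} addresses"
    return None


def audit_exports(text):
    """Parse `showmount -e` output into (path, client, reason) findings."""
    findings = []
    for line in text.splitlines():
        fields = line.strip().rsplit(None, 1)
        if len(fields) != 2 or not fields[0].startswith("/"):
            continue  # header line, blank line, or export without a client list
        path, clients = fields
        for client in clients.split(","):
            reason = classify(client)
            if reason:
                findings.append((path, client, reason))
    return findings


if __name__ == "__main__":
    for path, client, reason in audit_exports(SAMPLE):
        print(f"REVIEW {path}: {client} ({reason})")
```

Saved output from showmount -e run against your own servers can be passed to audit_exports() in place of SAMPLE.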
