Pentesting Rsync

Rsync port 873

nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0        <--- You receive this banner with the version from the server
@RSYNCD: 31.0        <--- Then you send the same info
#list                <--- Then you ask the server to list
raidroot             <--- The server starts enumerating
USBCopy        	
NAS_Public     	
_NAS_Recycle_TOSRAID	<--- Enumeration finished
@RSYNCD: EXIT         <--- Server closes the connection


# Now let's try to enumerate "raidroot"
nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0
@RSYNCD: 31.0
raidroot
@RSYNCD: AUTHREQD 7H6CqsHCPG06kRiFkKwD8g    <--- This means you need the password
  • Enumerate shared folders

  • An rsync module is essentially a directory share. These modules can optionally be protected by a password.

  • This option lists the available modules and, optionally, determines if the module requires a password to access:

  • Manual Rsync

  • List a shared folder

  • Copy all files to your local machine via the following command:

  • If you have credentials you can list/download a shared folder using (you will be prompted for the password):

  • You could also upload some content using rsync (for example, in this case we can upload an authorized_keys file to obtain access to the box):

  • Find the rsyncd configuration file:

  • Inside the config file you can sometimes find the parameter secrets file = /path/to/file, and this file could contain the usernames and passwords allowed to authenticate to rsyncd.
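
A defender-side check for the module settings described above, as an added example that is not from the original page: it parses an rsyncd.conf and reports modules with no `auth users` (anonymous access), whether they are writable, and modules that set `auth users` without a `secrets file`. The sample config is constructed; its paths and user name are assumptions, and only the module names come from the listing above.

```python
import re

# Constructed sample rsyncd.conf: module names come from the listing above,
# paths and the user name are made up.
SAMPLE_CONF = """\
secrets file = /etc/rsyncd.secrets
[raidroot]
path = /volume1/raidroot
auth users = backup
[NAS_Public]
path = /volume1/public
read only = no
[USBCopy]
path = /volume1/usbcopy
"""

FALSE_VALUES = {"no", "false", "0"}

def parse_rsyncd_conf(text):
    """Return {module: params}; global parameters act as module defaults."""
    defaults, modules, current = {}, {}, None
    for raw in text.replace("\\\n", "").splitlines():  # join continued lines
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            name = header.group(1).strip()
            # [global] switches back to the global section
            current = None if name.lower() == "global" else modules.setdefault(name, dict(defaults))
        elif "=" in line:
            key, value = line.split("=", 1)  # only the first '=' is significant
            key = re.sub(r"\s+", "", key).lower()  # whitespace in names is ignored
            (defaults if current is None else current)[key] = value.strip()
    return modules

def audit(text):
    """Return {module: finding} for modules with weak or broken access control."""
    report = {}
    for name, p in parse_rsyncd_conf(text).items():
        writable = p.get("readonly", "yes").lower() in FALSE_VALUES  # default is read only
        if not p.get("authusers"):  # no auth users: anyone can connect
            report[name] = "anonymous-write" if writable else "anonymous-read"
        elif not p.get("secretsfile"):
            report[name] = "auth-users-without-secrets-file"
    return report

if __name__ == "__main__":
    for module, finding in audit(SAMPLE_CONF).items():
        print(module, finding)
```

Modules that must stay anonymous can still be narrowed with `hosts allow`, which this check does not evaluate.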
