Rsync is a utility for efficiently transferring and synchronizing files between a computer and an external hard drive and across a network. By default it runs on TCP port 873.
Practice
Enumeration
To initiate a connection with an rsync server, use the command followed by the rsync URL.
You can use Netcat to find out what service is running and its version by looking at the welcome message it shows when you connect. This method is called Banner Grabbing.
You can use Nmap to check if there's an Rsync server on a target host like this:
We can then enumerate modules. This is a crucial enumeration phase for understanding the structure of the target rsync modules and finding misconfigurations or sensitive information.
Rsync modules represent directory shares and may be protected with a password. To list these modules:
For detailed enumeration of a specific module to see files and permissions:
Exploiting
Be aware that some shares might be restricted to specific credentials, indicated by an "Access Denied" message. We can try to bruteforce the password using the following command.
Modules without proper authentication can be accessed by unauthorized users. This vulnerability allows attackers to read, modify, or delete sensitive data.
If a module is writable, and you have determined its path through enumeration, you can upload malicious files, potentially leading to remote command execution or pivoting into the network.
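The weaknesses described above (modules without authentication, writable modules) come from settings in rsyncd.conf, so they can be caught by auditing that file on your own servers. The following is an added example, not part of the original page: the function names and the sample config are constructed, and the parser does not handle backslash line continuations.

```python
TRUE = {"yes", "true", "1"}  # rsyncd.conf boolean spellings for "on"

def parse_rsyncd_conf(text):
    """Return {module: params}; global parameters act as module defaults."""
    global_params, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
        elif line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            key = "".join(name.lower().split())  # ignore case/whitespace in names
            target = global_params if current is None else modules[current]
            target[key] = value.strip()
    return {m: {**global_params, **p} for m, p in modules.items()}

def audit(text):
    """Return {module: [findings]} for modules with risky access settings."""
    report = {}
    for module, p in parse_rsyncd_conf(text).items():
        findings = []
        if not p.get("authusers"):
            findings.append("no 'auth users': module accepts anonymous clients")
        if p.get("readonly", "yes").lower() not in TRUE:  # default is read only
            findings.append("'read only' is off: clients can upload")
        if p.get("list", "yes").lower() in TRUE:  # default is listable
            findings.append("module appears in the public module listing")
        if not p.get("hostsallow"):
            findings.append("no 'hosts allow' restriction")
        if findings:
            report[module] = findings
    return report

# Constructed sample config, not taken from a real host.
SAMPLE_CONF = """\
hosts allow = 10.0.0.0/24
[backups]
path = /srv/backups
read only = no

[private]
auth users = alice
secrets file = /etc/rsyncd.secrets
list = no
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

On the sample, only `backups` is reported: it is anonymous, writable and listable, while `private` requires a user and is hidden from the listing.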
Post-Exploitation
Upload artifacts like modified scripts or binaries to maintain access:
Sensitive data identified during enumeration can be exfiltrated using rsync:
From Remote to Local
We can sync a remote folder with a local folder.
From Local to Remote
We can sync our local folder with a remote folder.
To locate the rsyncd configuration file and potentially find a secrets file containing usernames and passwords for rsyncd authentication, use the following command: