Rsync is a utility for efficiently transferring and synchronizing files between a computer and an external hard drive and across a network. By default it runs on TCP port 873.
Practice
Enumeration
To initiate a connection with an rsync server, use the rsync command followed by the rsync URL.
# The URL format is [rsync://][user@]host[:port]/module.
rsync rsync://user@target_host/
You can use Netcat to find out what service is running and its version by looking at the welcome message it shows when you connect. This method is called Banner Grabbing.
You can use Nmap to check if there's an Rsync server on a target host like this:
nmap -p 873 <IP>
We can then enumerate modules. This is a crucial enumeration phase to understand the structure of the target rsync module and find misconfigurations or sensitive information.
Be aware that some shares might be restricted to specific credentials, indicated by an "Access Denied" message. We can try to brute-force the password using the following command.
Modules without proper authentication can be accessed by unauthorized users. This vulnerability allows attackers to read, modify, or delete sensitive data.
If a module is writable, and you have determined its path through enumeration, you can upload malicious files, potentially leading to remote command execution or pivoting into the network.
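Both conditions described above (modules with no authentication, and writable modules) can be checked on the server side by reading rsyncd.conf. The following Python audit is an added example, not part of the original page; the sample configuration is constructed, and the names `parse` and `audit` are hypothetical.

```python
SAMPLE_CONF = """\
# constructed sample rsyncd.conf, not taken from any real host
read only = yes

[public]
path = /srv/public

[backups]
path = /srv/backups
read only = no

[staging]
path = /srv/staging
read only = false
auth users = deploy
secrets file = /etc/rsyncd.secrets
"""

TRUE = {"yes", "true", "1"}  # boolean spellings rsyncd.conf accepts

def parse(text):
    """Return {module: params}; global parameters act as module defaults."""
    defaults, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            # "[global]" switches back to the global parameter section
            current = None if name == "global" else modules.setdefault(name, dict(defaults))
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())  # normalise case and inner spaces
            (defaults if current is None else current)[key] = value
    return modules

def audit(text):
    """Map each module to its findings; modules with none are omitted."""
    findings = {}
    for name, params in parse(text).items():
        issues = []
        if not params.get("auth users"):
            issues.append("anonymous access (no auth users)")
        elif not params.get("secrets file"):
            issues.append("auth users set without a secrets file")
        # "read only" defaults to yes when the parameter is absent
        if params.get("read only", "yes").lower() not in TRUE:
            issues.append("writable")
        if issues:
            findings[name] = issues
    return findings
```

A module that reports both findings, like `backups` in the sample, is the case the two paragraphs above describe and should be fixed first.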
Post-Exploitation
Upload artifacts like modified scripts or binaries to maintain access:
To locate the rsyncd configuration file and potentially find a secrets file containing usernames and passwords for rsyncd authentication, use the following command: