Rsync - Port 873
Rsync is a fast and versatile utility for transferring files remotely while minimizing data transfer using delta encoding. It is often used in backup and mirroring operations across Linux-based systems. However, its default configurations can expose sensitive information and permit unauthorized file access, making it a prime target during network service penetration testing.
Rsync operates over TCP, commonly on port 873, and uses a synchronization protocol to efficiently update files across systems. It supports both anonymous and authenticated access. When misconfigured, Rsync can allow attackers to list directories, read sensitive files, and even upload malicious content.
Modules: Exported directory paths made available via the Rsync server.
Access Control: Can be configured per module using rsyncd.conf.
Authentication: Optional, often misconfigured or completely absent.
Use Nmap to detect Rsync:
This reveals whether the Rsync service is active and provides module listings if anonymous access is enabled.
Typing any string followed by [ENTER] may return a list of modules or version info if unauthenticated access is permitted.
When Rsync is configured to allow anonymous read access, attackers can extract full directory listings and files.
This command will return all available modules exposed by the server.
Rsync modules are recognized as directory shares that might be protected with passwords. To identify available modules and check if they require passwords, the following commands are used:
Be aware that some shares might be hidden and therefore not appear in the list. Additionally, access to some shares might be restricted to specific credentials, indicated by an "Access Denied" message.
This enables full recursive download of the exposed directory structure and contents.
During enumeration, focus on:
Config files (*.conf, settings.py)
Credential dumps
SSH keys
Backup folders (e.g., /etc/, /var/www/, /home/)
Rsync uses a challenge-response mechanism based on rsyncd.secrets. Brute-forcing weak credentials may provide access to restricted modules.
rsync-brute
If access is granted, reuse earlier enumeration and download techniques.
When write access is enabled (either anonymously or post-authentication), it's possible to:
Inject Web Shells: Target modules synced with web roots (e.g., /var/www/html)
Overwrite Configurations: Drop malicious configs to alter service behavior
Poison Backup Systems: Place files to be replicated into other sensitive areas