# Rsync - Port 873


## Basic info

Rsync is a fast and versatile utility for transferring files remotely while minimizing data transfer using delta encoding. It is often used in backup and mirroring operations across Linux-based systems. However, its default configurations can expose sensitive information and permit unauthorized file access, making it a prime target during network service penetration testing.

### Understanding How Rsync Works

Rsync operates over TCP, commonly on port **873**, and uses a synchronization protocol to efficiently update files across systems. It supports both anonymous and authenticated access. When misconfigured, Rsync can allow attackers to list directories, read sensitive files, and even upload malicious content.

#### Basic Rsync Connection Structure:

* **Modules:** Exported directory paths made available via the Rsync server.
* **Access Control:** Can be configured per module using `rsyncd.conf`.
* **Authentication:** Optional, often misconfigured or completely absent.
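
These per-module settings decide whether a share is anonymous, writable or hidden, so they are worth auditing on servers you run. The following is an added example, not part of the original page: a Python audit of an `rsyncd.conf` that flags risky modules. The sample config, its module names and the `parse`/`audit` helpers are constructed for illustration; `auth users`, `read only`, `hosts allow` and `list` are real `rsyncd.conf` parameters.

```python
import re

# Constructed sample rsyncd.conf; module names and paths are made up.
SAMPLE_CONF = """\
hosts allow = 10.0.0.0/8
[public]
    path = /srv/mirror
[www]
    path = /var/www/html
    read only = no
[backup]
    path = /srv/backup
    auth users = backupsvc
    secrets file = /etc/rsyncd.secrets
    list = no
"""

# rsyncd.conf(5) defaults for the module parameters checked below.
DEFAULTS = {"authusers": "", "readonly": "yes", "hostsallow": "", "list": "yes"}
TRUE = {"yes", "true", "1"}

def parse(text):
    """Return {module: params}; names ignore case/whitespace, globals are defaults."""
    global_params, modules, current = dict(DEFAULTS), {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), dict(global_params))
        elif "=" in line and not line.startswith("#"):
            name, value = line.split("=", 1)
            key = re.sub(r"\s+", "", name).lower()
            (global_params if current is None else current)[key] = value.strip()
    return modules

def audit(text):
    """Map each module name to its list of findings (empty = nothing flagged)."""
    report = {}
    for module, p in parse(text).items():
        checks = [
            (not p["authusers"], "anonymous access: no 'auth users'"),
            (p["readonly"].lower() not in TRUE, "writable: 'read only' is off"),
            (not p["hostsallow"], "no 'hosts allow' restriction"),
            (p["list"].lower() in TRUE, "advertised in module listing"),
        ]
        report[module] = [msg for hit, msg in checks if hit]
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A module that reports both "anonymous access" and "writable" is the combination the upload scenarios later on this page depend on.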

***

## Initial Enumeration of Rsync Services

### Banner & Manual Communication

```bash
nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0        <--- You receive this banner with the version from the server
@RSYNCD: 31.0        <--- Then you send the same info
#list                <--- Then you ask the server to list
raidroot             <--- The server starts enumerating
USBCopy
NAS_Public
_NAS_Recycle_TOSRAID <--- Enumeration finished
@RSYNCD: EXIT        <--- Server closes the connection


# Now let's try to enumerate "raidroot"
nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0
@RSYNCD: 31.0
raidroot
@RSYNCD: AUTHREQD 7H6CqsHCPG06kRiFkKwD8g    <--- This means you need the password
```

### **Port Scanning**

Use Nmap to detect Rsync:

```bash
nmap -sV -p 873 --script=rsync-list-modules <target>
```

This reveals whether the Rsync service is active and provides module listings if anonymous access is enabled.

### **Banner Grabbing**

```bash
nc <target_ip> 873
```

Typing any string followed by `[ENTER]` may return a list of modules or version info if unauthenticated access is permitted.

***

## Exploiting Anonymous Rsync Modules

When Rsync is configured to allow anonymous read access, attackers can extract full directory listings and files.

### Discovering Public Modules

```bash
rsync rsync://<target_ip>
```

This command will return all available modules exposed by the server.

### Listing Files Inside a Module

```bash
rsync rsync://<target_ip>/module_name
```

**Rsync modules** are **directory shares** that may be **protected with passwords**. To identify the available modules and check whether they require passwords, use the following commands:

```bash
nmap -sV --script "rsync-list-modules" -p <PORT> <IP>
msf> use auxiliary/scanner/rsync/modules_list

# Example with IPv6 and alternate port
rsync -av --list-only rsync://[dead:beef::250:56ff:feb9:e90a]:8730
```

Be aware that some shares might be hidden and therefore not appear in the list. Additionally, access to some shares might be restricted to specific **credentials**, indicated by an **"Access Denied"** message.

### Downloading Files from a Module

```bash
rsync -av rsync://<target_ip>/module_name /local/folder/
```

This performs a full recursive download of the exposed directory structure and its contents.

#### Identifying Sensitive Data

During enumeration, focus on:

* Config files (`*.conf`, `settings.py`)
* Credential dumps
* SSH keys
* Backup folders (e.g., `/etc/`, `/var/www/`, `/home/`)

***

## Brute Forcing Rsync Credentials (If Authentication Is Enabled)

Rsync uses a challenge-response mechanism based on `rsyncd.secrets`. Brute-forcing weak credentials may provide access to restricted modules.

#### Tool: `rsync-brute`

```bash
hydra -l admin -P passwords.txt rsync://<target_ip>/module_name
nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>
```

If access is granted, reuse earlier enumeration and download techniques.
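
On the server side, password guessing like this shows up as bursts of `auth failed on module` entries in the rsync daemon log. The following is an added example, not part of the original page: a Python detector that flags source addresses exceeding a failure threshold inside a sliding time window. The log lines are constructed, the timestamp/pid prefix is assumed to be the daemon's default layout, and `auth_failures`/`flag_bruteforce` are hypothetical helper names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed rsyncd log lines (assumed default "date time [pid] message"
# layout); the addresses come from documentation ranges.
SAMPLE_LOG = """\
2024/05/01 10:00:01 [4101] auth failed on module backup from UNKNOWN (198.51.100.7) for admin: password mismatch
2024/05/01 10:00:03 [4102] auth failed on module backup from UNKNOWN (198.51.100.7) for admin: password mismatch
2024/05/01 10:00:05 [4103] auth failed on module backup from UNKNOWN (198.51.100.7) for admin: password mismatch
2024/05/01 10:00:07 [4104] auth failed on module backup from UNKNOWN (198.51.100.7) for admin: password mismatch
2024/05/01 10:00:09 [4105] auth failed on module backup from UNKNOWN (198.51.100.7) for admin: password mismatch
2024/05/01 10:02:30 [4110] auth failed on module backup from UNKNOWN (192.0.2.10) for backupsvc: password mismatch
2024/05/01 10:02:41 [4111] rsync on backup/ from backupsvc@UNKNOWN (192.0.2.10)
"""

# Captures timestamp, module and source address; the text after the address
# is ignored, so lines with or without "for <user>" both match.
FAIL = re.compile(
    r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[\d+\] auth failed on module (\S+) "
    r"from \S+ \(([^)]+)\)")

def auth_failures(log_text):
    """Return {source_ip: [(timestamp, module), ...]} for failed logins."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            out[m.group(3)].append((ts, m.group(2)))
    return out

def flag_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: [modules]} for sources with >= threshold failures in window."""
    flagged = {}
    for ip, events in auth_failures(log_text).items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1  # drop failures that fell out of the window
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({mod for _, mod in events})
                break
    return flagged

if __name__ == "__main__":
    print(flag_bruteforce(SAMPLE_LOG))
```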

***

## Upload-Based Attacks

When write access is enabled (either anonymously or post-authentication), it’s possible to:

* **Inject Web Shells:** Target modules synced with web roots (e.g., `/var/www/html`)
* **Overwrite Configurations:** Drop malicious configs to alter service behavior
* **Poison Backup Systems:** Place files to be replicated into other sensitive areas

***

