Rsync - Port 873
Basic info
Rsync is a fast and versatile utility for transferring files remotely while minimizing data transfer using delta encoding. It is often used in backup and mirroring operations across Linux-based systems. However, its default configurations can expose sensitive information and permit unauthorized file access, making it a prime target during network service penetration testing.
Understanding How Rsync Works
Rsync operates over TCP, commonly on port 873, and uses a synchronization protocol to efficiently update files across systems. It supports both anonymous and authenticated access. When misconfigured, Rsync can allow attackers to list directories, read sensitive files, and even upload malicious content.
Basic Rsync Connection Structure:
Modules: Exported directory paths made available via the Rsync server.
Access Control: Can be configured per module using rsyncd.conf.
Authentication: Optional, often misconfigured or completely absent.
Initial Enumeration of Rsync Services
Banner & Manual communication
nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0 <--- You receive this banner with the version from the server
@RSYNCD: 31.0 <--- Then you send the same info
#list <--- Then you ask the server to list
raidroot <--- The server starts enumerating
USBCopy
NAS_Public
_NAS_Recycle_TOSRAID <--- Enumeration finished
@RSYNCD: EXIT <--- Server closes the connection
# Now let's try to enumerate "raidroot"
nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0
@RSYNCD: 31.0
raidroot
@RSYNCD: AUTHREQD 7H6CqsHCPG06kRiFkKwD8g <--- This means you need the password
Port Scanning
Use Nmap to detect Rsync:
nmap -sV -p 873 --script=rsync-list-modules <target>
This reveals whether the Rsync service is active and provides module listings if anonymous access is enabled.
Banner Grabbing
nc <target_ip> 873
Typing any string followed by [ENTER] may return a list of modules or version info if unauthenticated access is permitted.
Exploiting Anonymous Rsync Modules
When Rsync is configured to allow anonymous read access, attackers can extract full directory listings and files.
Discovering Public Modules
rsync rsync://<target_ip>
This command will return all available modules exposed by the server.
Listing Files Inside a Module
rsync rsync://<target_ip>/module_name
Rsync modules are recognized as directory shares that might be protected with passwords. To identify available modules and check if they require passwords, the following commands are used:
nmap -sV --script "rsync-list-modules" -p <PORT> <IP>
msf> use auxiliary/scanner/rsync/modules_list
# Example with IPv6 and alternate port
rsync -av --list-only rsync://[dead:beef::250:56ff:feb9:e90a]:8730
Be aware that some shares might not appear in the list because the server can hide them. Additionally, access to some shares might be restricted to specific credentials, indicated by an "Access Denied" message.
Downloading Files from a Module
rsync -av rsync://<target_ip>/module_name /local/folder/
This enables full recursive download of the exposed directory structure and contents.
Identifying Sensitive Data
During enumeration, focus on:
Config files (*.conf, settings.py)
Credential dumps
SSH keys
Backup folders (e.g., /etc/, /var/www/, /home/)
Brute Forcing Rsync Credentials (If Authentication Is Enabled)
Rsync uses a challenge-response mechanism based on rsyncd.secrets. Brute-forcing weak credentials may provide access to restricted modules.
Tool: rsync-brute
hydra -l admin -P passwords.txt rsync://<target_ip>/module_name
nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>
If access is granted, reuse earlier enumeration and download techniques.
Upload-Based Attacks
When write access is enabled (either anonymously or post-authentication), it's possible to:
Inject Web Shells: Target modules synced with web roots (e.g., /var/www/html)
Overwrite Configurations: Drop malicious configs to alter service behavior
Poison Backup Systems: Place files to be replicated into other sensitive areas
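The misconfigurations described under "Understanding How Rsync Works" and "Upload-Based Attacks" can be caught on the server side before anyone scans for them. The following is an added example, not part of the original page: it audits an rsyncd.conf for modules with no auth users, with read only disabled, with no hosts allow, or left listable. The sample configuration, module names, addresses and finding strings are constructed, and the parser is simplified (no line continuations).

```python
import re
# Constructed sample rsyncd.conf; module names, paths and addresses are made up.
SAMPLE_CONF = """\
[mirror]
path = /srv/mirror
[www]
path = /var/www/html
read only = no
[backups]
path = /srv/backups
read only = no
auth users = backup
secrets file = /etc/rsyncd.secrets
hosts allow = 10.0.0.5
list = no
"""
FALSY = {"no", "false", "0"}  # values rsyncd treats as boolean false

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}); line continuations are not handled."""
    globals_, modules, current = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), {})
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())  # parameter names are case-insensitive
            (globals_ if current is None else current)[key] = value.strip()
    return globals_, modules

def audit(text):
    """Map each module to its findings; global values act as module defaults."""
    globals_, modules = parse_rsyncd_conf(text)
    report = {}
    for name, params in modules.items():
        eff = {**globals_, **params}
        anonymous = not eff.get("auth users")
        writable = eff.get("read only", "yes").lower() in FALSY  # rsyncd default: yes
        checks = [
            (anonymous and writable, "CRITICAL: anonymous write access"),
            (anonymous and not writable, "anonymous read access"),
            (not eff.get("hosts allow"), "no hosts allow restriction"),
            (eff.get("list", "yes").lower() not in FALSY, "module appears in listings"),
        ]
        report[name] = [msg for hit, msg in checks if hit]
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

In the constructed sample, the www module is the one that matches the upload scenario above, while backups shows the corrected form: authenticated, host-restricted and hidden from listings.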