rsync
aka rsyncd
Sync daemon on 873. Modules are frequently anonymous and writable, letting you read sensitive files or drop an SSH key / cron job.
Ports
| Port | Proto | Notes |
|---|---|---|
| 873 | tcp | rsync daemon |
Fingerprint
- rsync --list-only rsync://<host>/ lists modules
- @RSYNCD banner on connect
Key files
| Path | Holds | Sensitive |
|---|---|---|
| /etc/rsyncd.conf | module paths, auth and read-only flags | sensitive |
Default / weak creds
often none (anonymous modules)
Exploitation primitives
- List and browse modules anonymously to read files
- Writable module mapping to a home dir: upload ~/.ssh/authorized_keys, or to /etc/cron.d for code exec
Overview
rsync on 873 exposes named modules. When a module allows anonymous access (and especially writes), it is a quick file read or a foothold via key/cron drop.
Enumeration
List modules:
rsync --list-only rsync://<TARGET>/
Pull files from a module:
rsync -av rsync://<TARGET>/<module>/ ./loot/
Write an SSH key if the module is writable:
rsync -av key.pub rsync://<TARGET>/<module>/.ssh/authorized_keys
Hardening
Require auth on modules, set read only = yes, and bind to trusted networks.
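A way to check /etc/rsyncd.conf against the three hardening points above, as an added example that is not part of the original page. The function names and the sample config are hypothetical and constructed for illustration; the parser is simplified and ignores line continuations, include directives and hosts deny.

```python
import re

# Constructed sample config for this example (not from a real host).
SAMPLE_CONF = """\
# global section: module parameters set here become per-module defaults
read only = no
[backup]
path = /srv/backup
read only = yes
auth users = backupsvc
hosts allow = 10.0.0.0/8
[home]
path = /home/deploy
[pub]
path = /srv/pub
readonly = true
"""
TRUE = {"yes", "true", "1"}

def parse_rsyncd_conf(text):
    """Return {module: params}; global parameters act as module defaults."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:  # module header: start from a copy of the global defaults
            current = modules.setdefault(m.group(1).strip(), dict(globals_))
        elif line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            # rsyncd ignores whitespace in parameter names ("read only" == "readonly")
            key = re.sub(r"\s+", "", key).lower()
            (globals_ if current is None else current)[key] = value.strip()
    return modules

def audit(text):
    """Return {module: [issues]} for modules missing a hardening setting."""
    findings = {}
    for name, p in parse_rsyncd_conf(text).items():
        checks = [
            ("anonymous", not p.get("authusers")),  # no auth users set
            ("writable", p.get("readonly", "yes").lower() not in TRUE),
            ("any-host", not p.get("hostsallow")),  # no hosts allow set
        ]
        issues = [label for label, bad in checks if bad]
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

The [home] module in the sample never sets read only itself; it is flagged as writable because it inherits read only = no from the global section, which is easy to miss when reviewing modules one at a time.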