Thursday, December 15, 2016

Pentesting Rsync

Pentesting rsync.. is what I googled when I first saw it reported as an open service from Nessus. I hadn't seen it much and most available documentation about it was just a short usage manual. Rsync (Remote Sync) is an open source utility that provides fast incremental file transfer. Rsync copies files either to or from a remote host, or locally on the current host. It is commonly found on *nix systems and functions as both a file synchronization and file transfer program.

According to samba.org: There are two different ways for rsync to contact a remote system: using a remote-shell program as the transport (such as ssh or rsh) or contacting an rsync daemon directly via TCP. The remote-shell transport is used whenever the source or destination path contains a single colon (:) separator after a host specification. Contacting an rsync daemon directly happens when the source or destination path contains a double colon (::) separator after a host specification, OR when an rsync:// URL is specified.

So how do we detect rsync and take advantage of it during a pentest? During a recent test one of the Nessus results was plugin 11389 which is rsync service detection. Furthermore each of the hosts in the “Hosts” section had a list of rsync modules with their name, description, and access rights.

The default port you will typically find an rsync daemon running on is 873 and also potentially 8873. If you aren’t using nessus a simple nmap scan of those ports will let you know if either port is open. Once you have determined an rsync service is running you can use the metasploit module auxiliary/scanner/rsync/modules_list which lists the names of the modules the same way the Nessus plugin did.

Alternatively you can also use the nmap script rsync-list-modules to get a list of rsync modules.

nmap --script=rsync-list-modules <ip> -p 873

Once you have the list of modules you have a few different options depending on the actions you want to take and whether or not authentication is required. If authentication is not required you can copy all files to your local machine via the following command:

rsync -av 0.0.0.0:module_name_1 /data/tmp

This recursively transfers all files from the directory “module_name_1” on the machine 0.0.0.0 into the /data/tmp directory on the local machine. The files are transferred in "archive" mode, which ensures that symbolic links, devices, attributes, permissions, ownerships, etc. are preserved in the transfer. Happy dumpster diving!

But… what if authentication is required? Some modules on the remote daemon may require authentication. If so, you will receive a password prompt when you connect. As a pentester you still have options! There is a NSE script called rsync-brute which performs brute force password auditing against the rsync remote file syncing protocol.

Resources:
https://www.samba.org/ftp/rsync/rsync.html
https://www.rapid7.com/db/modules/auxiliary/scanner/rsync/modules_list
https://nmap.org/nsedoc/scripts/rsync-brute.html
https://www.tenable.com/plugins/index.php?view=single&id=11389