07 Apr, 2023

Remote Synchronization (RSYNC)


Rsync is a utility for transferring and synchronizing files between computers. The rsync daemon has an IP filter, but by default all hosts are allowed. The auth users directive relies on a “secrets” file, for example /etc/rsyncd/rsyncd.secrets. This file contains the username and password combinations for rsync accounts in plain text. By default there is no authentication, and rsyncd uses no encryption.

RSYNC common ports

The rsync protocol uses TCP as the underlying transport protocol, and the default port for rsync is TCP port 873. However, rsync can also be configured to use a different port using the “--port” option.

TCP port 22: rsync can be run over SSH, in which case it uses TCP port 22 for communication.

TCP port 6010: rsync can use TCP port 6010 for its remote shell mode.

TCP port 8730: rsync can be configured to use TCP port 8730 instead of the default port 873.

Standard commands from unauthorised users

rsync <source_file> <destination_file>: This command can be used by an unauthorized user to copy files from one location to another.

rsync -avz <source_directory> <destination_directory>: This command can be used to transfer a directory recursively from one location to another.

rsync -a --delete <source_directory> <destination_directory>: This command can be used to delete files from the destination directory that are not present in the source directory.

rsync -n <source_file> <destination_file>: This command can be used to perform a dry run of the rsync command to see what changes would be made without actually making them.

rsync -e <ssh_command> <source_file> <destination_file>: This command can be used to transfer files securely using SSH.

Connection with enumeration

auxiliary/scanner/rsync/modules_list

nmap -p 873 --script rsync-list-modules <ip>

Recon or Non Standard command

rsync -6 --list-only rsync://192.168.1.29:873/

Bruteforce

https://github.com/ZyperX/rsync_bruteforcer

https://vulners.com/metasploit/MSF:AUXILIARY/SCANNER/RSYNC/MODULES_LIST

nmap -p 873 --script rsync-brute --script-args 'rsync-brute.module=www' <ip>

Tools for using protocol RSYNC

Manual Tools:

  • rsync – is an open-source tool used for file synchronization and backup between systems. It is available on all major operating systems and can be used to copy files both locally and remotely over a network.

  • nc – is a command-line tool used for creating network connections. It can be used to test the Rsync service by connecting to the Rsync port (873) and sending commands.

  • telnet – is another command-line tool used for creating network connections. It can be used to test the Rsync service by connecting to the Rsync port (873) and sending commands.

  • curl – is a command-line tool used for transferring data from or to a server. It can be used to test the Rsync service by sending HTTP requests to the Rsync port (873).

  • wget – is a command-line tool used for downloading files from the web. It can be used to test the Rsync service by downloading files from an Rsync server.

  • nmap – is a network exploration and security auditing tool. It can be used to scan for open Rsync ports on a network and perform various tests on the Rsync service.

  • Wireshark – is a network protocol analyzer that allows you to capture and view the network traffic. It can be used to analyze the Rsync protocol and identify any vulnerabilities or issues.

Automated Tools:

  • rsync-scanner – is an automated tool used for scanning networks for open Rsync ports and enumerating available files and directories.

  • rsync-exploit – is an automated tool used for exploiting vulnerable Rsync servers by uploading and executing arbitrary code on the target system.

  • rsniffer – is an automated tool used for sniffing Rsync traffic and extracting information such as usernames, passwords, and file names.

  • rsync-brute – is an automated tool used for brute-forcing Rsync credentials by trying multiple username and password combinations.

  • rsync-bp – is an automated tool used for backing up Rsync servers and identifying potential vulnerabilities in the backup process.

  • rsyncker – is an automated tool used for synchronizing files between two Rsync servers and identifying any inconsistencies or issues.

  • rsync-check – is an automated tool used for checking the integrity of Rsync backups by comparing the original and backup files.

  • rsync-sandbox – is an automated tool used for creating a sandboxed environment for testing Rsync servers and identifying potential vulnerabilities.

  • rsync-reporter – is an automated tool used for generating reports on the Rsync server, including information on available files, directories, and permissions.

  • rsync-crawler – is an automated tool used for crawling Rsync servers and collecting information such as file names, sizes, and permissions.

  • rsync-audit – is an automated tool used for auditing Rsync servers and identifying potential security issues such as open ports, outdated software, and weak credentials.

  • rsync-backup – is an automated tool used for backing up files to an Rsync server and verifying the integrity of the backup process.

Last five known CVE for RSYNC

CVE-2022-29154: An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file). 

CVE-2022-26479: An issue was discovered in Poly EagleEye Director II before 2.2.2.1. Existence of a certain file (which can be created via an rsync backdoor) causes all API calls to execute as admin without authentication. 

CVE-2021-3907: OctoRPKI does not escape a URI with a filename containing “..”, this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on. 

CVE-2020-14387: A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly validates certificate with host mismatch vulnerability. A remote, unauthenticated attacker could exploit the flaw by performing a man-in-the-middle attack using a valid certificate for another hostname which could compromise confidentiality and integrity of data transmitted using rsync-ssl. The highest threat from this vulnerability is to data confidentiality and integrity. This flaw affects rsync versions before 3.2.4. 

CVE-2020-10120: cPanel before 84.0.20 allows resellers to achieve remote code execution as root via a cpsrvd rsync shell (SEC-545). 
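
For CVE-2021-3907 above, the following added Python example (not code from OctoRPKI or rsync) contrasts an unchecked join of the URI path onto a cache directory with a check that rejects ".." components and confirms the resolved path stays under the base. The function names and the flat cache layout (host name not part of the path) are assumptions made for illustration.

```python
import os
from urllib.parse import unquote, urlsplit

# URI quoted in the CVE-2021-3907 description above.
TRAVERSAL_URI = "rsync://example.org/repo/../../etc/cron.daily/evil.roa"

def naive_cache_path(base, uri):
    """Unsafe: joins the URI path onto base without validating it."""
    return os.path.normpath(os.path.join(base, urlsplit(uri).path.lstrip("/")))

def safe_join(base, untrusted_relative):
    """Resolve a peer-supplied relative name under base, or raise ValueError."""
    parts = [p for p in untrusted_relative.split("/") if p]
    if not parts or any(p in (".", "..") or "\x00" in p for p in parts):
        raise ValueError(f"rejected path: {untrusted_relative!r}")
    base_real = os.path.realpath(base)
    # realpath also resolves symlinks already on disk, so a link that sits
    # inside base cannot redirect the write to another directory.
    target = os.path.realpath(os.path.join(base_real, *parts))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError(f"escapes base directory: {untrusted_relative!r}")
    return target

def safe_cache_path(base, uri):
    """Hardened counterpart of naive_cache_path for rsync:// URIs."""
    u = urlsplit(uri)
    if u.scheme != "rsync" or not u.hostname:
        raise ValueError(f"not an rsync URI: {uri!r}")
    # Decode percent-escapes first so an encoded ".." is caught as well.
    return safe_join(base, unquote(u.path))
```

With a base of /var/cache/rpki (a hypothetical path), naive_cache_path maps the URI from the advisory to /var/cache/etc/cron.daily/evil.roa, outside the base, while safe_cache_path raises ValueError for it.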

Useful information

– Was developed by Andrew Tridgell and Paul Mackerras in 1996 as a replacement for the traditional Unix command “rsh” for remote execution.

– Uses a delta-transfer algorithm that transfers only the differences between the source and destination files instead of transferring the entire file. This makes it very efficient for transferring large files or directories with many files.

– Supports both SSH and RSH for secure communication between the source and destination systems. It also supports authentication using passwords or public keys.

– Can synchronize files both locally and remotely. It can also synchronize files between different operating systems such as Linux, macOS, and Windows.

– Command-line tool, but there are also graphical user interfaces available such as Grsync and Luckybackup.

– Can be used for incremental backups, which means it only transfers the changes made to files since the last backup. This makes it a popular choice for backup solutions.

– Can be used to synchronize files between multiple servers or to create a distributed file system.

– Used in combination with other tools such as Cron and SSH for automated backups and synchronization.

– Open-source software and is widely used by system administrators, web developers, and data scientists.

Known banners

“rsync version X.X.X protocol version YY” – This is the standard banner displayed when connecting to an rsync server. The X.X.X represents the version of rsync running on the server, while YY is the protocol version being used.

“rsync daemon X.X.X protocol version YY” – This banner is displayed when connecting to an rsync daemon, which is a special mode of rsync that runs as a standalone service.

“@RSYNCD: X.X.X” – This banner is displayed when connecting to an rsync daemon using the RSYNC protocol. It includes the version number of the daemon.

“SSH-2.0-rsync” – This banner is displayed when connecting to an rsync server over SSH. It indicates that the rsync protocol is being used over an SSH connection.

“Welcome to rsync” – This banner is displayed when connecting to an rsync server that has been customized to display a welcome message.

Books for studying RSYNC

“Rsync: Backup and Restore for Linux and UNIX Systems” by Tony Houghton – This book provides detailed information on how to use rsync for backup and restore operations on Linux and UNIX systems. It covers both basic and advanced usage, including scripting and automation.

“The Rsync Book” by Andrew Tridgell and Paul Mackerras – This book is a comprehensive guide to using rsync for backup and file synchronization. It covers a range of topics, including how rsync works, how to use it, and how to troubleshoot common issues.

“Linux Transfer for Power Users: Rsync Usage and Examples” by Marcus Sanatan – This book focuses on using rsync for transferring files and directories between Linux systems. It includes practical examples and tips for optimizing rsync performance.

“The Art of Unix Programming” by Eric S. Raymond – This book covers the principles of Unix programming, including the use of rsync for file synchronization. It includes a chapter on rsync that provides an overview of the tool and its features.

“Rsync Pocket Reference” by Donovan C. Tengblad – This is a concise reference guide to rsync that provides a quick introduction to the tool and its basic usage. It includes tips and examples for using rsync effectively.

“The Linux Command Line: A Complete Introduction” by William E. Shotts Jr. – This book is a comprehensive guide to using the Linux command line, including an introduction to rsync and its basic usage. It also covers other file transfer tools and techniques.

“Linux Bible” by Christopher Negus – This book is a comprehensive guide to Linux, including an overview of rsync and how to use it for file synchronization and backup operations. It covers a range of other topics, including system administration and security.

“The Official Ubuntu Book” by Benjamin Hill, Matthew Helmke, Corey Burger – This book is an introduction to Ubuntu Linux, including an overview of rsync and how to use it for file synchronization and backup operations. It also covers other file transfer tools and techniques.

“Pro Linux System Administration” by Dennis Matotek, James Turnbull, and Peter Lieverdink – This book is a guide to Linux system administration, including an overview of rsync and how to use it for backup and file synchronization. It also covers other topics such as network administration and security.

“Linux Administration Handbook” by Evi Nemeth, Garth Snyder, Trent R. Hein, and Ben Whaley – This book is a comprehensive guide to Linux administration, including an overview of rsync and how to use it for backup and file synchronization. It covers a range of other topics, including system monitoring, network administration, and security.

List of Payloads for RSYNC

  • -a: Archive mode. This option preserves all file attributes, permissions, and timestamps.

  • -v: Verbose mode. This option provides more detailed output about the transfer process.

  • -r: Recursive mode. This option copies all directories and subdirectories.

  • -u: Update mode. This option skips files that are newer on the destination.

  • -z: Compression mode. This option compresses data during transfer to reduce the amount of network bandwidth used.

  • --delete: Delete mode. This option deletes files on the destination that are not present on the source.

  • --exclude: Exclude mode. This option excludes files or directories from the transfer process based on a given pattern or expression.

  • --dry-run: Dry-run mode. This option simulates the transfer process without actually transferring any files, allowing you to see what changes would be made.

  • --bwlimit: Bandwidth limit mode. This option limits the network bandwidth used during transfer to a specified amount.

  • --progress: Progress mode. This option displays a progress bar indicating the status of the transfer process.

Mitigation

  1. Use strong authentication: Use strong authentication methods, such as public key authentication, to secure rsync connections and prevent unauthorized access.

  2. Limit access: Restrict access to rsync services to only authorized users and hosts. Use firewalls and access control lists (ACLs) to limit access.

  3. Encrypt data in transit: Use encryption protocols such as SSH or SSL to encrypt data in transit to prevent eavesdropping and tampering.

  4. Keep software up-to-date: Keep rsync and other software up-to-date with the latest security patches and updates to prevent exploitation of known vulnerabilities.

  5. Monitor rsync activity: Monitor rsync activity for suspicious behavior and investigate any unusual activity.

  6. Secure the file system: Implement proper file system permissions to prevent unauthorized access to sensitive files and data.

  7. Use secure channels: Use secure channels, such as VPNs or SSH tunnels, to connect to rsync services over untrusted networks.

  8. Disable unneeded rsync services: Disable any unnecessary rsync services to reduce the attack surface and minimize the risk of exploitation.

  9. Implement network segmentation: Implement network segmentation to isolate rsync services from other sensitive systems and data.

  10. Regularly back up data: Regularly back up critical data to minimize the impact of any security incidents that may occur.
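
As an added example (not part of the original page), the Python code below audits an rsyncd.conf for the daemon defaults described at the top of this page (no auth users, all hosts allowed) and for writable or listable modules, which ties the authentication and access-restriction items above to concrete settings. The sample configuration, its module names and the function names are constructed for illustration.

```python
# Added example: flag rsyncd.conf modules that keep the weak defaults.
SAMPLE_CONF = """\
# constructed sample configuration, not taken from a real host
[www]
    path = /srv/www
    read only = no

[backup]
    path = /srv/backup
    auth users = backup
    secrets file = /etc/rsyncd/rsyncd.secrets
    hosts allow = 192.168.1.0/24
    list = no
"""

def parse_rsyncd_conf(text):
    """Return {module: params}; parameters set before the first [module] are inherited."""
    global_params, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)  # only the first '=' is significant
            key = " ".join(key.lower().split())
            (global_params if current is None else current)[key] = value.strip()
    return {name: {**global_params, **params} for name, params in modules.items()}

def enabled(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit(text):
    """Map each module name to a list of findings (empty list = nothing flagged)."""
    report = {}
    for name, p in parse_rsyncd_conf(text).items():
        issues = []
        if not p.get("auth users"):
            issues.append("no 'auth users': anonymous access")
        if not p.get("hosts allow"):
            issues.append("no 'hosts allow': every host may connect")
        if not enabled(p.get("read only", "yes")):
            issues.append("'read only = no': clients may upload")
        if enabled(p.get("list", "yes")):
            issues.append("module appears in anonymous module listings")
        report[name] = issues
    return report
```

Calling audit(SAMPLE_CONF) reports four findings for the www module and none for backup; the secrets file itself should additionally be readable only by the daemon's user, which this check does not inspect.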

Conclusion

Rsync is a powerful tool for file synchronization and transfer, but it also comes with security risks. It’s important to follow best practices for securing rsync, such as using strong authentication, limiting access, encrypting data in transit, keeping software up-to-date, monitoring activity, securing the file system, using secure channels, disabling unneeded services, implementing network segmentation, and regularly backing up data. By taking these steps, you can minimize the risk of security incidents and ensure that your rsync transfers are secure and reliable.
