Notes
| Alternative Ports |
|---|
| 873 TCP (rsync daemon) |
Service Description
Rsync is a fast and versatile file-copying tool used for incremental backups and mirroring. When run as a daemon, it listens on TCP/873 and supports anonymous or authenticated access to defined modules (file paths). Commonly used in backup infrastructure and staging environments.
Anonymous Access
Some rsync daemons are configured with public modules accessible without authentication, exposing internal files or configs.
Attacks
Anonymous Module Listing
When allowed, rsync will list available modules and expose accessible paths.
Anonymous Read Access
Modules may allow file downloads without credentials.
Weak or Default Auth
Modules requiring authentication may use weak or reused credentials.
Tools & Exploits
Enumeration
nmap
Rsync version and module discovery.
nmap -p873 --script rsync-list-modules <target>rsync (CLI)
Enumerate and pull data.
# List available modules
rsync rsync://<target>/
# Recursively list or copy a module
rsync -av rsync://<target>/<module>/Metasploit
use auxiliary/scanner/rsync/modules_listExploitation or Post-Enum
Download Full Directory
If a module allows anonymous access:
rsync -av rsync://<target>/<module>/ ./loot/Find Sensitive Configs / Keys
Look for:
.ssh/,.bash_historyconfig,*.yml,*.env,shadow,passwd- System backups or database dumps
Wireshark Analysis Tips
Filters
tcp.port == 873What to look for:
- Module listings
- Filenames, paths, metadata in plain text
- Lack of encryption or authentication