Pentesting Rusersd Service

Overview

The rusersd protocol (Remote Users Daemon) is a legacy Unix service that can leak usernames from a target host. This is a valuable reconnaissance technique during penetration testing and security assessments.

When to Use This Skill

• You need to enumerate usernames on a target system
• Port scanning reveals ports 512, 513, or 514 (rsh, rexec, rusers)
• RPC port mapper shows rusersd service
• You're performing network reconnaissance on Unix/Linux systems
• You need to gather user account information for further exploitation

What is Rusersd?

Rusersd is a legacy Unix daemon that provides information about logged-in users on a system. It's part of the r-commands suite (rsh, rlogin, rexec) and is notoriously insecure:

• No authentication required to query
• No encryption - data sent in plaintext
• Often misconfigured or left running on legacy systems
• Port 513/UDP is the standard port

Enumeration Commands

Basic User Enumeration

# Install rusers tool (if not available)
apt-get install rusers

# Query a specific target
rusers -l <target-ip>

# Example output:
# tiff       potatohead:console         Sep  2 13:03   22:03
# katykat    potatohead:ttyp5           Sep  1 09:35      14

Understanding the Output

The output format is:

<username>    <hostname>:<terminal>    <date> <time>    <idle-time>

• Username: The logged-in user account
• Hostname:Terminal: Which system and terminal (console, ttyp0, pts/0, etc.)
• Date/Time: When the session started
• Idle Time: How long since last activity

Detection Methods

Via Port Scanner

# Nmap scan for rusersd
nmap -sU -p 513 <target>

# Full RPC scan
nmap -sU --script rpcinfo <target>

Via RPC Port Mapper

# Check RPC services
rpcinfo -p <target>

# Look for rusersd in the output
# program vers   proto port  service
# 100006  2,3    udp   513   rusers

Practical Workflow

1. Identify the service - Scan for UDP port 513 or check RPC port mapper
2. Run enumeration - Use

   rusers -l <target>

   to get usernames
3. Document findings - Record all discovered usernames
4. Use for further testing - Try these usernames in other attacks (SSH brute force, password spraying, etc.)

Security Implications

Why This Matters

• Username discovery is often the first step in an attack
• Legacy systems may still have this running
• No authentication means anyone can query
• Information disclosure can lead to targeted attacks

Remediation (for defenders)

• Disable rusersd service
• Block UDP port 513 at firewall
• Remove rusers package if not needed
• Use modern alternatives (SSH, LDAP, etc.)

Example Scenarios

Scenario 1: Initial Reconnaissance

Input: "I found UDP port 513 open on 192.168.1.100"

Action:

rusers -l 192.168.1.100

Expected Output: List of usernames logged into the system

Scenario 2: RPC Service Discovery

Input: "rpcinfo shows rusersd on the target"

Action:

# Confirm with direct query
rusers -l <target>

# Document all usernames for password testing

Limitations

• Legacy protocol - Modern systems rarely run this
• UDP-based - May be blocked by firewalls
• Requires rusers client - May need to install the tool
• Network access - Must be able to reach the target on UDP 513

Related Techniques

• RPC enumeration - Check for other legacy RPC services
• NFS enumeration - Often runs alongside rusersd
• Banner grabbing - Get service version information
• Username harvesting - Combine with other enumeration methods

Quick Reference

rusers -l <ip>

nmap -sU -p 513 <ip>

rpcinfo -p <ip>

apt-get install rusers

Notes

• This is a passive information gathering technique
• No authentication or credentials required
• Results may be cached or stale
• Always document findings for reporting
• Use responsibly in authorized security assessments only