Rusersd Service - Port 1026

Basic info

The rusersd daemon, part of the legacy r-services suite, exposes information about logged-in users across networked UNIX systems. While originally designed for convenience in multi-user environments, rusersd can be leveraged by attackers to enumerate active users, session times, and even network structures. This information provides valuable intelligence during pre-exploitation and lateral movement phases of an attack.

Understanding rusersd and Its Underlying Protocol

The rusers service relies on RPC (Remote Procedure Call) via portmapper (rpcbind) and operates over UDP/TCP port 873 (commonly UDP). It retrieves user session data from remote machines running the rusersd daemon.

Key service attributes:

• Communicates via SunRPC protocol.

• Requires rpcbind to resolve service ports.

• Does not require authentication by default.

• Can be queried using standard tools like rpcinfo, rusers, or showmount.

Enumerating rusersd for Valuable Information

Discovering RPC Services

Use rpcinfo to list available RPC services and determine if rusersd is running:

rpcinfo -p <target_ip>

Look for a line similar to:

100002    3   udp  873  rusersd
100002    3   tcp  873  rusersd

Querying Active User Sessions

Once rusersd is confirmed active, query the service directly:

rusers -a <target_ip>

This reveals:

• Logged-in usernames

• Terminal IDs

• Idle time

• Hostnames or IPs (useful for lateral movement)

Manual Queries via rpcclient (Optional)

For deeper probing and scripting:

rpcclient <target_ip> -U "" -N

Note: rpcclient is primarily SMB-related but RPC exploration can be extended using custom SunRPC tools.

Leveraging rusersd for Privilege Escalation and Lateral Movement

Identifying Valuable User Targets

Active usernames such as root, admin, or system operators provide immediate targets for:

• Brute-force or password spray attacks

• SSH key harvesting

• Privilege escalation via sudo/su or misconfigured cronjobs

Mapping Internal Network Topology

Output from rusers includes hostnames or IP addresses of logged-in sessions. These often reveal:

• Internal IP ranges (e.g., 192.168.1.x)

• Trust relationships between hosts

• NFS or rsh dependency paths

Timing Attacks Based on Idle Time

The idle time metric can help attackers identify:

• When administrators are likely offline

• When services or scripts may activate (e.g., after idle logout)

• Opportunities to inject payloads unnoticed