Rusersd Service - Port 1026
Basic info
The rusersd daemon, part of the legacy r-services suite, exposes information about logged-in users across networked UNIX systems. While originally designed for convenience in multi-user environments, rusersd can be leveraged by attackers to enumerate active users, session times, and even network structures. This information provides valuable intelligence during pre-exploitation and lateral movement phases of an attack.
Understanding rusersd and Its Underlying Protocol
The rusers service relies on RPC (Remote Procedure Call) via portmapper (rpcbind) and operates over UDP/TCP port 873 (commonly UDP). It retrieves user session data from remote machines running the rusersd daemon.
Key service attributes:
Communicates via the SunRPC protocol.
Requires rpcbind to resolve service ports.
Does not require authentication by default.
Can be queried using standard tools like rpcinfo, rusers, or showmount.
Enumerating rusersd for Valuable Information
Discovering RPC Services
Use rpcinfo to list available RPC services and determine if rusersd is running:
rpcinfo -p <target_ip>
Look for a line similar to:
100002 3 udp 873 rusersd
100002 3 tcp 873 rusersd
Querying Active User Sessions
Once rusersd is confirmed active, query the service directly:
rusers -a <target_ip>
This reveals:
Logged-in usernames
Terminal IDs
Idle time
Hostnames or IPs (useful for lateral movement)
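As an added example that is not part of the original page: a small Python parser for the rpcinfo -p output format shown above, which reports whether rusersd (RPC program number 100002) is registered on a host and on which protocol/port pairs. This is the kind of check an administrator can run over rpcinfo output collected from their own hosts to find unauthenticated rusersd exposure. The two sample outputs are constructed for the example (the rusersd port reuses the value shown above); the column spacing of real rpcinfo output varies, which the regex tolerates.

```python
import re
from dataclasses import dataclass

# Constructed sample output in the format of `rpcinfo -p` (not captured from a real host).
RPC_INFO_SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100002    3   udp    873  rusersd
    100002    3   tcp    873  rusersd
    100024    1   udp  32768  status
"""

# Constructed sample of a host that only runs portmapper itself.
RPC_INFO_CLEAN = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
"""

# Well-known SunRPC program number for rusers (RUSERSPROG).
RUSERS_PROG = 100002


@dataclass(frozen=True)
class RpcEntry:
    program: int
    version: int
    proto: str
    port: int
    service: str  # may be empty: rpcinfo prints no name for unknown programs


# One data row: program, version, proto, port, optional service name.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)\s*$")


def parse_rpcinfo(text: str) -> list[RpcEntry]:
    """Parse `rpcinfo -p` output into RpcEntry rows, skipping the header and blanks."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or blank line
        prog, vers, proto, port, service = m.groups()
        entries.append(RpcEntry(int(prog), int(vers), proto, int(port), service))
    return entries


def rusersd_entries(entries: list[RpcEntry]) -> list[RpcEntry]:
    """Select registrations that belong to rusersd, by program number or by name."""
    return [e for e in entries if e.program == RUSERS_PROG or e.service == "rusersd"]


def audit(text: str) -> dict:
    """Summarise rusersd exposure from one host's rpcinfo output."""
    found = rusersd_entries(parse_rpcinfo(text))
    return {
        "rusersd_registered": bool(found),
        "endpoints": sorted({(e.proto, e.port) for e in found}),
        "versions": sorted({e.version for e in found}),
    }


if __name__ == "__main__":
    for name, sample in (("sample", RPC_INFO_SAMPLE), ("clean", RPC_INFO_CLEAN)):
        print(name, audit(sample))
```

Because the service name column is optional in rpcinfo output, matching on the program number (100002) rather than the name keeps the check reliable on hosts whose /etc/rpc lacks an entry for rusers.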
Manual Queries via rpcclient (Optional)
For deeper probing and scripting:
rpcclient <target_ip> -U "" -N
Note: rpcclient is primarily SMB-related, but RPC exploration can be extended using custom SunRPC tools.
Leveraging rusersd for Privilege Escalation and Lateral Movement
Identifying Valuable User Targets
Active usernames such as root, admin, or system operators provide immediate targets for:
Brute-force or password spray attacks
SSH key harvesting
Privilege escalation via sudo/su or misconfigured cronjobs
Mapping Internal Network Topology
Output from rusers includes hostnames or IP addresses of logged-in sessions. These often reveal:
Internal IP ranges (e.g., 192.168.1.x)
Trust relationships between hosts
NFS or rsh dependency paths
Timing Attacks Based on Idle Time
The idle time metric can help attackers identify:
When administrators are likely offline
When services or scripts may activate (e.g., after idle logout)
Opportunities to inject payloads unnoticed