Rusersd Service - Port 1026
Basic info
The rusersd daemon, part of the legacy r-services suite, exposes information about logged-in users across networked UNIX systems. While originally designed for convenience in multi-user environments, rusersd can be leveraged by attackers to enumerate active users, session times, and even network structures. This information provides valuable intelligence during the pre-exploitation and lateral movement phases of an attack.
Understanding rusersd and Its Underlying Protocol
The rusers service relies on RPC (Remote Procedure Call) via portmapper (rpcbind) and operates over UDP/TCP port 873 (commonly UDP). It retrieves user session data from remote machines running the rusersd daemon.
Key service attributes:
Communicates via the SunRPC protocol.
Requires rpcbind to resolve service ports.
Does not require authentication by default.
Can be queried using standard tools like rpcinfo, rusers, or showmount.
Enumerating rusersd for Valuable Information
Discovering RPC Services
Use rpcinfo to list available RPC services and determine if rusersd is running:
rpcinfo -p <target_ip>
Look for a line similar to:
100002 3 udp 873 rusersd
100002 3 tcp 873 rusersd
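An added audit helper (not part of the original page) that parses `rpcinfo -p` output and flags legacy r-services registrations for remediation. It matches on the SunRPC program number rather than the service name, because rpcinfo prints the name only when /etc/rpc knows it, and it reads the port from each line because portmapper assigns it at registration rather than fixing it. The sample output, the port values in it, and the program numbers for rstatd and rwalld are assumptions constructed for this example; 100002 for rusersd is taken from the page.

```python
"""Audit `rpcinfo -p` output for exposed legacy r-services (rusersd and friends)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# SunRPC program numbers. 100002 (rusersd) is from the page; the others are
# assumed from common /etc/rpc entries and are included for illustration.
LEGACY_RPC_PROGRAMS = {
    100001: "rstatd",
    100002: "rusersd",
    100008: "rwalld",
}

@dataclass(frozen=True)
class RpcRegistration:
    program: int
    version: int
    proto: str
    port: int
    service: str  # empty when rpcinfo could not resolve the name via /etc/rpc

# One body line of `rpcinfo -p`: program, version, proto, port, optional name.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)\s*$")

def parse_rpcinfo(output: str) -> list[RpcRegistration]:
    """Parse rpcinfo -p text; the header line and blank lines are skipped."""
    regs = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            regs.append(RpcRegistration(int(m[1]), int(m[2]), m[3], int(m[4]), m[5]))
    return regs

def find_legacy_services(output: str) -> list[RpcRegistration]:
    """Match on program number, so an unresolved (blank) service name is still caught."""
    return [r for r in parse_rpcinfo(output) if r.program in LEGACY_RPC_PROGRAMS]

def audit_report(output: str) -> list[str]:
    """One finding per exposed registration, with the port portmapper actually handed out."""
    return [
        f"{LEGACY_RPC_PROGRAMS[r.program]} (program {r.program} v{r.version}) registered on "
        f"{r.proto}/{r.port}: unauthenticated user enumeration; disable the daemon or filter rpcbind"
        for r in find_legacy_services(output)
    ]

# Constructed sample output; ports here are illustrative, not fixed values.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100002    3   udp   1026  rusersd
    100002    3   tcp   1026  rusersd
    100001    3   udp   1027
"""

if __name__ == "__main__":
    for finding in audit_report(SAMPLE_RPCINFO):
        print(finding)
```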
Querying Active User Sessions
Once rusersd is confirmed active, query the service directly:
rusers -a <target_ip>
This reveals:
Logged-in usernames
Terminal IDs
Idle time
Hostnames or IPs (useful for lateral movement)
Manual Queries via rpcclient (Optional)
For deeper probing and scripting:
rpcclient <target_ip> -U "" -N
Note: rpcclient is primarily SMB-related, but RPC exploration can be extended using custom SunRPC tools.
Leveraging rusersd for Privilege Escalation and Lateral Movement
Identifying Valuable User Targets
Active usernames such as root, admin, or system operators provide immediate targets for:
Brute-force or password spray attacks
SSH key harvesting
Privilege escalation via sudo/su or misconfigured cronjobs
Mapping Internal Network Topology
Output from rusers includes hostnames or IP addresses of logged-in sessions. These often reveal:
Internal IP ranges (e.g., 192.168.1.x)
Trust relationships between hosts
NFS or rsh dependency paths
Timing Attacks Based on Idle Time
The idle time metric can help attackers identify:
When administrators are likely offline
When services or scripts may activate (e.g., after idle logout)
Opportunities to inject payloads unnoticed