# Rusersd Service - Port 1026


## Basic info

The `rusersd` daemon, part of the legacy **r-services** suite, exposes information about logged-in users across networked UNIX systems. While originally designed for convenience in multi-user environments, `rusersd` can be leveraged by attackers to enumerate active users, session times, and even network structures. This information provides valuable intelligence during pre-exploitation and lateral movement phases of an attack.

### Understanding rusersd and Its Underlying Protocol

The `rusers` service relies on **RPC (Remote Procedure Call)** via **portmapper (rpcbind)** and operates over **UDP/TCP port 873 (commonly UDP)**. It retrieves user session data from remote machines running the `rusersd` daemon.

Key service attributes:

* Communicates via SunRPC protocol.
* Requires `rpcbind` to resolve service ports.
* Does **not require authentication** by default.
* Can be queried using standard tools like `rpcinfo`, `rusers`, or `showmount`.

***

## Enumerating rusersd for Valuable Information

#### Discovering RPC Services

Use `rpcinfo` to list available RPC services and determine if `rusersd` is running:

```bash
rpcinfo -p <target_ip>
```

Look for a line similar to:

```
100002    3   udp  873  rusersd
100002    3   tcp  873  rusersd
```
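The same check from the defender's side, as an added example that is not part of the original page: it parses saved `rpcinfo -p` output from hosts you administer and reports every registration of program 100002. The host names and sample outputs are constructed, and matching on the program number rather than the service-name column is an assumption made here.

```python
import re

RUSERSD_PROG = 100002  # program number from the sample rpcinfo line on this page

# Constructed sample input: `rpcinfo -p` output saved per host during an audit.
HEADER = "   program vers proto   port  service\n"
SAMPLE = {
    "host-a.example": HEADER
    + "    100000    2   udp    111  portmapper\n"
    + "    100002    3   udp    873  rusersd\n"
    + "    100002    3   tcp    873  rusersd\n",
    "host-b.example": HEADER
    + "    100000    2   udp    111  portmapper\n"
    + "    100002    2   udp  32771\n",  # name column blank on this host
    "host-c.example": HEADER
    + "    100000    2   udp    111  portmapper\n"
    + "    100003    3   tcp   2049  nfs\n",
}

# program, version, protocol, port, optional service name
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")


def find_rusersd(rpcinfo_text):
    """Return sorted (proto, port, version) tuples for program 100002."""
    hits = set()
    for line in rpcinfo_text.splitlines():
        m = ROW.match(line)
        if not m:  # header line or anything that is not a registration row
            continue
        prog, vers, proto, port, _name = m.groups()
        # Match on the program number: the name column is filled in from the
        # querying host's own /etc/rpc and may be blank or differ.
        if int(prog) == RUSERSD_PROG:
            hits.add((proto, int(port), int(vers)))
    return sorted(hits)


def audit(outputs):
    """Map each host that registers rusersd to its list of findings."""
    report = {host: find_rusersd(text) for host, text in outputs.items()}
    return {host: hits for host, hits in report.items() if hits}


if __name__ == "__main__":
    for host, hits in audit(SAMPLE).items():
        for proto, port, vers in hits:
            print(f"{host}: rusersd v{vers} on {proto}/{port}, disable or filter")
```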

#### Querying Active User Sessions

Once `rusersd` is confirmed active, query the service directly:

```bash
rusers -a <target_ip>
```

This reveals:

* Logged-in usernames
* Terminal IDs
* Idle time
* Hostnames or IPs (useful for lateral movement)

#### Manual Queries via `rpcclient` (Optional)

For deeper probing and scripting:

```bash
rpcclient <target_ip> -U "" -N
```

Note: `rpcclient` is primarily SMB-related, but RPC exploration can be extended using custom SunRPC tools.

***

## Leveraging rusersd for Privilege Escalation and Lateral Movement

### **Identifying Valuable User Targets**

Active usernames such as `root`, `admin`, or system operators provide immediate targets for:

* Brute-force or password spray attacks
* SSH key harvesting
* Privilege escalation via sudo/su or misconfigured cronjobs

### **Mapping Internal Network Topology**

Output from `rusers` includes hostnames or IP addresses of logged-in sessions. These often reveal:

* Internal IP ranges (e.g., `192.168.1.x`)
* Trust relationships between hosts
* NFS or rsh dependency paths

### **Timing Attacks Based on Idle Time**

The idle time metric can help attackers identify:

* When administrators are likely offline
* When services or scripts may activate (e.g., after idle logout)
* Opportunities to inject payloads unnoticed

***


