R-Services
aka rlogin, rsh, rexec, rhosts
Legacy BSD remote services (rlogin/rsh/rexec) on TCP ports 512-514. They trust source hosts via .rhosts and hosts.equiv, so a trust entry is a passwordless shell.
Ports
| Port | Proto | Notes |
|---|---|---|
| 512 | tcp | rexec |
| 513 | tcp | rlogin |
| 514 | tcp | rsh |
Fingerprint
- nmap shows exec/login/shell on 512-514
- Presence of rlogind/rshd
Key files
| Path | Holds | Sensitive |
|---|---|---|
| ~/.rhosts | trusted user@host entries (a `+ +` means trust anyone) | sensitive |
| /etc/hosts.equiv | host-level trust relationships | sensitive |
Default / weak creds
none needed when a trust relationship exists
Exploitation primitives
- rlogin as a user whose .rhosts trusts your host (no password)
- rsh to run a single command over the trust relationship
- A `+ +` in .rhosts or hosts.equiv trusts every host and user
Overview
The r-services are ancient cleartext remote-access daemons that authenticate by trusting the source host and username rather than a password. A permissive .rhosts is an instant login.
Enumeration
Scan for them:
`nmap -p512,513,514 -sV <TARGET>`
Exploitation
Log in via rlogin trust:
`rlogin <TARGET> -l root`
Run a single command over rsh:
`rsh <TARGET> "id"`
Hardening
Remove r-services entirely; use SSH. If they must exist, never use + in .rhosts or hosts.equiv.
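To back the hardening advice with a check, here is an added example (not from the original page) that audits the content of a .rhosts or hosts.equiv file for wildcard trust entries. The function name, sample hostnames and netgroup are constructed for illustration; the entry syntax assumed is the `[+|-]host [[+|-]user]` form described in hosts.equiv(5).

```python
# Added example: flag overly broad trust entries in .rhosts / hosts.equiv content.
# Assumed entry syntax (hosts.equiv(5)): "[+|-]host [[+|-]user]"; "+@name" is a netgroup.

def audit_trust_file(text):
    """Return (line_no, entry, reason) for each entry that grants broad trust."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue                          # blank line or comment
        fields = entry.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else ""
        if host.startswith("-") or user.startswith("-"):
            continue                          # negative entry: denies access
        if host == "+" and user == "+":
            reason = "any user from any host is trusted"
        elif host == "+":
            reason = "every host is trusted"
        elif user == "+":
            reason = "any remote user on %s is trusted" % host
        elif host.startswith("+@") or user.startswith("+@"):
            reason = "netgroup trust; membership must be reviewed"
        else:
            continue                          # explicit host or host/user pair
        findings.append((line_no, entry, reason))
    return findings

# Constructed sample content, not taken from a real system.
SAMPLE = """\
# trust file under review
build01.example.org deploy
+ +
backup.example.org +
+@admins
-untrusted.example.org
"""

if __name__ == "__main__":
    for line_no, entry, reason in audit_trust_file(SAMPLE):
        print("line %d: %r -> %s" % (line_no, entry, reason))
```

Run it over the contents of /etc/hosts.equiv and every user's ~/.rhosts; any finding is a candidate for removal before the services themselves are retired.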