Rusersd
aka rusers
An RPC service (registered via portmapper) that reports who is logged into a Unix host. A quick, unauthenticated way to harvest active usernames for password attacks.
Ports
| Port | Proto | Notes |
|---|---|---|
| 1026 | udp | rusersd (dynamic, via portmapper 111) |
Fingerprint
- rpcinfo -p lists the rusersd program (100002)
- rusers returns logged-in users
Exploitation primitives
- List currently logged-in users with no auth (feeds spraying)
- Find the rusersd port via portmapper (111) first
Overview
Rusersd is a legacy RPC service that answers “who’s logged in?” — a free user list, found via portmapper.
Enumeration
Confirm it’s registered:
rpcinfo -p <TARGET> | grep rusersd
List logged-in users (verbose):
rusers -l <TARGET>
Hardening
Disable rusersd and other legacy RPC info services; firewall portmapper.
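To verify the hardening on hosts you administer, this added example (not part of the original page) parses `rpcinfo -p` output and flags rusersd by program number 100002, so it still matches when the service-name column is empty. It goes slightly beyond the page by also flagging rstatd (100001), walld (100008) and sprayd (100012) as "other legacy RPC info services"; the function name `audit_rpcinfo`, its output format and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Usage on a host you administer:  rpcinfo -p <TARGET> | audit_rpcinfo

# audit_rpcinfo: read `rpcinfo -p` output on stdin and print one line per
# distinct (program, proto, port) registration that should be disabled.
audit_rpcinfo() {
    awk '
        BEGIN {
            # Matched by number: the name column comes from the local
            # /etc/rpc file and can be absent.
            legacy[100001] = "rstatd"
            legacy[100002] = "rusersd"
            legacy[100008] = "walld"
            legacy[100012] = "sprayd"
        }
        # Data rows start with a numeric program number (skips the header).
        $1 ~ /^[0-9]+$/ && ($1 in legacy) {
            key = $1 "/" $3 "/" $4
            if (key in vers) {
                vers[key] = vers[key] "," $2   # same service, extra version
            } else {
                vers[key] = $2
                order[++n] = key               # keep first-seen order
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                split(order[i], f, "/")
                printf "DISABLE %s (prog %s) %s/%s versions=%s\n",
                       legacy[f[1]], f[1], f[2], f[3], vers[order[i]]
            }
        }
    '
}

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
# The fifth row deliberately has no service name.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100002    2   udp   1026  rusersd
    100002    3   udp   1026
    100001    3   udp   1027  rstatd'

printf '%s\n' "$SAMPLE_RPCINFO" | audit_rpcinfo
```

Empty output means none of the listed programs is registered with the portmapper that was queried.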