R-Services
Table of Contents
- Most Abused R-commands
- /etc/hosts.equiv (list of trusted usernames)
- .rhosts (list of trusted IP and user)
- Login via rlogin
- Listing Authenticated Users Using Rwho
- Listing Authenticated Users Using Rusers
R-services span across ports 512, 513, and 514
nmap -> sudo nmap -sV -p 512,513,514 10.0.17.2
Most Abused R-commands
Command | Service Daemon | Port | Transport Protocol | Description |
---|---|---|---|---|
rcp | rshd | 514 | TCP | Copy a file or directory bidirectionally from the local system to the remote system (or vice versa) or from one remote system to another. It works like the cp command on Linux but provides no warning to the user for overwriting existing files on a system. |
rsh | rshd | 514 | TCP | Opens a shell on a remote machine without a login procedure. Relies upon the trusted entries in the /etc/hosts.equiv and .rhosts files for validation. |
rexec | rexecd | 512 | TCP | Enables a user to run shell commands on a remote machine. Requires authentication through the use of a username and password through an unencrypted network socket. Authentication is overridden by the trusted entries in the /etc/hosts.equiv and .rhosts files. |
rlogin | rlogind | 513 | TCP | Enables a user to log in to a remote host over the network. It works similarly to telnet but can only connect to Unix-like hosts. Authentication is overridden by the trusted entries in the /etc/hosts.equiv and .rhosts files. |
/etc/hosts.equiv
list of trusted usernames
> cat /etc/hosts.equiv
# <hostname> <local username>
pwnbox cry0l1t3
.rhosts
list of trusted IP and user
Note: The hosts.equiv file is recognized as the global configuration regarding all users on a system, whereas .rhosts provides a per-user configuration.
> cat .rhosts
htb-student 10.0.17.5
+ 10.0.17.10
+ +
The + wildcard allows any external user to access r-commands from the htb-student user account via the host with the IP address 10.0.17.10.
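A defensive check for the wildcard entries described above, as an added example that is not part of the original notes: it classifies each hosts.equiv or .rhosts entry by how many of its fields are the + wildcard, without assuming which field is the host and which is the user. The function names, severity labels and sample text are assumptions made for this example.

```python
import os
import pwd

# Constructed sample mirroring the .rhosts entries shown above.
SAMPLE_RHOSTS = """\
htb-student 10.0.17.5
+ 10.0.17.10
+ +
# comment lines and blanks are ignored
"""

def audit_trust_text(text):
    """Classify each entry of a hosts.equiv/.rhosts file by how much it trusts."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        wildcards = fields.count("+")
        if len(fields) > 2:
            severity = "review"      # not a plain one- or two-field trust entry
        elif wildcards == len(fields):
            severity = "critical"    # "+" or "+ +": nothing is restricted
        elif wildcards:
            severity = "high"        # one side of the pair is unrestricted
        else:
            severity = "info"        # explicit entry, still password-less trust
        findings.append((line_no, " ".join(fields), severity))
    return findings

def trust_files():
    """Yield /etc/hosts.equiv and every local account's ~/.rhosts that exists."""
    candidates = ["/etc/hosts.equiv"]
    candidates += [os.path.join(u.pw_dir, ".rhosts") for u in pwd.getpwall()]
    for path in dict.fromkeys(candidates):   # de-duplicate shared home dirs
        if os.path.isfile(path):
            yield path

def audit_host():
    """Audit the trust files readable on this host; returns {path: findings}."""
    report = {}
    for path in trust_files():
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                report[path] = audit_trust_text(fh.read())
        except OSError:
            report[path] = [(0, "unreadable (re-run as root)", "review")]
    return report
```

Calling `audit_host()` as root covers every account's home directory; entries rated critical or high are the ones to remove first.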
Login via rlogin
> rlogin 10.0.17.2 -l htb-student
Last login: Fri Dec 2 16:11:21 from localhost
[htb-student@localhost ~]$
Listing Authenticated Users Using Rwho
> rwho
root web01:pts/0 Dec 2 21:34
htb-student workstn01:tty1 Dec 2 19:57 2:25
- htb-student user is currently authenticated to the workstn01 host
- root user is authenticated to the web01 host
- Used to scope usernames
The rwho daemon periodically broadcasts information about logged-on users, so it might be beneficial to watch the network traffic.
Listing Authenticated Users Using Rusers
> rusers -al 10.0.17.5
htb-student 10.0.17.5:console Dec 2 19:57 2:25