R-Services Enumeration Cheatsheet
Default Ports:
- rexec: 512 (TCP)
- rlogin: 513 (TCP)
- rsh / rcp: 514 (TCP)
- rpcbind / portmapper: 111 (TCP/UDP)
Note: R-services transmit data in cleartext and rely on IP-based trust. They are largely obsolete but still found in legacy Unix/Linux environments.
Detection
nmap -p 512-514 <ip>
nmap -p 512-514 -sV <ip>
nmap -p 111 <ip>
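To turn the scans above into an inventory that can be tracked for decommissioning, the following Python script parses nmap grepable output (the `-oG` format) and lists, per host, which r-service ports are open. This is an added example, not part of the original cheatsheet; it assumes the scan was run as `nmap -p 111,512-514 -oG rservices.gnmap <targets>`, and the sample output embedded below is constructed, not a real scan.

```python
"""Inventory r-services from nmap grepable (-oG) output.

Added example, not part of the original cheatsheet. Assumes the scan was run as
    nmap -p 111,512-514 -oG rservices.gnmap <targets>
and parses the resulting "Host: ... Ports: ..." lines.
"""
import re

# Ports from the cheatsheet mapped to the service they carry.
R_SERVICE_PORTS = {
    111: "rpcbind",
    512: "rexec",
    513: "rlogin",
    514: "rsh/rcp",
}

# Constructed sample of nmap -oG output (not a real scan); hosts are RFC 5737 test addresses.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -p 111,512-514 -oG - 192.0.2.0/29
Host: 192.0.2.10 (legacy-unix)\tStatus: Up
Host: 192.0.2.10 (legacy-unix)\tPorts: 111/open/tcp//rpcbind///, 512/open/tcp//exec///, 513/open/tcp//login///, 514/open/tcp//shell///\tIgnored State: closed (0)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 111/closed/tcp//rpcbind///, 512/closed/tcp//exec///, 513/closed/tcp//login///, 514/open/tcp//shell///
Host: 192.0.2.12 ()\tStatus: Up
Host: 192.0.2.12 ()\tPorts: 111/open/tcp//rpcbind///, 512/filtered/tcp//exec///, 513/filtered/tcp//login///, 514/filtered/tcp//shell///
# Nmap done at Mon Jan  1 00:00:05 2024 -- 8 IP addresses (3 hosts up) scanned in 5.00 seconds
"""

# "Host: <ip> (<hostname>)<TAB>Ports: <port list>[<TAB>...]"
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")
# Each port entry is "<port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/"
PORT_FIELD = re.compile(r"^(\d+)/(\w+)/(\w+)/")


def parse_gnmap(text):
    """Map each host to {port: state} for the ports in R_SERVICE_PORTS."""
    results = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment, "Status:" line, or unrelated output
        ip, _hostname, ports_field = m.groups()
        # The Ports field ends at the next tab-separated field (e.g. "Ignored State").
        ports_field = ports_field.split("\t")[0]
        states = results.setdefault(ip, {})
        for entry in ports_field.split(","):
            pm = PORT_FIELD.match(entry.strip())
            if not pm:
                continue
            port, state, proto = int(pm.group(1)), pm.group(2), pm.group(3)
            if proto == "tcp" and port in R_SERVICE_PORTS:
                states[port] = state
    return results


def open_rservices(text):
    """Return {ip: [service names]} for hosts exposing at least one r-service port."""
    findings = {}
    for ip, states in parse_gnmap(text).items():
        open_ports = [p for p in sorted(states) if states[p] == "open"]
        if open_ports:
            findings[ip] = [R_SERVICE_PORTS[p] for p in open_ports]
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_GNMAP with open("rservices.gnmap").read() for a real scan file.
    for ip, services in open_rservices(SAMPLE_GNMAP).items():
        print(f"{ip}: {', '.join(services)}")
```

Hosts where a port reports `filtered` or `closed` are kept in `parse_gnmap` but dropped from the `open_rservices` report, so a firewalled legacy box still shows up in the raw data for follow-up.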
rlogin
# Login as current user
rlogin <ip>
# Login as specific user
rlogin -l <user> <ip>
rsh (Remote Shell)
# Execute command remotely
rsh <ip> <command>
rsh -l <user> <ip> whoami
rsh -l <user> <ip> cat /etc/passwd
rsh -l <user> <ip> /bin/bash
rexec (Remote Exec)
# rexec authenticates with a username and password (prompts if -p is not given); it does not use hosts.equiv/.rhosts trust
rexec <ip> -l <user> <command>
rexec <ip> -l <user> id
rpcbind / Portmapper (Port 111)
# List all registered RPC services
rpcinfo -p <ip>
# List NFS mounts (if NFS is running)
showmount -e <ip>
# Nmap
nmap -p 111 --script rpcinfo <ip>
nmap -p 111 --script nfs-ls <ip>
nmap -p 111 --script nfs-showmount <ip>
nmap -p 111 --script nfs-statfs <ip>
rwho / ruptime
# List logged-in users on hosts on the local network that run rwhod
rwho
# Show uptime and load of hosts on the local network that run rwhod
ruptime
Trust Files (Critical Targets)
These files define which hosts/users can connect without a password:
# System-wide trust (any user from listed hosts)
cat /etc/hosts.equiv
# Per-user trust (~/.rhosts)
cat ~/.rhosts
cat /root/.rhosts
# Format of trust files (one entry per line):
# <hostname>: trust users from this host logging in under the same username
# <hostname> <user>: trust the named remote user from this host
# + +: trust EVERYONE, any user from any host (critical misconfiguration)
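The trust-file format above is simple enough to audit automatically. The following Python script parses hosts.equiv / .rhosts contents and grades each entry, flagging the `+ +` and `+ <user>` wildcards as critical. This is an added example, not part of the original cheatsheet; the sample file contents and hostnames in it are constructed, and the severity labels are this script's own, not something the cheatsheet defines.

```python
"""Audit hosts.equiv / .rhosts contents for dangerous trust entries.

Added example, not part of the original cheatsheet. Parses the format described
above: one entry per line, "<hostname>" or "<hostname> <user>", where "+" is a
wildcard for either field, a leading "-" denies an entry, "+@name" names a
netgroup, and "#" starts a comment.
"""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "info": 3}

# Constructed sample files (not taken from any real system).
SAMPLE_HOSTS_EQUIV = """\
# /etc/hosts.equiv on a legacy build host
buildmaster.example.internal
+ +
-untrusted.example.internal
"""

SAMPLE_RHOSTS = """\
# ~/.rhosts for the backup account
backup01.example.internal backup
+ backup
jumpbox.example.internal +
+@admins
"""


def audit_trust_file(text, path):
    """Return a list of (severity, path, line_no, entry, reason) findings."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        entry = " ".join(fields)
        who = "same-named users" if user is None else f"user '{user}'"
        if host.startswith("-"):
            sev, reason = "info", "explicit deny entry"
        elif host == "+" and user == "+":
            sev, reason = "critical", "any user from any host trusted without a password"
        elif host == "+":
            sev, reason = "critical", f"any host trusted for {who}"
        elif host.startswith("+@"):
            sev, reason = "high", f"all hosts in netgroup {host[2:]} trusted for {who}"
        elif user == "+":
            sev, reason = "high", f"any user from {host} trusted"
        else:
            sev, reason = "medium", f"{host} trusted for {who}"
        findings.append((sev, path, line_no, entry, reason))
    return findings


def audit_all(files):
    """Audit {path: contents} and return all findings, most severe first."""
    findings = []
    for path, text in files.items():
        findings.extend(audit_trust_file(text, path))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[0]], f[1], f[2]))


if __name__ == "__main__":
    # On a real host, read /etc/hosts.equiv and each user's ~/.rhosts instead.
    sample = {"/etc/hosts.equiv": SAMPLE_HOSTS_EQUIV, "/home/backup/.rhosts": SAMPLE_RHOSTS}
    for sev, path, line_no, entry, reason in audit_all(sample):
        print(f"[{sev:8}] {path}:{line_no}: '{entry}' -> {reason}")
```

Any `critical` finding means the host accepts rlogin/rsh from arbitrary sources with no password; the usual remediation is to remove the entry (or the r-services entirely) rather than to tighten it.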
Nmap Scripts
nmap -p 512-514 --script rsh-brute <ip>
nmap -p 111 --script rpcinfo <ip>
nmap -p 111 --script nfs-ls,nfs-showmount,nfs-statfs <ip>
Exploitation Flow
1. Scan for open ports 512-514
2. Check /etc/hosts.equiv and ~/.rhosts on any accessible system
3. If trusted host found, rlogin from that IP without password
4. Look for + + wildcard trust entries (full bypass)
5. If rsh available, execute commands directly