The rexec and rlogin services are design to allow users of a network to execute commands remotely. However, those services do not provide any good means of authentication, so they may be abused to leverage an unauthenticated RCE.
Nmap can be used to scan the network for open rexec and rlogin services:
nmap -v -p 512,513 -A <RANGE | CIDR>The nmap NSE scripts rexec-brute.nse and rlogin-brute.nse can be used to brute force the services, as well as the metasploit modules auxiliary/scanner/rservices/rexec_login and auxiliary/scanner/rservices/rlogin_login. If all tested credentials are returned as valid ("Valid credentials"), the services are vulnerable to unauthenticated access.
nmap -v -p 512 --script rexec-brute.nse <TARGET>
nmap -v -p 513 --script rlogin-brute.nse <TARGET>
msf > use auxiliary/scanner/rservices/rexec_login
msf > use auxiliary/scanner/rservices/rlogin_loginThe rlogin CLI tool can be used to access a system:
rlogin [-8ELKd] [-e char] [-i user] [-l user] [-p port] host
rlogin -i root <HOST | IP>Last updated