# 512 / 513 - REXEC / RLOGIN

The rexec and rlogin services are design to allow users of a network to execute commands remotely.\
However, those services do not provide any good means of authentication, so they may be abused to leverage an unauthenticated RCE.

### Network scan

Nmap can be used to scan the network for open rexec and rlogin services:

```
nmap -v -p 512,513 -A <RANGE | CIDR>
```

### Auth bruteforce

The nmap NSE scripts rexec-brute.nse and rlogin-brute.nse can be used to brute force the services, as well as the metasploit modules auxiliary/scanner/rservices/rexec\_login and auxiliary/scanner/rservices/rlogin\_login. If all tested credentials are returned as valid ("Valid credentials"), the services are vulnerable to unauthenticated access.

```
nmap -v -p 512 --script rexec-brute.nse <TARGET>
nmap -v -p 513 --script rlogin-brute.nse <TARGET>

msf > use auxiliary/scanner/rservices/rexec_login
msf > use auxiliary/scanner/rservices/rlogin_login
```

### CLI access

The rlogin CLI tool can be used to access a system:

```
rlogin [-8ELKd] [-e char] [-i user] [-l user] [-p port] host

rlogin -i root <HOST | IP>
```