# 512 / 513 - REXEC / RLOGIN The rexec and rlogin services are design to allow users of a network to execute commands remotely.\ However, those services do not provide any good means of authentication, so they may be abused to leverage an unauthenticated RCE. ### Network scan Nmap can be used to scan the network for open rexec and rlogin services: ``` nmap -v -p 512,513 -A ``` ### Auth bruteforce The nmap NSE scripts rexec-brute.nse and rlogin-brute.nse can be used to brute force the services, as well as the metasploit modules auxiliary/scanner/rservices/rexec\_login and auxiliary/scanner/rservices/rlogin\_login. If all tested credentials are returned as valid ("Valid credentials"), the services are vulnerable to unauthenticated access. ``` nmap -v -p 512 --script rexec-brute.nse nmap -v -p 513 --script rlogin-brute.nse msf > use auxiliary/scanner/rservices/rexec_login msf > use auxiliary/scanner/rservices/rlogin_login ``` ### CLI access The rlogin CLI tool can be used to access a system: ``` rlogin [-8ELKd] [-e char] [-i user] [-l user] [-p port] host rlogin -i root ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.qazeer.io/l7/methodology-11.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.