R-Services are a set of tools that allow remote access and command execution between Unix hosts over TCP/IP. Developed by UC Berkeley, they were widely used until replaced by SSH due to security flaws. Like Telnet, R-Services send data unencrypted.
R-services use ports 512, 513, and 514, and are accessed through r-commands. They are commonly used by commercial operating systems like Solaris, HP-UX, and AIX.
Default Port: 512,513,514
Banner grabbing
nc -nv $IP 512
nc -nv $IP 513
nc -nv $IP 514Nmap
Nmap is a network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on computer network by sending packets and analyzing the responses.
Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.
# Default NSE
sudo nmap -sCV -p512,513,514 $IPR-commands
The R-commands suite consists of the following programs:
- rcp:
remote copy - rexec:
remote execution - rlogin:
remote login - rsh:
remote shell - rwho:
remote who - rstat
- ruptime
Each command has its intended functionality; however, this is the most commonly abused r-commands.
| Command | Service Daemon | Port | Protocol | Description |
|---|---|---|---|---|
rcp | rshd | 514 | TCP | Copies files between local and remote systems (or remote-to-remote) without warning when overwriting files. |
rsh | rshd | 514 | TCP | Opens a remote shell without a login procedure, using trusted entries in /etc/hosts.equiv and .rhosts. |
rexec | rexecd | 512 | TCP | Runs commands on a remote machine with username/password authentication over an unencrypted network. |
rlogin | rlogind | 513 | TCP | Logs into a remote Unix host, similar to telnet, using trusted entries for authentication. |
# Login with rlogin
rlogin $IP -l administrator
# Once connected,
# this command can be use to enumerate manually.
> rwho # Same as (who) command in Linux
> rusers -al $IP # Detailed account of all logged-in usersConfig files
cat /etc/hosts.equiv # Contains a list of trusted hosts (users with trusted hosts access the system, no authentication needed.)
cat .rhosts # Provides a per-user configuration.