R-Service (512,513,514)


Cheat sheet

R Services Enumeration (rsh, rlogin, rexec)

| Command | Description |
|---|---|
| `nmap -p 512,513,514 <target>` | Scan for rexec (512), rlogin (513), rsh (514) |
| `nmap -sV -p 512,513,514 <target>` | Service/version detection |
| `rlogin -l <user> <target>` | Connect using rlogin |
| `rsh <target> -l <user> <command>` | Execute remote command via rsh |
| `rexec <target>` | Start interactive rexec session |
| `rwho` | Show logged-in users on local network |
| `rusers -al <target>` | List users on remote host |
| `hydra -l user -P rockyou.txt rsh://<target>` | Brute-force rsh (rarely used, low success) |
| `nmap -p 512 --script rexec-brute <target>` | Brute-force rexec credentials |
| `nmap -p 514 --script rsh-brute <target>` | Brute-force rsh credentials |

NSE Scripts

find / -type f -name "*r*" 2>/dev/null | grep scripts

/usr/share/nmap/scripts/rexec-brute.nse
/usr/share/nmap/scripts/rsh-brute.nse

R Services are a family of trust-based, plaintext remote shell protocols from early UNIX systems.

These include:

• RSH (Remote Shell) → Port 514
• RLogin → Port 513
• RExec → Port 512

They allow remote shell access without encryption, and often without authentication if the target trusts the source IP and username.

R Services Overview

| Command | Service Daemon | Port | Transport Protocol | Description |
|---|---|---|---|---|
| rcp | rshd | 514 | TCP | Copy files between systems like cp, but no prompt before overwriting files. No encryption or authentication beyond .rhosts or hosts.equiv. |
| rsh | rshd | 514 | TCP | Run remote shell commands without login prompts. Uses .rhosts and hosts.equiv for trust-based authentication. |
| rexec | rexecd | 512 | TCP | Run remote shell commands with username and password sent in plaintext. Trust config may bypass credentials. |
| rlogin | rlogind | 513 | TCP | Remote login similar to telnet, but Unix-only. Trust config can bypass login. Passwords sent in cleartext. |