Path: blob/master/documentation/modules/auxiliary/scanner/rservices/rsh_login.md
Vulnerable Application
The R Services (rexecd, rlogind, and rshd) are a suite of unencrypted remote command/login services developed in the 1980s. These services are all but unused in modern computing, as they have been replaced by telnet and ssh.
rsh relies on host names as a security mechanism. A + entry acts as a wildcard, so any computer can connect. In the following config, we'll use that wildcard setting to simplify our exploitation. This is a glaring security issue!!! However, there are exceptions to this in proprietary Unix systems, which may include other mechanisms such as Kerberos (AIX).
If you encounter Host address mismatch for ..., you may need to adjust your /etc/hosts file accordingly.
The following was done on Kali Linux:
apt-get install rsh-server which includes: rexecd, rlogind and rshd.
echo "+" > ~/.rhosts
Start the service: service openbsd-inetd start
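From the defender's side, the wildcard trust configured above can be found by auditing the trust files. The following Python script is an added example, not part of the Metasploit module or its documentation; it flags + wildcard entries in rhosts-style files, and the sample entries, the function names and the paths scanned (/etc/hosts.equiv, /root/.rhosts, /home/*/.rhosts) are assumptions.

```python
import glob

# Constructed sample of rhosts-style trust entries (not taken from a real host).
SAMPLE = """\
# trusted build hosts
build01.example.test alice
+
backup.example.test +
+ +
+@admins
-oldhost.example.test
"""

def classify(line):
    """Return a description if the entry is a wildcard trust, else None."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None  # blank line or comment
    host = fields[0]
    user = fields[1] if len(fields) > 1 else None
    if host == "+" and user == "+":
        return "any user from any host"
    if host == "+":
        return "any host"
    if user == "+":
        return "any user from " + host
    return None  # named host, netgroup (+@group) or negative (-host) entry

def audit_text(text):
    """Return [(line_number, finding)] for wildcard entries in file content."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        finding = classify(line)
        if finding:
            hits.append((number, finding))
    return hits

def audit_files(paths):
    """Audit each readable file; return [(path, line_number, finding)]."""
    results = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as handle:
                text = handle.read()
        except OSError:
            continue  # missing or unreadable file: nothing to report
        results += [(path, n, f) for n, f in audit_text(text)]
    return results

if __name__ == "__main__":
    targets = ["/etc/hosts.equiv", "/root/.rhosts"] + glob.glob("/home/*/.rhosts")
    for path, number, finding in audit_files(targets):
        print(f"{path}:{number}: wildcard trust ({finding})")
```

Run it as root so every user's .rhosts is readable; a file containing only + is reported as "any host".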
Verification Steps
Install and configure rexec
Start msfconsole
Do: use auxiliary/scanner/rservices/rsh_login
Do: set rhosts
Set any other credentials that will need to be set
Do: run
Scenarios
A run against the configuration from these docs
Confirming
At the time of writing this, there was no nmap script equivalent. Most modern systems have also replaced rsh with ssh.