
R-Services

R-services are the insecure ancestor of SSH — remote access built on trust rather than authentication. A single + in a .rhosts file tells the host to trust anyone, and you log in as another user with no password at all. Rare today, but when you find them, they’re a free foothold.
Protocol: TCP · Ports: 512, 513, 514

What Are R-Services?

R-services were the de facto standard for remote access between Unix systems until SSH replaced them, precisely because of their built-in security flaws. Like telnet, they transmit everything — passwords, login info — unencrypted over the network, making them trivial to intercept with a man-in-the-middle attack. They span TCP ports 512, 513, and 514 and are accessed through a suite of programs called r-commands:
Command   Daemon    Port      Description
rcp                 514       Remote copy — copy files between hosts
rexec     rexecd    512       Remote execution — run a command on a remote host
rlogin    rlogind   513       Remote login — like telnet, but trust-based
rsh       rshd      514       Remote shell — run commands without logging in
rwho      rwhod     513/udp   List who’s logged in across the local network
rusers                        Detailed list of logged-in users network-wide

Default Configuration

The trust model lives in two files:
  • /etc/hosts.equiv — a system-wide list of trusted hosts. Users from these hosts are granted access without further authentication.
  • ~/.rhosts — a per-user version of the same idea.
By default these services use PAM (Pluggable Authentication Modules) for authentication, but hosts.equiv and .rhosts short-circuit that with a list of trusted host/user pairs. Entries follow the syntax <username> <ip-or-hostname>:
# ~/.rhosts
htb-student   10.0.17.5
admin         workstn02
+             10.0.17.10
The + modifier is a wildcard meaning “anything.” In the example above, the + 10.0.17.10 line lets any user connecting from the host at 10.0.17.10 run r-commands as the htb-student account.
A + in hosts.equiv or .rhosts is the misconfiguration that defines R-services exploitation. + + (trust any user from any host) is the worst case — it lets you authenticate as another user with no credentials at all, often leading straight to code execution.
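An added example (not code from the original page): a small audit script that parses hosts.equiv / .rhosts text in the two-field layout shown above and flags wildcard entries, so a defender can find the + misconfiguration before an attacker does. The sample file content is constructed, and a + in either field is treated as a wildcard regardless of its position.

```python
"""Audit hosts.equiv / .rhosts text for wildcard trust entries.
Added example, not from the original page. SAMPLE_RHOSTS is constructed
in the <username> <ip-or-hostname> layout shown above; a '+' in either
field is treated as a wildcard regardless of position."""

# Constructed sample ~/.rhosts content: the page's example plus the
# worst-case '+ +' entry.
SAMPLE_RHOSTS = """\
# ~/.rhosts
htb-student   10.0.17.5
admin         workstn02
+             10.0.17.10
+ +
"""

def classify_entry(fields: list[str]) -> str:
    """Risk label for one parsed entry (its whitespace-separated fields)."""
    wild = [f == "+" for f in fields]
    if all(wild):
        return "CRITICAL: trusts any user from any host, no credentials needed"
    if any(wild):
        return "HIGH: wildcard in one field"
    return "ok: explicit user/host pair"

def audit_rhosts(content: str) -> list[tuple[int, str, str]]:
    """Return (line_no, entry, label) for every non-blank, non-comment line.
    Lines starting with '#' are skipped; a lone '+' (trust every host) is
    treated like '+ +'."""
    findings = []
    for line_no, raw in enumerate(content.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields == ["+"]:
            fields = ["+", "+"]
        findings.append((line_no, " ".join(fields), classify_entry(fields)))
    return findings

def wildcard_lines(content: str) -> list[int]:
    """Line numbers an audit should flag: every entry granting wildcard trust."""
    return [n for n, _, label in audit_rhosts(content) if not label.startswith("ok")]

if __name__ == "__main__":
    for line_no, entry, label in audit_rhosts(SAMPLE_RHOSTS):
        print(f"line {line_no}: {entry:28} {label}")
```

Run it against the real /etc/hosts.equiv and each user's ~/.rhosts on a host you administer; any HIGH or CRITICAL line is an entry to remove.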

Footprinting the Service

Scanning for R-Services

nmap -sV -p512,513,514 10.129.14.128
PORT    STATE SERVICE    VERSION
512/tcp open  exec       netkit-rsh rexecd
513/tcp open  login      OpenBSD or Solaris rlogind
514/tcp open  shell      Netkit rshd

Logging in with rlogin

When .rhosts is misconfigured, rlogin gets you onto the host as the trusted user with no password:
rlogin 10.129.14.128 -l htb-student
Last login: Tue Jun 25 12:00 from 10.0.17.5
htb-student@target:~$ id
uid=1000(htb-student) gid=1000(htb-student) groups=1000(htb-student)
That successful login with no credentials is the .rhosts misconfiguration paying off.

Listing Logged-in Users with rwho

Once in, rwho lists all interactive sessions on the local network (it queries UDP port 513):
rwho
htb-student  workstn01:pts/0   Jun 25 12:00
root         web01:pts/1       Jun 25 11:45
This is a username goldmine — here you can see htb-student is on workstn01 and root is logged into web01, all useful targets for further attacks.
The rwho daemon periodically broadcasts logged-on-user info across the network, so watching the traffic over time can surface users and hosts you’d otherwise miss.

More Detail with rusers

rusers gives a fuller picture than rwho — username, hostname, the TTY they’re on, login date/time, idle time, and the remote host they connected from:
rusers -al 10.129.14.128
htb-student  workstn01:pts/0  Jun 25 12:00  2:14   (10.0.17.5)
root         web01:console    Jun 25 11:45  0:03

Quick Reference

Command                        Purpose
nmap -sV -p512,513,514 <ip>    Detect r-services
rlogin <ip> -l <user>          Log in as a trusted user (no password if misconfigured)
rsh <ip> <command>             Run a command remotely
rwho                           List logged-in users on the network
rusers -al <ip>                Detailed logged-in user info
The key file: hosts.equiv / .rhosts. A + wildcard means trust-anyone — log in as another user with no credentials. The footprinting flow: nmap for 512–514 → attempt rlogin against likely users → enumerate the network with rwho/rusers for more usernames and hosts to target.