# Pentesting R-Services

## Overview

* Legacy Unix suite; transmits data unencrypted. Largely replaced by SSH.
* Ports: TCP 512 (rexec), TCP 513 (rlogin), TCP 514 (rsh/rcp)

## R-Commands

| Command | Service Daemon | Port | Transport | Description                                                                                |
| ------- | -------------- | ---- | --------- | ------------------------------------------------------------------------------------------ |
| rcp     | rshd           | 514  | TCP       | Copy files between systems. Like `cp` but remote. No warning on overwrite.                 |
| rsh     | rshd           | 514  | TCP       | Open a shell on remote machine without login. Uses trusted entries in .rhosts/hosts.equiv. |
| rexec   | rexecd         | 512  | TCP       | Execute commands on remote with username and password.                                     |
| rlogin  | rlogind        | 513  | TCP       | Log in to remote Unix host. Similar to telnet but auto-login for trusted entries.          |

## Access Control Files

* `/etc/hosts.equiv` — global trusted hosts
* `~/.rhosts` — per-user trusted hosts
* Format: `<hostname> <username>` or `+ +` (trust everyone — very dangerous)
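
An added example (not part of the original notes) for auditing these files on a host you administer: it parses the `<hostname> <username>` format above and flags `+` wildcards. It goes slightly beyond the text by also flagging a `+` in only one field, and it assumes `#` starts a comment; the sample entries are constructed, and `buildhost01`, `deploy` and `backuphost` are made-up names.

```python
import os
import pwd

# Constructed sample in the "<hostname> <username>" format; not from a real host.
SAMPLE = """\
# constructed hosts.equiv
buildhost01 deploy
10.0.17.5 +
+ htb-student
+ +
backuphost
"""

def audit_trust_text(text):
    """Return (line_no, host, user, severity) for each wildcard entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # assumption: '#' starts a comment
        if not fields:
            continue
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None  # None: no user field given
        if host == "+" and user == "+":
            severity = "critical"   # any user from any host
        elif host == "+" or user == "+":
            severity = "high"       # one side of the trust is unbounded
        else:
            continue                # explicit host (and user): not flagged
        findings.append((line_no, host, user, severity))
    return findings

def trust_files():
    """Yield the global file and each local account's ~/.rhosts, if present."""
    candidates = ["/etc/hosts.equiv"]
    candidates += [os.path.join(p.pw_dir, ".rhosts") for p in pwd.getpwall()]
    for path in dict.fromkeys(candidates):  # de-duplicate shared home dirs
        if os.path.isfile(path):
            yield path

def audit_host():
    """Audit every trust file on this machine; returns {path: findings}."""
    report = {}
    for path in trust_files():
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                report[path] = audit_trust_text(fh.read())
        except OSError:
            report[path] = None  # unreadable: re-run with enough privilege
    return report
```

Call `audit_host()` as root so every account's `~/.rhosts` is readable; a `None` value marks a file that could not be opened.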

## Scanning

```
sudo nmap -sV -p 512,513,514 10.0.17.2
```

## Rlogin

```
rlogin 10.0.17.2 -l htb-student
```

## Rwho (show logged in users on remote hosts)

```
rwho
```

## Rusers

```
rusers -al 10.0.17.5
```
