> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/information-gathering/service-enumeration/linux-remote-management-protocols/r-services-512-513-514.md).

# R-Services (512, 513, 514)

Use this page to identify exposed R-services and trust-based access paths.

### Legacy R-services

R-Services are a collection of historical remote execution daemons designed to provide administrative terminal control between Unix environments across TCP ports `512`, `513`, and `514`.

### Structural architecture faults

* **Cleartext exposure** — like Telnet, all active commands, keystrokes, profiles, and configuration values travel across the network wire in raw unencrypted text. This makes them fully susceptible to local sniffing and MITM packet exploitation.
* **Legacy program suite**
  * `rcp` (Remote Copy — port `514`) — moves files bidirectionally without issuing overwrite warnings.
  * `rsh` (Remote Shell — port `514`) — spawns an unauthenticated remote execution shell environment by querying local trust files.
  * `rexec` (Remote Execution — port `512`) — executes single command strings using unencrypted passwords.
  * `rlogin` (Remote Login — port `513`) — establishes an interactive connection to a remote terminal host.

### Host trust relationship vulnerabilities

Authentication checking rules are entirely offloaded to simple flat-file records and can bypass standard authentication frameworks if certain strings match:

* `/etc/hosts.equiv` — global, machine-wide trust matrix.
* `~/.rhosts` — localized, individual profile mapping directory.

#### File entry syntax

Entries specify trusting relationships by mapping names and source addresses: `<username> <ip_address>` or `<username> <hostname>`.

```
htb-student     10.0.17.5
+               10.0.17.10
+               +
```

> The wildcard (`+`) security disaster: the plus character (`+`) serves as a broad wildcard indicator. If an entry states `+ +`, it tells the service engine to accept any incoming connection from any account name originating from any network IP address without prompting for authentication credentials.

### Footprinting and exploitation playbook

#### Step 1: Query target ports

```bash
sudo nmap -sV -p 512,513,514 <TARGET_IP>
```

#### Step 2: Exploit host trust arrays to gain direct access

```bash
# Attempt an unauthenticated login bypass into a target username account
rlogin <TARGET_IP> -l htb-student
```

#### Step 3: Network user enumeration

```bash
# Interrogate the network interface to see active logged-in profiles
rwho

# Extract precise login metadata (usernames, hostnames, TTY devices, connection times)
rusers -al <TARGET_IP>
```

### Summary protocol breakdown reference

| **Service daemon protocol** | **Standard TCP port** | **Transport medium**     | **Primary pentesting target vectors**                                                            |
| --------------------------- | --------------------- | ------------------------ | ------------------------------------------------------------------------------------------------ |
| SSH                         | `22`                  | Encrypted tunnel         | Account brute-forcing, password mutation sprays, exposed private key artifacts (`id_rsa`).       |
| Rsync                       | `873`                 | Cleartext delta stream   | Anonymous directory listings, unauthenticated file harvesting, extracting stored configurations. |
| R-Services                  | `512, 513, 514`       | Cleartext command socket | Passwordless remote code execution via wildcard entries (`+`) in `.rhosts` or `hosts.equiv`.     |


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://capcap-1.gitbook.io/capcap/readme/ctf-modules/information-gathering/service-enumeration/linux-remote-management-protocols/r-services-512-513-514.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
