> For the complete documentation index, see [llms.txt](https://thescriptkid.gitbook.io/notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://thescriptkid.gitbook.io/notes/credential-less-enumeration/r-services.md). # R-Services ## Frequently Abused Commands

Command	Service Daemon	Port	TCP/UDP	Description
`rcp`	`rshd`	514	TCP	Copy a file or directory bidirectionally from the local system to the remote system (or vice versa) or from one remote system to another. It works like the `cp` command on Linux but provides `no warning to the user for overwriting existing files on a system`.
`rsh`	`rshd`	514	TCP	Opens a shell on a remote machine without a login procedure. Relies upon the trusted entries in the `/etc/hosts.equiv` and `.rhosts` files for validation.
`rexec`	`rexecd`	512	TCP	Enables a user to run shell commands on a remote machine. Requires authentication through the use of a `username` and `password` through an unencrypted network socket. Authentication is overridden by the trusted entries in the `/etc/hosts.equiv` and `.rhosts` files.
`rlogin`	`rlogind`	513	TCP	Enables a user to log in to a remote host over the network. It works similarly to `telnet` but can only connect to Unix-like hosts. Authentication is overridden by the trusted entries in the `/etc/hosts.equiv` and `.rhosts` files.

## Trusted Hosts File ### /etc/hosts.equiv

The /etc/hosts.equiv file contains a list of trusted hosts and is used to grant access to other systems on the network. When users on one of these hosts attempt to access the system, they are automatically granted access without further authentication.

### .rhosts

> Note: The `hosts.equiv` file is recognized as the global configuration regarding all users on a system, whereas `.rhosts` provides a per-user configuration. ## Scanning for R-Services ``` sudo nmap -sV -p 512,513,514 10.0.17.2 ```

## Logging in Using Rlogin {% code overflow="wrap" %} ``` rlogin 10.0.17.2 -l htb-student ``` {% endcode %}

## Listing Authenticated Users Using Rwho ``` rwho ```

## Listing Authenticated Users Using Rusers {% code overflow="wrap" %} ``` rusers -al 10.0.17.5 ``` {% endcode %}

--- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://thescriptkid.gitbook.io/notes/credential-less-enumeration/r-services.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.