07 Apr, 2023

Remote LOGIN

Penetration Testing as a service (PTaaS)

Tests security measures and simulates attacks to identify weaknesses.

The rlogin protocol is a remote login protocol used to allow a user on one host to log in to another host on the same network. It is implemented as a client-server protocol and is typically used to provide users with access to remote servers and systems. The protocol establishes a TCP connection between the rlogin client and server, and the user enters their username and password for authentication. Once authenticated, the user can execute commands and interact with the remote system through a shell.

RLOGIN common ports

Port 513 – This is the default port used by RLOGIN.

Port 23 – This port is also commonly used by RLOGIN, as well as other remote login protocols such as Telnet.

Any other port specified by the system administrator – The system administrator may choose to use a different port for RLOGIN to increase security or avoid conflicts with other services.

Standard commands from unauthorized users

ls: List the contents of a directory.

cd: Change the current working directory.

cat: Display the contents of a file.

cp: Copy a file.

mv: Move a file.

rm: Remove a file.

mkdir: Create a new directory.

rmdir: Remove an empty directory.

chmod: Change the permissions of a file or directory.

chown: Change the owner of a file or directory.

Tools for using protocol RLOGIN

Manual Tools:

  • Telnet – A simple network protocol that allows you to establish a connection to a remote server using the command line. Telnet can be used to test RLOGIN by connecting to port 513/tcp and attempting to log in to the remote server.

  • PuTTY – A free, open-source terminal emulator that supports various network protocols, including RLOGIN. PuTTY can be used to connect to a remote server using RLOGIN by specifying the port number and entering the login credentials.

  • Cyberduck – A file transfer client that supports various protocols, including RLOGIN. Cyberduck can be used to connect to a remote server using RLOGIN and transfer files between the local and remote systems.

  • SecureCRT – A commercial terminal emulator that supports various network protocols, including RLOGIN. SecureCRT can be used to connect to a remote server using RLOGIN, and it includes features such as tabbed sessions, customizable toolbars, and scripting support.

  • Xshell – A terminal emulator that supports various network protocols, including RLOGIN. Xshell can be used to connect to a remote server using RLOGIN and includes features such as tabbed sessions, customizable keymaps, and scripting support.

  • Netcat – A simple network utility that can be used for port scanning, file transfer, and remote shell access. Netcat can be used to test RLOGIN by connecting to port 513/tcp and attempting to log in to the remote server.

  • Nmap – A port scanning tool that can be used to identify open ports on a remote server. Nmap can be used to scan for open RLOGIN ports and test for vulnerabilities.

  • Wireshark – A network protocol analyzer that can be used to capture and analyze network traffic. Wireshark can be used to capture RLOGIN traffic and identify potential security issues.

  • tcpdump – A command-line tool that can be used to capture network packets. tcpdump can be used to capture RLOGIN traffic and analyze it for potential security issues.

  • Manual Penetration Testing – A manual approach to testing RLOGIN involves using a combination of tools and techniques to identify vulnerabilities and exploit them. This approach typically involves a skilled security professional and may include techniques such as social engineering, password cracking, and network sniffing.

Automated Tools:

  • Metasploit Framework – An open-source penetration testing tool that includes various modules for testing network security. Metasploit includes an RLOGIN module that can be used to test for vulnerabilities and exploit them.

  • Nessus – A commercial vulnerability scanner that can be used to identify security issues on a network. Nessus includes a plugin for testing RLOGIN and can provide detailed reports on potential vulnerabilities.

  • OpenVAS – An open-source vulnerability scanner that can be used to identify security issues on a network. OpenVAS includes a plugin for testing RLOGIN and can provide detailed reports on potential vulnerabilities.

  • Nikto – An open-source web server scanner that can be used to identify vulnerabilities in web applications. Nikto includes a plugin for testing RLOGIN and can provide detailed reports on potential vulnerabilities.

  • ZAP (Zed Attack Proxy) – An open-source web application security testing tool that can be used to identify vulnerabilities in web applications. ZAP includes a plugin for testing RLOGIN and can provide detailed reports on potential vulnerabilities.

  • OWASP Amass – An open-source tool for performing reconnaissance and network mapping. OWASP Amass includes modules for testing RLOGIN and can provide detailed reports on potential vulnerabilities.

  • Snort – An open-source intrusion detection system that can be used to monitor network traffic for potential security issues. Snort includes rules for detecting RLOGIN traffic and can alert on potential threats.

  • Fail2ban – An open-source intrusion prevention system that can be used to block brute-force attacks. Fail2ban includes a plugin for detecting RLOGIN brute-force attacks and can block IP addresses that exhibit such behavior.

  • Brutus – A commercial password cracking tool that can be used to test the strength of passwords. Brutus can be used to test RLOGIN passwords and identify weak passwords that may be vulnerable to brute-force attacks.

  • Hydra – An open-source password cracking tool that can be used to test the strength of passwords. Hydra can be used to test RLOGIN passwords and identify weak passwords that may be vulnerable to brute-force attacks.

Last five known CVE for RLOGIN

CVE-2014-5355: MIT Kerberos 5 (aka krb5) through 1.13.1 incorrectly expects that a krb5_read_message data field is represented as a string ending with a ‘\0’ character, which allows remote attackers to (1) cause a denial of service (NULL pointer dereference) via a zero-byte version string or (2) cause a denial of service (out-of-bounds read) by omitting the ‘\0’ character, related to appl/user_user/server.c and lib/krb5/krb/recvauth.c. 

CVE-2010-2967: The loginDefaultEncrypt algorithm in loginLib in Wind River VxWorks before 6.9 does not properly support a large set of distinct possible passwords, which makes it easier for remote attackers to obtain access via a (1) telnet, (2) rlogin, or (3) FTP session. 

CVE-2010-2966: The INCLUDE_SECURITY functionality in Wind River VxWorks 6.x, 5.x, and earlier uses the LOGIN_USER_NAME and LOGIN_USER_PASSWORD (aka LOGIN_PASSWORD) parameters to create hardcoded credentials, which makes it easier for remote attackers to obtain access via a (1) telnet, (2) rlogin, or (3) FTP session.

CVE-2008-4212: Unspecified vulnerability in rlogind in the rlogin component in Mac OS X 10.4.11 and 10.5.5 applies hosts.equiv entries to root despite what is stated in documentation, which might allow remote attackers to bypass intended access restrictions. 

CVE-2007-0670: Buffer overflow in bos.rte.libc in IBM AIX 5.2 and 5.3 allows local users to execute arbitrary code via the “r-commands”, possibly including (1) rdist, (2) rsh, (3) rcp, (4) rsync, and (5) rlogin.

Standard  commands from unauthorised

rlogin -l root <ip>

Bruteforce connection

nmap -p 513 –script rlogin-brute <ip>

Useful information

RLOGIN is an insecure protocol, as it transmits login credentials in plaintext over the network, making them vulnerable to interception and exploitation by attackers.

RLOGIN is typically used on Unix and Unix-like systems.

RLOGIN allows users to log in to a remote system and execute commands on that system as if they were physically present at the system’s console.

RLOGIN is rarely used today due to its inherent security weaknesses, and has largely been replaced by more secure remote login protocols such as SSH.

Known banners

“SSH ready” – This banner indicates that the SSH server is ready to accept connections from SSH clients.

“SSH authentication successful” – This banner indicates that the SSH client has successfully authenticated with the SSH server.

“SSH connection closed” – This banner indicates that the SSH connection has been closed, either by the client or the server.

“FTP ready” – This banner indicates that the FTP server is ready to accept connections from FTP clients.

“SMTP ready” – This banner indicates that the SMTP server is ready to accept email messages from SMTP clients.

“HTTP/HTTPS ready” – This banner indicates that the HTTP/HTTPS server is ready to serve web pages to HTTP/HTTPS clients.

“DNS server ready” – This banner indicates that the DNS server is ready to receive queries from DNS clients.

Books for studies The Internet Key Exchange (IKE) protocol

Unix Network Programming, Volume 1: The Sockets Networking API by W. Richard Stevens – This book covers the fundamentals of networking in Unix systems, including RLOGIN and other remote login protocols. It includes code examples and practical advice for implementing network applications.

TCP/IP Illustrated, Volume 1: The Protocols by W. Richard Stevens – This book provides a comprehensive overview of the TCP/IP protocol suite, including RLOGIN and other remote login protocols. It includes detailed explanations and illustrations of how the protocols work.

SSH, The Secure Shell: The Definitive Guide by Daniel J. Barrett and Richard E. Silverman – While this book focuses on the SSH protocol rather than RLOGIN, it includes a discussion of RLOGIN and other legacy remote login protocols. It provides an overview of the security issues with these protocols and the benefits of using SSH instead.

Network Security with OpenSSL by John Viega, Matt Messier, and Pravir Chandra – This book covers the OpenSSL library, which includes support for both RLOGIN and SSH. It includes information on how to use OpenSSL to secure network communications and implement secure remote login.

Practical UNIX and Internet Security, 3rd Edition by Simson Garfinkel, Gene Spafford, and Alan Schwartz – This book provides a comprehensive overview of Unix and Internet security, including a discussion of remote login protocols such as RLOGIN and Telnet. It includes practical advice for securing network communications and protecting against security threats.

Mitigation

  1. Disable RLOGIN – If possible, disable RLOGIN on all servers and workstations. This will eliminate the risk of RLOGIN-related security breaches.

  2. Use SSH instead of RLOGIN – SSH is a much more secure alternative to RLOGIN, and can be used for remote access to servers and workstations.

  3. Use a VPN – If RLOGIN is necessary, use a virtual private network (VPN) to encrypt the connection and protect against eavesdropping.

  4. Implement Two-Factor Authentication – Use two-factor authentication to add an additional layer of security to RLOGIN. This can help prevent unauthorized access to the system.

  5. Encrypt Passwords – Use encryption to protect passwords when they are transmitted over the RLOGIN connection. This can help prevent password sniffing attacks.

  6. Restrict Access – Restrict access to RLOGIN to only authorized users. This can help prevent unauthorized access to the system.

  7. Audit RLOGIN Usage – Monitor RLOGIN usage and audit login attempts for signs of suspicious activity. This can help detect and prevent security breaches.

  8. Use Firewall Rules – Use firewall rules to restrict access to RLOGIN from external networks. This can help prevent attacks from outside the organization.

Conclusion

The rlogin protocol is insecure as it transmits data in clear text, making it vulnerable to attacks such as eavesdropping, password interception, and impersonation. It has been replaced by more secure protocols like SSH and HTTPS. The use of rlogin should be avoided wherever possible, and if unavoidable, measures such as limiting access, firewall configuration, encryption of sensitive data, and strong authentication should be taken to mitigate risks.

Other Services

Ready to secure?

Let's get in touch