Port 512 – REXEC (Remote Execution)

Service: rexec
Protocol: TCP
Port: 512
Used for: Remote execution service for Unix systems

Why It’s Open

Port 512 is used by the Remote Process Execution (REXEC) protocol, a legacy Unix service that allows remote execution of commands. This service was commonly used in early Unix environments for remote administration but is now considered highly insecure due to its lack of encryption and weak authentication.

System administrators historically used REXEC for remote command execution between trusted hosts. While largely obsolete, it may still be found on legacy systems or in environments with outdated security practices.

Common Risks

  • Clear-text Authentication
    Credentials are transmitted without encryption
  • Command Injection
    Weak input validation can lead to unauthorized execution
  • Privilege Escalation
    A successfully exploited REXEC service can grant system access
  • Network Sniffing
    All commands and data are transmitted in plaintext
  • Brute Force Attacks
    No lockout mechanisms for failed authentication

Enumeration & Testing

Check if it’s open:

nmap -sT -p 512 <target>

Test REXEC connection:

nc -vn <target-ip> 512

Attempt authentication:

rexec

What to Look For

Checkpoint              | What it means
REXEC service running   | Legacy insecure service exposed
No encryption in use    | All traffic visible to sniffers
Weak authentication     | Susceptible to credential attacks
System commands allowed | Remote code execution possible

Mitigation

  • Disable REXEC
    Remove or disable the REXEC service entirely
  • Use SSH
    Replace with secure shell (SSH) for remote execution
  • Access Controls
    If required, restrict to specific trusted hosts
  • Network Isolation
    Run only on isolated management networks
  • Logging
    Enable comprehensive logging of all REXEC activity
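
To verify the "Disable REXEC" step on a host, the super-server configuration can be audited for an active rexec entry. The following is an added example, not part of the original page; it assumes the service is launched by inetd or xinetd under the /etc/services name "exec", and the sample configs and daemon paths in it are constructed.

```python
import re

# Constructed sample configs (not taken from any real host).
SAMPLE_INETD = """\
# legacy r-services
#shell  stream  tcp  nowait  root  /usr/sbin/in.rshd    in.rshd
exec    stream  tcp  nowait  root  /usr/sbin/in.rexecd  in.rexecd
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd    in.ftpd
"""
SAMPLE_XINETD = """\
service exec
{
    disable     = no
    socket_type = stream
    user        = root
    server      = /usr/sbin/in.rexecd
}
service login
{
    disable     = yes
}
"""
REXEC_NAMES = {"exec", "512"}  # name from /etc/services, or the raw port

def inetd_rexec_lines(text):
    """Return (line_no, line) for every active inetd.conf entry serving rexec."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) < 6 or not fields[2].startswith("tcp"):
            continue
        # the service field may carry an address prefix such as 10.0.0.5:exec
        if fields[0].rsplit(":", 1)[-1] in REXEC_NAMES:
            hits.append((no, line.strip()))
    return hits

def xinetd_rexec_enabled(text):
    """Return True if an xinetd 'service exec' stanza is not disabled."""
    stanzas = re.findall(r"^\s*service\s+(\S+)\s*\{(.*?)\}", text, re.S | re.M)
    for name, body in stanzas:
        attrs = dict(re.findall(r"^\s*(\w+)\s*[-+]?=\s*(.*?)\s*$", body, re.M))
        # a stanza without 'disable = yes' counts as enabled
        if name in REXEC_NAMES and attrs.get("disable", "no").lower() != "yes":
            return True
    return False

if __name__ == "__main__":
    for no, line in inetd_rexec_lines(SAMPLE_INETD):
        print(f"inetd.conf:{no}: rexec enabled -> {line}")
    print("xinetd rexec enabled:", xinetd_rexec_enabled(SAMPLE_XINETD))
```

On a real host, feed the functions the contents of /etc/inetd.conf and the files under /etc/xinetd.d/ instead of the samples.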

Real World Example

In 2021, security researchers discovered active exploitation of REXEC services in industrial control systems, where attackers used credential spraying to gain unauthorized access to legacy Unix systems.

TL;DR

  • Port 512 = REXEC service
  • Extremely insecure legacy protocol
  • Should be replaced with SSH
  • No legitimate modern use case

Known CVEs and Exploits

  • CVE-1999-0651 – REXEC authentication bypass vulnerability
  • Metasploit rexec_login module – Automated credential brute forcing
  • Hydra REXEC module – Multi-threaded password attacks