Port reference

Port 512 (TCP) – rexec

Legacy Berkeley remote-execution service that passes credentials in cleartext over the network.

tcp | Well-known | Commonly attacked

Default state

Deprecated and disabled on modern systems, but still present on legacy Unix hosts and in lab images like Metasploitable.

Common attacks

  • Cleartext credential capture via sniffing
  • Trust-based authentication abuse via .rhosts files
  • Credential brute force against the rexec daemon
  • Remote command execution on misconfigured hosts

Hardening

  • Disable rexec entirely and use SSH (port 22) instead
  • Remove rexecd from inetd/xinetd and uninstall the r-services package
  • Block inbound 512 at the perimeter firewall
  • Audit and remove any .rhosts and hosts.equiv trust files

nmap snippet

nmap -p512 --script rexec-brute,banner <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 512?

Port 512 is the well-known port for rexec, one of the legacy Berkeley r-services for remote command execution. A client submits a username, password, and command, and the rexecd daemon runs it on the remote host. It dates from an era of trusted networks and has been deprecated for decades, but it still lingers on legacy Unix systems and deliberately vulnerable lab images like Metasploitable.

Why it matters for security

rexec has no encryption: usernames, passwords, and commands travel in cleartext, so anyone on the network path can capture credentials. Worse, the r-services family supports trust-based authentication via .rhosts and hosts.equiv files, which can grant access with no password at all if a trusted host is spoofed or the files are misconfigured. Combined, these make rexec one of the easiest legacy footholds an attacker can find.

How it's attacked

The simplest attack is passive sniffing to harvest cleartext credentials. With trust files in play, attackers spoof a trusted host to execute commands without authenticating. They also brute-force the rexec login and use any valid credentials for remote command execution on the host.

Hardening checklist

Disable rexec entirely and use SSH (port 22) for remote execution. Remove rexecd from inetd/xinetd and uninstall the r-services package. Block inbound 512 at the perimeter firewall, and audit and remove any .rhosts and hosts.equiv trust files that grant passwordless access. The nmap snippet above probes the service and tests authentication on systems you are authorized to test.
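A host-side check for the checklist above, as an added example that is not part of the original page: it reports whether inetd or xinetd still enables the `exec` service (the inetd name for 512/tcp) and lists .rhosts and hosts.equiv trust files, flagging `+` wildcard entries. The function names are hypothetical, and the script assumes the conventional paths /etc/inetd.conf, /etc/xinetd.d, /home and /root.

```shell
#!/bin/sh
# Added example: audit a filesystem root for rexec exposure.
# Usage: audit_rexec /        (or the root of a mounted image)

# Print every r-services trust file under the given root.
find_trust_files() {
    root="${1:-/}"
    if [ -f "$root/etc/hosts.equiv" ]; then echo "$root/etc/hosts.equiv"; fi
    for base in "$root/home" "$root/root"; do
        if [ -d "$base" ]; then
            find "$base" -maxdepth 2 -name .rhosts -type f 2>/dev/null || true
        fi
    done
}

# Print trust files holding a bare "+" entry, which trusts any host or user.
wildcard_trust() {
    find_trust_files "$1" | while IFS= read -r f; do
        if grep -Eq '(^|[[:space:]])\+([[:space:]]|$)' "$f"; then echo "$f"; fi
    done
}

# Return 0 if inetd or xinetd is configured to start the exec (rexec) service.
rexec_enabled() {
    root="${1:-/}"
    # inetd: an uncommented line whose service field is "exec"
    if [ -f "$root/etc/inetd.conf" ] &&
       grep -Eq '^[[:space:]]*exec[[:space:]]' "$root/etc/inetd.conf"; then
        return 0
    fi
    # xinetd: a "service exec" stanza that is not marked "disable = yes"
    for f in "$root"/etc/xinetd.d/*; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*service[[:space:]]+exec([[:space:]]|$)' "$f" &&
           ! grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
            return 0
        fi
    done
    return 1
}

# Print a short report combining the checks above.
audit_rexec() {
    root="${1:-/}"
    if rexec_enabled "$root"; then echo "FAIL rexec enabled"; else echo "ok   rexec not enabled"; fi
    find_trust_files "$root" | sed 's/^/WARN trust file: /'
    wildcard_trust "$root" | sed 's/^/FAIL wildcard trust: /'
}
```

The script reads configuration files only; it does not detect a daemon started by other means, so pair it with a check of listening sockets on 512/tcp.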

Frequently asked questions

Is rexec on port 512 safe to use?
No. rexec is a legacy Berkeley r-service that transmits usernames, passwords, and commands in cleartext with no encryption. It is trivially sniffed and should be replaced by SSH.
What replaces rexec?
SSH on port 22 provides encrypted, authenticated remote command execution. Disable rexec, remove its daemon, and use SSH for all remote execution instead.