hacktricks/pentesting/1099-pentesting-java-rmi.md

# 1098/1099 - Pentesting Java RMI

## Basic Information

The Java Remote Method Invocation, or Java RMI, is a mechanism that allows an object that exists in one Java virtual machine to access and call methods that are contained in another Java virtual machine; This is basically the same thing as a [remote procedure call](https://null-byte.wonderhowto.com/how-to/hack-like-pro-exploit-and-gain-remote-access-pcs-running-windows-xp-0134709/), but in an object-oriented paradigm instead of a procedural one, which allows for communication between Java programs that are not in the same address space.

One of the major advantages of RMI is the ability for remote objects to load new classes that aren't explicitly defined already, extending the behavior and functionality of an application.  
From [here](https://null-byte.wonderhowto.com/how-to/exploit-java-remote-method-invocation-get-root-0187685/).

**Default port:** 1099, 1098

```text
PORT     STATE SERVICE     REASON
1099/tcp open  rmiregistry syn-ack
```

## Enumeration

The default configuration of `rmiregistry`allows loading classes from remote URLs, which can lead to remote code execution.

**Basically this service could allow you to execute code.**

```bash
msf> use auxiliary/scanner/misc/java_rmi_server
msf> use auxiliary/gather/java_rmi_registry
nmap -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p <PORT> <IP>
```

### RMI methods enumeration

[https://github.com/BishopFox/rmiscout](https://github.com/BishopFox/rmiscout) to explore and try to find RCE vulnerabilities.  
[https://github.com/NickstaDB/BaRMIe](https://github.com/NickstaDB/BaRMIe) to enumerate and attack

## Reverse Shell

### MSF

```bash
msf> use exploit/multi/browser/java_rmi_connection_impl
```

## Shodan

* `port:1099 java`