Nmap Development mailing list archives
NSE: RMI Dumpregistry
From: Martin Holst Swende <martin () swende se>
Date: Sun, 20 Jun 2010 00:31:33 +0200
Hi list, I have (inspired by [1]) implemented an nse script which connects to a Java RMI Registry and dump out the names of all bound objects. It then loops over those names and performs lookup, which retrieves some more info, namely the class hash, the implemented interfaces and superclass hierarchy. I imagine this can be quite useful since it may tell quite a bit about the application - depending on how it uses the registry. For example, if the app uses JMX (Java Management eXtensions) which is a kind of framework to administer any java application remotely, the registry will contain a "jmxconnector" object. There may be quite a handful of applications which could be fingerprinted by the object names in the registry, but I have not performed extensive testing on that. Also, if the objects are of a public type, i.e you can download the class-files from somewhere, it is a giveaway that it is possible to explore the app further using native java RMI instead, and interact directly with the application. If they are proprietary or hidden, the interface name or object name may still provide useful input for fingerprinting. The script uses a library for RMI, which is included in the attachment. I have written quite a lot of documentation inside the library, so I'll keep it short here. It can invoke simple methods over RMI, and one thing I think would be very nice to use it for as a next project, is to write a bruteforcer for jmx. It seems to be pretty simple (the network dump I looked at while connecting to a JMX console with JConsole showed the password in plain text - so it seems to not even to be a challenge-response process). It should also be possible to use the library to skip the registry-lookup and connect directly to other stuff, if you know what the application is (and know what object id's are addressable and how their method signature look) - e.g write another script to interact with Neo4j or some other RMI based java app. Files are attached, but also available from http://martin.swende.se/hgwebdir.cgi/nsescripts/ 1: http://aboulton.blogspot.com/2009/04/security-assessing-java-rmi-slides.html Regards, Martin Holst Swende ps. One problem I run into pretty often is that RMI is often not detected, since different apps tend to open ports on different places. They are usually only found using --version-all, so it makes it difficult to run the script. Would it be possible to include the rmi-payload less restrictively?
Attachment:
rmi.tar.gz
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- NSE: RMI Dumpregistry Martin Holst Swende (Jun 19)