Nmap Development mailing list archives

NSE: RMI Dumpregistry


From: Martin Holst Swende <martin () swende se>
Date: Sun, 20 Jun 2010 00:31:33 +0200

Hi list,

I have (inspired by [1]) implemented an NSE script which connects to a
Java RMI Registry and dumps out the names of all bound objects. It then
loops over those names and performs a lookup, which retrieves some more
info, namely the class hash, the implemented interfaces and the superclass
hierarchy.

I imagine this can be quite useful since it may tell quite a bit about
the application - depending on how it uses the registry. For example, if
the app uses JMX (Java Management eXtensions) which is a kind of
framework to administer any java application remotely, the registry will
contain a "jmxconnector" object. There may be quite a handful of
applications which could be fingerprinted by the object names in the
registry, but I have not performed extensive testing on that.

Also, if the objects are of a public type, i.e. you can download the
class files from somewhere, it is a giveaway that it is possible to
explore the app further using native Java RMI instead, and interact
directly with the application. If they are proprietary or hidden, the
interface name or object name may still provide useful input for
fingerprinting.

The script uses a library for RMI, which is included in the attachment.
I have written quite a lot of documentation inside the library, so I'll
keep it short here. It can invoke simple methods over RMI, and one thing
I think would be very nice to use it for as a next project is to write
a bruteforcer for JMX. It seems to be pretty simple (the network dump I
looked at while connecting to a JMX console with JConsole showed the
password in plain text - so it seems not even to be a
challenge-response process). It should also be possible to use the
library to skip the registry lookup and connect directly to other
stuff, if you know what the application is (and know what object IDs
are addressable and how their method signatures look) - e.g. write another
script to interact with Neo4j or some other RMI-based Java app.

Files are attached, but also available from
http://martin.swende.se/hgwebdir.cgi/nsescripts/

1:
http://aboulton.blogspot.com/2009/04/security-assessing-java-rmi-slides.html

Regards,
Martin Holst Swende
ps. One problem I run into pretty often is that RMI is often not
detected, since different apps tend to open ports on different places.
They are usually only found using --version-all, so it makes it
difficult to run the script. Would it be possible to include the
rmi-payload less restrictively?

Attachment: rmi.tar.gz

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
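What the post's library does on the wire, as an added example written for this page (my code, not the attached rmi library or the NSE script): the JRMI stream-protocol handshake, a generic Call builder of the kind the post suggests for talking to non-registry objects once you know their ObjID, operation number and interface hash, and the registry's list() and lookup() as instances of it. The ObjID, operation numbers and interface hash are the JDK registry's published values; split_return only separates the return code from the serialized result and does not decode it. The host and port are whatever you point the script at, and reading each reply "until the server goes quiet" is my simplification: RMI does not frame reply length, so each call costs one socket timeout.

```python
"""Added example (my code, not the rmi library attached to the post): the JRMI stream
transport and the Call/Return framing, for the registry and for any other remote object
whose ObjID, operation number and interface hash are known."""
import socket
import struct

JRMI_HEADER = b"JRMI" + struct.pack(">HB", 2, 0x4B)      # magic, protocol version 2, StreamProtocol
PROTOCOL_ACK, MSG_CALL, MSG_RETURN = 0x4E, 0x50, 0x51
RETURN_NORMAL, RETURN_EXCEPTION = 0x01, 0x02
SER_MAGIC = b"\xac\xed\x00\x05"                          # STREAM_MAGIC + STREAM_VERSION
TC_BLOCKDATA, TC_STRING = 0x77, 0x74
REGISTRY_OBJID = b"\x00" * 22                             # objNum 0 + UID (unique, time, count) all zero
REGISTRY_INTERFACE_HASH = 0x44154DC9D4E63BDF              # interface hash of the Registry stub
OP_LIST, OP_LOOKUP = 1, 2                                 # RegistryImpl_Skel operation numbers


def java_utf(s):
    """2-byte length prefix + bytes, as writeUTF does (ASCII is enough for these names)."""
    return struct.pack(">H", len(s.encode())) + s.encode()


def build_call(objid, op, interface_hash, args=b""):
    """Call message: 0x50, then an ObjectOutputStream whose first block-data record carries
    the ObjID, the operation number and the interface hash; serialized arguments follow."""
    body = objid + struct.pack(">iQ", op, interface_hash)   # ObjID(22) + op(4) + hash(8) = 34 bytes
    return bytes([MSG_CALL]) + SER_MAGIC + bytes([TC_BLOCKDATA, len(body)]) + body + args


def registry_list_call():
    return build_call(REGISTRY_OBJID, OP_LIST, REGISTRY_INTERFACE_HASH)


def registry_lookup_call(name):
    """lookup(String): the name is written with writeObject, so it lands as a TC_STRING."""
    arg = bytes([TC_STRING]) + java_utf(name)
    return build_call(REGISTRY_OBJID, OP_LOOKUP, REGISTRY_INTERFACE_HASH, arg)


def split_return(reply):
    """Return message: 0x51, stream magic, one block-data record holding the return code and
    the reply UID (15 bytes), then the serialized result or thrown exception. Gives (code, payload)."""
    if reply[:5] != bytes([MSG_RETURN]) + SER_MAGIC or reply[5] != TC_BLOCKDATA or reply[6] != 15:
        raise ValueError("not an RMI Return message")
    code = reply[7]
    if code not in (RETURN_NORMAL, RETURN_EXCEPTION):
        raise ValueError("unknown return code 0x%02x" % code)
    return code, reply[7 + reply[6]:]


def rmi_session(host, port, timeout=3.0):
    """JRMI stream handshake: header, then ProtocolAck + the server's EndpointIdentifier,
    then our EndpointIdentifier. A listener that is not RMI never answers 0x4E."""
    s = socket.create_connection((host, port), timeout)
    s.sendall(JRMI_HEADER)
    if s.recv(1) != bytes([PROTOCOL_ACK]):
        s.close()
        raise ValueError("no ProtocolAck: not an RMI endpoint, or not StreamProtocol")
    # Server endpoint = UTF host + int port; ack and endpoint normally arrive together, so the
    # short reads below are fine for a probe (a robust client would loop on recv).
    s.recv(struct.unpack(">H", s.recv(2))[0] + 4)
    s.sendall(java_utf("") + struct.pack(">i", 0))        # client endpoint; list/lookup ignore it
    return s


def rmi_call(s, msg):
    """Sends one Call and collects the Return; RMI does not frame reply length, so this reads
    until the socket timeout fires and takes that as end of reply."""
    s.sendall(msg)
    reply = b""
    try:
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    except socket.timeout:                                # server went quiet: reply complete
        pass
    return split_return(reply)


if __name__ == "__main__":
    import sys
    s = rmi_session(sys.argv[1], int(sys.argv[2]))
    code, payload = rmi_call(s, registry_list_call())
    print("return code 0x%02x, %d bytes of serialized result: %r" % (code, len(payload), payload[:64]))
```

Run it as `python rmi_probe.py <host> <port>` against a registry found with --version-all; a return code of 0x02 means the remote side threw, and the payload is then the serialized exception rather than the String[]. For the "connect directly to other stuff" case from the post, call build_call with that object's own ObjID and hash instead of the registry's.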

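Reading what comes back, as a second added example for this page (mine, not the post's library): a small reader for the Java serialization stream an RMI reply carries, enough to recover the String[] from list() and, from lookup(), the stub's class name, serialVersionUID (the "class hash" of the post), implemented interfaces for dynamic proxies, superclass chain and codebase annotation. That annotation is where RMI's MarshalOutputStream writes the server's java.rmi.server.codebase URL, i.e. the place the post means when it says the class files may be downloadable. The input is assumed to be the payload after the Return header. The sample payloads at the bottom are constructed bytes, not captured traffic: the SUIDs, the codebase URL and the org.example.* name are invented, while the JDK class names are real.

```python
"""Added example (my code, not the post's rmi library): a reader for the Java serialization
stream an RMI registry sends back, enough to recover the String[] from list() and, from
lookup(), the stub's class name, serialVersionUID, interfaces, superclass chain and codebase."""
import struct

TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT, TC_STRING = 0x70, 0x71, 0x72, 0x73, 0x74
TC_ARRAY, TC_ENDBLOCKDATA, TC_PROXYCLASSDESC = 0x75, 0x78, 0x7D
BASE_HANDLE = 0x7E0000                                    # first back-reference handle in a stream


def java_utf(s):
    """2-byte length prefix + bytes, as writeUTF does (ASCII is enough for these names)."""
    return struct.pack(">H", len(s.encode())) + s.encode()


class JavaStream:
    """Reads the subset of the stream format an RMI reply uses; object field values are skipped."""
    def __init__(self, data):
        self.data, self.pos, self.handles = data, 0, []

    def unpack(self, fmt):                                # one big-endian primitive
        n = struct.calcsize(fmt)
        if self.pos + n > len(self.data):
            raise ValueError("truncated stream at offset %d" % self.pos)
        self.pos += n
        return struct.unpack(">" + fmt, self.data[self.pos - n:self.pos])[0]

    def utf(self):
        n = self.unpack("H")
        raw, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return raw.decode("utf-8")

    def value(self):
        """One item. Class descriptors come back as dicts: class, suid, interfaces, codebase, super."""
        tc = self.unpack("B")
        if tc == TC_NULL:
            return None
        if tc == TC_REFERENCE:                            # back-reference to an earlier handle
            return self.handles[self.unpack("i") - BASE_HANDLE]
        if tc == TC_STRING:
            self.handles.append(self.utf())
            return self.handles[-1]
        if tc == TC_ARRAY:
            desc, arr = self.value(), []
            self.handles.append(arr)
            if not desc["class"].startswith("[L"):
                raise ValueError("only object arrays are handled, not " + desc["class"])
            arr.extend([self.value() for _ in range(self.unpack("i"))])
            return arr
        if tc == TC_OBJECT:                               # a stub: the class descriptor is the payload
            self.handles.append(self.value())
            return self.handles[-1]
        if tc not in (TC_CLASSDESC, TC_PROXYCLASSDESC):
            raise ValueError("unhandled tag 0x%02x at offset %d" % (tc, self.pos - 1))
        desc = {"class": "(dynamic proxy)", "suid": None, "interfaces": [], "codebase": None}
        if tc == TC_CLASSDESC:
            desc["class"], desc["suid"] = self.utf(), self.unpack("Q")
        self.handles.append(desc)                         # handle is assigned before the details
        if tc == TC_PROXYCLASSDESC:
            desc["interfaces"] = [self.utf() for _ in range(self.unpack("i"))]
        else:
            self.unpack("B")                              # classDescFlags
            for _ in range(self.unpack("H")):             # fields: typecode, name, type name for L/[
                code, _name = self.unpack("B"), self.utf()
                if code in (ord("L"), ord("[")):
                    self.value()
        while self.unpack("B") != TC_ENDBLOCKDATA:        # class annotation: RMI's MarshalOutputStream
            self.pos -= 1                                 # writes the codebase URL (or null) here
            ann = self.value()
            if isinstance(ann, str):
                desc["codebase"] = ann
        desc["super"] = self.value()                      # superclass descriptor, or null at the top
        return desc


def class_chain(desc):
    """Class names from the stub's own class up the superclass chain."""
    return [] if desc is None else [desc["class"]] + class_chain(desc["super"])


def _classdesc(name, suid, codebase=None):
    """Field-less TC_CLASSDESC with an RMI-style annotation, for the constructed samples below."""
    ann = bytes([TC_STRING]) + java_utf(codebase) if codebase else bytes([TC_NULL])
    return (bytes([TC_CLASSDESC]) + java_utf(name) + struct.pack(">Q", suid) + b"\x02\x00\x00"
            + ann + bytes([TC_ENDBLOCKDATA]))             # flags SC_SERIALIZABLE, zero fields


# Constructed payloads (what follows the Return header), not captured traffic; SUIDs, the
# codebase URL and org.example.* are made up, the JDK class names are real.
SAMPLE_LIST = (bytes([TC_ARRAY]) + _classdesc("[Ljava.lang.String;", 0x1) + bytes([TC_NULL])
               + struct.pack(">i", 2) + bytes([TC_STRING]) + java_utf("jmxconnector")
               + bytes([TC_STRING]) + java_utf("neo4j"))
SAMPLE_STUB = (bytes([TC_OBJECT])
               + _classdesc("javax.management.remote.rmi.RMIServerImpl_Stub", 0x1122334455667788,
                            "http://codebase.example/classes/")
               + _classdesc("java.rmi.server.RemoteStub", 0x2)
               + _classdesc("java.rmi.server.RemoteObject", 0x3) + bytes([TC_NULL]))
SAMPLE_PROXY = (bytes([TC_OBJECT, TC_PROXYCLASSDESC]) + struct.pack(">i", 2)
                + java_utf("org.example.AdminService") + java_utf("java.rmi.Remote")
                + bytes([TC_NULL, TC_ENDBLOCKDATA]) + _classdesc("java.lang.reflect.Proxy", 0x4)
                + bytes([TC_NULL]))
```

JavaStream(SAMPLE_LIST).value() gives the bound names; JavaStream(SAMPLE_STUB).value() gives a descriptor whose class_chain is the stub class, java.rmi.server.RemoteStub and java.rmi.server.RemoteObject, with the codebase URL attached. A null codebase with a non-JDK class name is the "proprietary or hidden" case from the post: the name is all you get, but it is still a fingerprint. The reader stops after the class chain on purpose; the stub's field data (the remote reference) is where a full client would continue.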