Nmap Development mailing list archives
Re: Java RMI service finderprint?
From: Martin Holst Swende <martin () swende se>
Date: Wed, 14 Sep 2011 08:39:01 +0200
Nice work! I haven't tested it yet, need to set up an RMI test environment again after a clean install. However, some thoughts from looking at the source:

- There are some issues with your source code formatter. See for example rmi.lua:347 and onwards, where the code starts creeping to the right.
- In rmi.lua:405, there is a variable 'handles', which is 'script-local' and, afaict, shared by all script instances using the library. That variable gets cleaned out at line 949, when an instance of a script reads returndata from a method call. So, at a glance, it looks like there could be issues if multiple instances of scripts are using the library simultaneously...?
- In rmi-dumpregistry: the svn version uses 'java-rmi', but yours uses 'rmi' in the @output section, but 'jrmi' (with J) in the portrule and port.version.name.
- Similarly, in rmi-jmx.nse, your portrule is:

    portrule = shortport.port_or_service({1098, 1099, 1090, 8901, 8902, 8903}, {"jrmi"})

  but reporting is:

    port.version.name = 'rmi'

Related to what Java RMI is called, in nmap-services there are these entries:

    rmiactivation 1098/tcp 0.000380 # RMI Activation
    rmiactivation 1098/udp 0.000991 # RMI Activation
    rmiregistry   1099/tcp 0.000380 # RMI Registry
    rmiregistry   1099/udp 0.000661 # RMI Registry

nmap-service-probes looks like this:

    Probe TCP JavaRMI q|\x4a\x52\x4d\x49\0\x02\x4b|
    rarity 8
    ports 706,1098,1099,1981
    match rmiregistry m|^\x4e..[0-9.]+\0\0..$|s p/Java RMI/
    match rmiregistry m|^\x4e..([\w._-]+)\0\0..$|s p/GNU Classpath grmiregistry/ h/$1/

So, it's a bit of a mess, and in conclusion:

- If a user scans a closed or filtered port 1098/1099, it will display as 'rmiactivation'/'rmiregistry'.
- If a user does a service scan of any non-standard port with RMI, it will display as 'rmiregistry'.
- If a user does a script scan on 1098/1099 etc., it will display as 'rmi' or 'jrmi'.

Here is an alternate suggestion:

* services uses 'rmiregistry' for 1098, 1099, because those are the standard ports for the registry. Does anyone know what RMI activation is?
* service probes uses 'java-rmi'. The probe (afaict) does not go deep enough to actually determine if the endpoint is a registry or some other kind of RMI service.
* the scripts use 'rmiregistry' when an RMI registry is detected.

Cheers!
/Martin

On 09/14/2011 02:01 AM, Gabriel Lawrence wrote:
Hey guys,

I've made some changes to this that make it work in more situations and make it cleaner when anonymous access is on. The older version would succeed for everything in your brute force dictionary when anonymous was on... making for some really big result sets. Doh.

This tar includes a modified rmi.lua, modified rmi-dumpregistry.nse and a new rmi-jmx.nse. Let me know what you think.

gabe

On Thu, Jun 30, 2011 at 10:28 AM, Gabriel Lawrence <gabriel.lawrence () gmail com> wrote:

Martin,

I'm illogical ;-)

I've got a modified rmi.lua and rmi-jmx.nse that will bruteforce JMX logins. I've attached a tar file of the three scripts for you to take a look at. I need to do some cleanup and commenting still, but it works for me. Let me know what you think. I'd like to submit this back to nmap, but with the changes I made to ssl-enum-ciphers getting totally ignored I'm not sure the best way to make sure that this effort gets used. Hopefully, if you support this it will be easy to get it in.

To get this to work, I had to modify the rmi.lua library a bit. It had some specific stuff that was only accurate for the RMI Registry calls that it was doing, so I cleaned that up and I added a few more argument types to support the login. It first tries to login anonymously, then it uses the brute library to brute-force its way through things. Assuming you think this looks reasonable, I'll clean it up a bit and add some comments and send it to the list.

Below is output:

glawrenc@glawrenc-linux:/usr/local/share/nmap$ nmap -sV -p9999 -script=rmi-jmx localhost

Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-06-30 10:24 PDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000097s latency).
PORT     STATE SERVICE VERSION
9999/tcp open  rmi     Java RMI Registry
| rmi-jmx:
|   JMX Version: 1.0 java_runtime_1.6.0_20-b20
|   Anonymous access denied.
|   guest:gt access to JMX Service
|   Beans
|     Catalina:type=Loader,context=/AppletProxy,host=localhost-ssl
|     Catalina:type=Environment,resourcetype=Context,context=/examples,host=localhost,name=foo/bar/name2
|     Catalina:type=WebappClassLoader,context=/,host=localhost
|     Catalina:type=Valve,context=/SessionTest2,host=localhost,name=NonLoginAuthenticator
|     Catalina:j2eeType=Servlet,name=stock,WebModule=//localhost-ssl/examples,J2EEApplication=none,J2EEServer=none
|     Catalina:type=Valve,context=/AppletProxy,host=localhost,name=StandardContextValve
|     Catalina:j2eeType=Servlet,name=HelloWorldExample,WebModule=//localhost/examples,J2EEApplication=none,J2EEServer=none
|     Catalina:type=JspMonitor,name=jsp,WebModule=//localhost/,J2EEApplication=none,J2EEServer=none
|     Catalina:j2eeType=Servlet,name=jsp,WebModule=//localhost/examples,J2EEApplication=none,J2EEServer=none
|     Catalina:j2eeType=Servlet,name=RequestParamExample,WebModule=//localhost-ssl/examples,J2EEApplication=none,J2EEServer=none
|     Catalina:j2eeType=Servlet,name=jsp,WebModule=//localhost-ssl/,J2EEApplication=none,J2EEServer=none
|     java.lang:type=MemoryPool,name=Code Cache
|     Catalina:j2eeType=Servlet,name=default,WebModule=//localhost-ssl/AppletProxy,J2EEApplication=none,J2EEServer=none
|     Catalina:type=Resource,resourcetype=Global,class=org.apache.catalina.UserDatabase,name="UserDatabase"
|     Catalina:j2eeType=Servlet,name=async3,WebModule=//localhost-ssl/examples,J2EEApplication=none,J2EEServer=none
|     Catalina:j2eeType=Servlet,name=async1,WebModule=//localhost-ssl/examples,J2EEApplication=none,J2EEServer=none
|     Catalina:j2eeType=Servlet,name=async2,WebModule=//localhost-ssl/examples,J2EEApplication=none,J2EEServer=none
|     Catalina:j2eeType=Servlet,name=async0,WebModule=//localhost-ssl/examples,J2EEApplication=none,J2EEServer=none
|     Catalina:type=Cache,host=localhost-ssl,context=/AppletProxy
|     Catalina:type=Valve,context=/SessionTest2,host=localhost-ssl,name=NonLoginAuthenticator
|     Catalina:j2eeType=WebModule,name=//localhost-ssl/AppletProxy,J2EEApplication=none,J2EEServer=none
|     Catalina:j2eeType=Servlet,name=RequestParamExample,WebModule=//localhost/examples,J2EEApplication=none,J2EEServer=none
|_    JMImplementation:type=MBeanServerDelegate

Cheers,
gabe

On Tue, Jun 14, 2011 at 10:37 AM, Martin Holst Swende <martin () swende se> wrote:

The 'next step', which I started at, would be to write an authentication script for the jmx connector, and use the bruteforce library to perform credentials guessing against the jmx service. I abandoned it for other things (as I recall it, authentication is a multistep process where the return values of the first call must be handled correctly - which was not trivial. Writing a bruteforcer based on java seemed much more logical, so I kind of let it go) - but I may make another effort, it would be pretty cool to have around.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
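As an added example (not code from this thread or from Nmap), the JavaRMI probe and its two match lines quoted in Martin's message transcribed to Python, together with a decoder for the JRMP ProtocolAck they match; it illustrates Martin's point that the ack only carries a peer host and port, so the probe cannot tell a registry from any other JRMP endpoint. build_ack and the sample hosts and ports in it are constructed here so the block runs offline.

```python
import re
import struct

# Probe bytes from the nmap-service-probes entry quoted above:
# "JRMI" magic, protocol version 2, 'K' (0x4b) = StreamProtocol.
JAVARMI_PROBE = b"\x4a\x52\x4d\x49\x00\x02\x4b"

# The two match lines, transcribed to Python regexes over bytes.
# re.DOTALL is the equivalent of nmap's trailing 's' flag.
MATCHES = [
    ("rmiregistry", "Java RMI",
     re.compile(rb"^\x4e..[0-9.]+\x00\x00..$", re.DOTALL)),
    ("rmiregistry", "GNU Classpath grmiregistry",
     re.compile(rb"^\x4e..([\w._-]+)\x00\x00..$", re.DOTALL)),
]


def parse_protocol_ack(data):
    """Decode a JRMP ProtocolAck: 0x4e, then a UTF string (2-byte big-endian
    length + bytes) naming the peer host, then a 4-byte int port.
    Returns (host, port), or None if the bytes are not a well-formed ack."""
    if len(data) < 7 or data[0] != 0x4E:
        return None
    (hlen,) = struct.unpack(">H", data[1:3])
    if len(data) != 3 + hlen + 4:
        return None
    host = data[3:3 + hlen].decode("utf-8", errors="replace")
    (port,) = struct.unpack(">i", data[3 + hlen:])
    return host, port


def classify(data):
    """Apply the match lines in file order, as nmap does, to a probe response.
    Returns (service, product, captured host or None), or None for no match.
    Both lines report the same service name: nothing in the ack says whether
    the endpoint is a registry, an activation system or some other object."""
    for service, product, rx in MATCHES:
        m = rx.match(data)
        if m:
            host = m.group(1).decode("utf-8", errors="replace") if m.groups() else None
            return service, product, host
    return None


def build_ack(host, port):
    """Constructed helper: encode a ProtocolAck the way a JRMP endpoint would,
    so sample responses can be produced without a live RMI server."""
    h = host.encode("utf-8")
    return b"\x4e" + struct.pack(">H", len(h)) + h + struct.pack(">i", port)


if __name__ == "__main__":
    # Constructed samples: an IP-literal host (first match line) and a
    # hostname (only the GNU Classpath line accepts letters).
    for sample in (build_ack("127.0.0.1", 45678), build_ack("myhost", 1099)):
        print(parse_protocol_ack(sample), "->", classify(sample))
```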
Current thread:
- Re: Java RMI service finderprint? Gabriel Lawrence (Sep 13)
- Re: Java RMI service finderprint? Martin Holst Swende (Sep 13)