Nmap Development mailing list archives

Re: Problems writing a nmap-service-probe for jdwp (Java debug wire protocol)


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 13 Mar 2010 01:43:06 +0000

On Fri, 12 Mar 2010 18:38:59 +0100
Michael Schierl <schierlm () gmx de> wrote:

> [Please Cc: me as I am not subscribed to the list. Thanks.]

> Hello,

Hi Michael, thanks for your contribution.



> I tried to write a probe for JDWP, which you can find open in some
> corporate networks to enable people debugging services running on some
> servers (an open port in the internet might be disastrous to the
> security of the system, though, as the debugger can upload any Java
> code and run it).

Yeah this would sure be nice to detect.  I don't seem to have any hosts
with port 8000 tcpwrapped or I'd test.


> However, JDWP is quite picky about who it speaks to. The conversation
> has to start with the magic string "JDWP-Handshake", or the socket is
> closed immediately. In addition, if that string is not received within
> the first two seconds, the port is also closed.
>
> Currently, the null probe will timeout and report the port as
> tcpwrapped, and my script is not even run. When reducing the timeout
> of the null probe to 1 second for example, my probe will work (and
> detect the jdwp version just fine), but of course this is not good for
> detecting other protocols. I don't really know how I can tell nmap to
> try this probe on ports that were previously closed (tcpwrapped) when
> trying the null probe.

Well I haven't looked at the code and I suspect the NULL probe wins out
over all other probes.

Your jdwp probe did not use the "ports ..." directive.  Try adding
"ports 8000" to your probe and then move your probe *above* the NULL
probe.

As an aside, the rarity for this probe should probably be 9.  You set
the match to:

> match jdwp m|JDWP-Handshake\0\0..\0\0\0\x01\x80\x00\x00\x00\x00..([^\0\n]*)(\n[^\0]*)\0\0..\0\0..\0\0..([0-9._]+)\0\0..(.*)| p/$1/ v/$3/ i/$2\n$4/


You want to anchor this match with a ^ if possible.  Also, you make use
of '.' to match anything so I suspect you want to use the 's' flag at
the end of the match to allow . to match newlines.  Finally, you
capture the entire rest of the response with (.*).  This has a
reasonably high chance of run-away matching and then causing Nmap to
print an error that too much content was matched.  Since it becomes the
v// string, you should think about trying to restrict to something like
[a-zA-Z0-9 _-].


> Documentation for JDWP is available at
> http://java.sun.com/j2se/1.5.0/docs/guide/jpda/jdwp-spec.html
>
> The probe below sends a VirtualMachine_Version request, documented at
> http://java.sun.com/j2se/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html#JDWP_VirtualMachine_Version
>
> To try it, take any java program (which is run via the
> normal java launcher) and add
>
> -Xrunjdwp:transport=dt_socket,server=y,address=8000,suspend=n
>
> as first parameter between the java binary and the other parameters
> (class path, jar etc.) This will listen on port 8000 and not suspend
> the VM (so the program will continue running fine as long as the
> debugger does not send a suspend command).

> Regards,
>
> Michael

This is good info.  I'm thinking though that rather than a probe and
match, this would be better handled with a NSE version script.  You
could handle the tcpwrapped problem easily.  You could even send a
command to gather system info like "uname -a" if possible.

Would you be willing to convert this probe/match to a version script?
You can look at the Skype version script for a messy example of how to
write a version script.

Regards,

Brandon
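The exchange discussed above (handshake within the two-second window, then a VirtualMachine.Version request, then a match on the reply), as an added example that is not part of this thread, of Michael's probe, or of Nmap's own code. It is a small Python inventory check a defender can point at a host being audited to confirm whether a debug port is exposed and what VM answers. The packet layout follows the JDWP spec linked above; the host and port arguments and the sample reply bytes are constructed here, and the regex is Michael's match line with Brandon's three suggestions applied (anchor with ^, the 's' flag, and a bounded character class instead of the trailing `(.*)`), so it also shows that the binary decoder and the service-probe style match recover the same fields.

```python
"""JDWP exposure check: complete the handshake, request VirtualMachine.Version,
and decode the reply both structurally and with a service-probe style regex."""
import re
import socket
import struct

JDWP_HANDSHAKE = b"JDWP-Handshake"
CMDSET_VIRTUAL_MACHINE = 1   # command set 1 = VirtualMachine (per the JDWP spec)
CMD_VERSION = 1              # command 1 = Version
REPLY_FLAG = 0x80            # flags byte of a reply packet
HEADER_LEN = 11              # length(4) id(4) flags(1) cmdset+cmd or error code(2)


def build_command(packet_id, cmdset, cmd, data=b""):
    """Encode a JDWP command packet: length, id, flags=0, command set, command, data."""
    return struct.pack(">IIBBB", HEADER_LEN + len(data), packet_id, 0, cmdset, cmd) + data


def _jdwp_string(s):
    """JDWP string: 4-byte big-endian length followed by UTF-8 bytes."""
    raw = s.encode("utf-8")
    return struct.pack(">I", len(raw)) + raw


def build_version_reply(packet_id, description, major, minor, vm_version, vm_name):
    """Constructed VirtualMachine.Version reply, used only as offline sample data."""
    body = (_jdwp_string(description) + struct.pack(">ii", major, minor)
            + _jdwp_string(vm_version) + _jdwp_string(vm_name))
    return struct.pack(">IIBH", HEADER_LEN + len(body), packet_id, REPLY_FLAG, 0) + body


def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n].decode("utf-8", "replace"), off + n


def parse_version_reply(packet):
    """Decode a VirtualMachine.Version reply packet into its named fields."""
    length, packet_id, flags, error = struct.unpack_from(">IIBH", packet, 0)
    if length != len(packet) or not flags & REPLY_FLAG:
        raise ValueError("not a complete JDWP reply packet")
    if error:
        raise ValueError("JDWP error code %d" % error)
    off = HEADER_LEN
    description, off = _read_string(packet, off)
    major, minor = struct.unpack_from(">ii", packet, off)
    off += 8
    vm_version, off = _read_string(packet, off)
    vm_name, off = _read_string(packet, off)
    return {"id": packet_id, "description": description, "jdwp_major": major,
            "jdwp_minor": minor, "vm_version": vm_version, "vm_name": vm_name}


# Michael's match pattern with Brandon's changes applied: anchored with ^, compiled
# with the 's' flag (re.S) so '.' can match a length byte that happens to be 0x0a,
# and the trailing (.*) replaced by a bounded, restricted character class.
VERSION_BANNER = re.compile(
    rb"^JDWP-Handshake\0\0..\0\0\0\x01\x80\x00\x00\x00\x00..([^\0\n]*)(\n[^\0]*)"
    rb"\0\0..\0\0..\0\0..([0-9._]+)\0\0..([a-zA-Z0-9 _().-]{1,64})",
    re.S,
)


def match_version_banner(response):
    """Apply the regex to handshake echo + reply bytes; None when it is not JDWP."""
    m = VERSION_BANNER.match(response)
    if not m:
        return None
    # p/$1/ v/$3/ i/$2\n$4/ from the original match line
    return {"product": m.group(1).decode(), "version": m.group(3).decode(),
            "info": (m.group(2) + b"\n" + m.group(4)).decode()}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def probe_jdwp(host, port=8000, timeout=1.5):
    """Send the handshake right after connect (the agent drops the socket if it does
    not arrive within about two seconds), then request VirtualMachine.Version.
    Returns the parsed fields, or None if the peer does not echo the handshake."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(JDWP_HANDSHAKE)
        if _recv_exact(sock, len(JDWP_HANDSHAKE)) != JDWP_HANDSHAKE:
            return None
        sock.sendall(build_command(1, CMDSET_VIRTUAL_MACHINE, CMD_VERSION))
        header = _recv_exact(sock, HEADER_LEN)
        (length,) = struct.unpack_from(">I", header, 0)
        return parse_version_reply(header + _recv_exact(sock, length - HEADER_LEN))


if __name__ == "__main__":
    import sys
    # usage: python jdwp_check.py <host> [port]  (host/port are whatever you audit)
    print(probe_jdwp(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 8000) or "not JDWP")
```

Because the handshake is sent immediately on connect, the check is not affected by the NULL-probe timeout problem Michael describes; that is the same reason Brandon suggests an NSE version script, which can own the socket from the first byte. The bound of 64 characters on the last group is an assumption chosen for this example, not a value from the thread.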


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/