Closed b4cktr4ck2 closed 3 years ago
Hey @b4cktr4ck2,
Happy to help out! Could you try running java -jar rmiscout-1.4-SNAPSHOT-all.jar list <IP> <PORT>? RMIScout automatically bypasses cert validation, but that error could occur if there is an unrecognized protocol (e.g., non-RMI). As the error message indicated, it's possible the remote service uses IIOP (usually runs on port 1050). You will need to run RMIScout with JRE 8 to use the IIOP feature.
If the above command doesn't help, try nmap --script rmi-dumpregistry <IP> -p <PORT> -Pn, which is the nmap equivalent.
Let me know what you find!
Jake
Hey Jake- sure thing! I ran the command you recommended and got the following message from rmiscout:
Server is offline or does not use RMI, RMI-SSL, or RMI-IIOP.
What's interesting is that the nmap script doesn't return any data either- the only way I can get data from this port is from the "Fingerprint-Strings" script, which returns:
PORT STATE SERVICE REASON VERSION
11099/tcp open java-object syn-ack Java Object Serialization
| fingerprint-strings:
| NULL:
| java.rmi.MarshalledObject|
| hash[
| locBytest
| objBytesq
| %http://HOSTNAME.LOCAL:18083/q
| org.jnp.server.NamingServer_Stub
| java.rmi.server.RemoteStub
| java.rmi.server.RemoteObject
| xpwB
| UnicastRef2
Additionally, I noticed that when attempting to curl the host on port 11099, I receive an error message stating something about an sslv3 invalid handshake...I know my OpenSSL version was built without SSLV3 support- is it possible that this is the issue? The server doesn't support TLSv1.0 or anything newer than SSLv3.
Cheers!
So, I did a little research. This appears to be a deprecated JBOSS JNDI service. I verified this via a local install of an older version of JBOSS (using https://hub.docker.com/r/paulosalgado/jboss5). This was the response I got from the 1099 port:
��srjava.rmi.MarshalledObject|���c�>IhashlocBytest[BobjBytesq~xp4m�ur[B��T�xp*��thttp://server:8083/q~q~uq~ì�sr org.jnp.server.NamingServer_Stubxr�java.rmi.server.RemoteStub���ɋ�e�xrjava.rmi.server.RemoteObject�a��
a3xpw7
UnicastRef2
9f704f1eadebJh��DAx/p$q�uv�1�=�x^C
References:
There wasn't much information, but from what I can find, this JNDI service provides a connection stub for other services. It's a non-JRMP service, not an rmiregistry, and I'm not sure if it's even an interactive service, so unfortunately RMIScout won't be able to help you with this endpoint. I believe it's targeted at JMX remote management and that the 18083 port above may be a more interesting service.
There is some guidance on connecting to/attacking JMX services here:
Best of luck! :)
(Closing the ticket, as this particular service returns a JNDI stub and is not an RMI service.)
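To illustrate the distinction made above between an rmiregistry (which speaks JRMP) and this JBoss JNP endpoint (which volunteers a serialized JNDI stub on connect), here is an added Python example that is not part of RMIScout or this thread: it classifies the first bytes a Java service sends and pulls out the class names and codebase URL, much as nmap's fingerprint-strings did. The magic values come from the Java RMI and serialization specifications; the sample banner is constructed from the thread's output, not captured bytes.

```python
import re
import socket

JRMP_MAGIC = b"JRMI"                # JRMP transport magic; what an rmiregistry speaks
SERIAL_MAGIC = b"\xac\xed\x00\x05"  # ObjectOutputStream STREAM_MAGIC + STREAM_VERSION
CLASS_RE = re.compile(rb"(?:[A-Za-z_$][\w$]*\.){2,}[A-Za-z_$][\w$]*")  # dotted Java class names
URL_RE = re.compile(rb"https?://[\w.\-]+(?::\d+)?/?")                # codebase annotations

def classify(first_bytes):
    """Return (protocol, class_names, codebase_urls) for bytes a service volunteers on connect."""
    if first_bytes.startswith(JRMP_MAGIC):
        proto = "jrmp"
    elif first_bytes.startswith(SERIAL_MAGIC):
        proto = "java-serialization"   # raw ObjectOutputStream, e.g. a JBoss JNP NamingServer stub
    else:
        proto = "unknown"
    classes = []
    for m in CLASS_RE.finditer(first_bytes):
        name = m.group().decode("ascii")
        if name not in classes:          # keep first-seen order, drop repeats
            classes.append(name)
    urls = [m.group().decode("ascii") for m in URL_RE.finditer(first_bytes)]
    return proto, classes, urls

def is_jndi_stub(first_bytes):
    """True for a serialized MarshalledObject wrapping a *_Stub: a JNDI/JNP stub, not an RMI registry."""
    proto, classes, _ = classify(first_bytes)
    return (proto == "java-serialization" and "java.rmi.MarshalledObject" in classes
            and any(c.endswith("_Stub") for c in classes))

def grab_banner(host, port, timeout=3.0):
    """Read whatever the service sends unprompted (the equivalent of nmap's NULL probe)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""                   # silent on connect: an RMI registry waits for "JRMI"

# Constructed sample banner modelled on the thread's nmap output; not real captured bytes.
JNP_BANNER = (SERIAL_MAGIC + b"sr\x00\x19java.rmi.MarshalledObject|\xbd\x1e\x97\xedc~\xe2>\x02\x00\x03"
    b"I\x00\x04hash[\x00\x08locBytest\x00\x02[B[\x00\x08objBytesq\x00~\x00\x01xp"
    b"t\x00\x15http://server:8083/q\x00~\x00\x02"
    b"sr\x00 org.jnp.server.NamingServer_Stub\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x00"
    b"xr\x00\x1ajava.rmi.server.RemoteStub\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x00"
    b"xr\x00\x1cjava.rmi.server.RemoteObject\x00\x00\x00\x00\x00\x00\x00\x01\x03\x00\x00"
    b"xpw\x0bUnicastRef2\x00")
JRMP_BANNER = JRMP_MAGIC + b"\x00\x02\x4b"  # JRMP version 2, StreamProtocol handshake
```

Running classify(grab_banner(host, port)) against an inventory of Java listeners separates registries RMIScout can enumerate from legacy JNP stubs that only point at another codebase.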
Thanks for the insight Jake!
Hello,
I've identified a running RMI instance on a host, however when I try to run rmiscout against the host I receive the following message:
Is there a way to bypass or ignore SSL errors when connecting? I tried re-running with --activation server which provided the same message.
The command I'm running is: