BishopFox / rmiscout

RMIScout uses wordlist and bruteforce strategies to enumerate Java RMI functions and exploit RMI parameter unmarshalling vulnerabilities
https://labs.bishopfox.com/tech-blog/rmiscout
MIT License

javax.net.ssl.SSLException: Unsupported or unrecognized SSL message #9

Closed b4cktr4ck2 closed 3 years ago

b4cktr4ck2 commented 3 years ago

Hello,

I've identified a running RMI instance on a host, however when I try to run rmiscout against the host I receive the following message:

Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
java.lang.ClassNotFoundException: com.sun.corba.se.spi.logging.LogWrapperBase
        at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)
        at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
        at java.base/java.lang.Class.forName0(Native Method)
        at java.base/java.lang.Class.forName(Class.java:315)
        at com.bishopfox.rmiscout.RMIScout.disableAccessWarnings(RMIScout.java:75)
        at com.bishopfox.rmiscout.RMIScout.main(RMIScout.java:170)
[INFO] No registry specified. Attempting operation on all available registries...
[ERROR] error during JRMP connection establishment; nested exception is:
        javax.net.ssl.SSLException: Unsupported or unrecognized SSL message
Might be RMI-IIOP (--iiop) or server might use non-standard protocol.

Is there a way to bypass or ignore SSL errors when connecting? I tried re-running with --activation server which provided the same message.

The command I'm running is:

java -jar rmiscout-1.4-SNAPSHOT-all.jar wordlist -i prototypes.txt x.x.x.x rmi_port#

the-bumble commented 3 years ago

Hey @b4cktr4ck2,

Happy to help out! Could you try running java -jar rmiscout-1.4-SNAPSHOT-all.jar list <IP> <PORT>? RMIScout automatically bypasses cert validation, but that error could occur if there is unrecognized protocol (e.g., non-RMI). As the error message indicated, it's possible the remote service uses IIOP (usually runs on port 1050). You will need to run RMIScout with JRE 8 to use the IIOP feature.

If the above command doesn't help, try nmap --script rmi-dumpregistry <IP> -p <PORT> -Pn, which is the nmap equivalent.

Let me know what you find!

Jake

b4cktr4ck2 commented 3 years ago

Hey Jake, sure thing! I ran the command you recommended and got the following message from rmiscout:

Server is offline or does not use RMI, RMI-SSL, or RMI-IIOP.

What's interesting is that the nmap script doesn't return any data either; the only way I can get data from this port is from the "fingerprint-strings" script, which returns:

PORT      STATE SERVICE     REASON  VERSION
11099/tcp open  java-object syn-ack Java Object Serialization
| fingerprint-strings: 
|   NULL: 
|     java.rmi.MarshalledObject|
|     hash[
|     locBytest
|     objBytesq
|     %http://HOSTNAME.LOCAL:18083/q
|     org.jnp.server.NamingServer_Stub
|     java.rmi.server.RemoteStub
|     java.rmi.server.RemoteObject
|     xpwB
|     UnicastRef2

Additionally, I noticed that when attempting to curl the host on port 11099, I receive an error message stating something about an sslv3 invalid handshake... I know my OpenSSL version was built without SSLv3 support. Is it possible that this is the issue? The server doesn't support TLSv1.0 or anything newer than SSLv3.

Cheers!

the-bumble commented 3 years ago

So, I did a little research. This appears to be a deprecated JBOSS JNDI service. I verified this via a local install of an older version of JBOSS (using https://hub.docker.com/r/paulosalgado/jboss5). This was the response I got from the 1099 port:

��srjava.rmi.MarshalledObject|���c�>IhashlocBytest[BobjBytesq~xp4m�ur[B��T�xp*��thttp://server:8083/q~q~uq~ì�sr org.jnp.server.NamingServer_Stubxr�java.rmi.server.RemoteStub���ɋ�e�xrjava.rmi.server.RemoteObject�a��
                 a3xpw7
  UnicastRef2
             9f704f1eadebJh��DAx/p$q�uv�1�=�x^C

References:

There wasn't much information, but from what I can find, this JNDI service provides a connection stub for other services. It's a non-JRMP service, not an rmiregistry, and I'm not sure if it's even an interactive service, so unfortunately RMIScout won't be able to help you with this endpoint. I believe it's targeted at JMX remote management and that 18083 port above may be a more interesting service.

There is some guidance on connecting to/attacking JMX services here:

Best of luck! :)

(Closing the ticket, as this particular service returns a JNDI stub and is not an RMI service.)
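
As an added illustration (not code from RMIScout or from anyone in this thread): a small Python classifier that applies the reasoning above to an unsolicited banner. It pulls class descriptor names out of a Java serialization stream and, when a `java.rmi.MarshalledObject` wraps a `_Stub` class, labels the endpoint a naming stub rather than an RMI registry. The sample banner is constructed from the class names seen in the dump, not a real capture.

```python
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # ObjectStreamConstants: STREAM_MAGIC + STREAM_VERSION
TC_CLASSDESC = 0x72                 # the "r" of the "sr" pairs visible in the dump above
_CLASS_NAME = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]*$")


def class_names(blob: bytes) -> list:
    """Heuristically collect class descriptor names from a serialization stream.

    At each TC_CLASSDESC byte, read the 2-byte big-endian length of the class
    name and keep it if it looks like a Java identifier. The rest of the class
    descriptor (serialVersionUID, flags, fields) is not parsed; for fingerprinting
    a banner this is enough, but a stray 0x72 elsewhere can produce a false hit.
    """
    names, i = [], 0
    while i + 3 <= len(blob):
        if blob[i] == TC_CLASSDESC:
            (n,) = struct.unpack_from(">H", blob, i + 1)
            cand = blob[i + 3:i + 3 + n]
            if 0 < n <= 255 and len(cand) == n and _CLASS_NAME.match(cand.decode("ascii", "replace")):
                names.append(cand.decode("ascii"))
                i += 3 + n  # skip past the name so its own bytes are not rescanned
                continue
        i += 1
    return names


def classify(blob: bytes) -> str:
    """Label a banner the way the thread reasons: a pushed MarshalledObject
    carrying a *_Stub class is a naming stub, not a JRMP registry (which
    would not send serialized data unsolicited)."""
    if not blob.startswith(STREAM_MAGIC):
        return "not a Java serialization stream"
    names = class_names(blob)
    has_stub = any(n.endswith("_Stub") for n in names)
    if "java.rmi.MarshalledObject" in names and has_stub:
        return "serialized naming stub (JNDI/JNP-style, not an RMI registry)"
    return "serialized RMI stub" if has_stub else "Java serialized object"


def _classdesc(name: str) -> bytes:
    # Constructed TC_CLASSDESC: name, fake 8-byte serialVersionUID, flags, zero fields.
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name.encode() + b"\x00" * 8 + b"\x02\x00\x00"


# Constructed stand-in for the banner quoted in the thread (not a real capture).
SAMPLE_BANNER = (
    STREAM_MAGIC + b"\x73" + _classdesc("java.rmi.MarshalledObject")
    + b"\x73" + _classdesc("org.jnp.server.NamingServer_Stub")
    + _classdesc("java.rmi.server.RemoteStub") + _classdesc("java.rmi.server.RemoteObject")
)
```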

b4cktr4ck2 commented 3 years ago

Thanks for the insight Jake!