qtc-de / beanshooter

JMX enumeration and attacking tool.
GNU General Public License v3.0

Beanshooter doesn't handle exceptions when brute forcing #13

Closed JustinMoorcroft closed 1 year ago

JustinMoorcroft commented 2 years ago

First of all, thank you so much for this tool!

I am getting an issue with the latest version when running the brute command. If it fails the first login attempt, it doesn't handle the exception and then continue to the next attempt. Here is some output:

java -jar beanshooter-3.0.0-rc.2-jar-with-dependencies.jar brute [IP] [PORT]

Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[+] Reading wordlists for the brute action.
[+]     Reading credentials from internal wordlist.
[+]
[+] Starting bruteforce attack with 10 credentials.
[+]
[-]     Caught unexpected SecurityException while connecting to the specified JMX service.
[-]     StackTrace:
java.lang.SecurityException: User [] from host null does not have administration access
        at com.sun.enterprise.container.common.GenericAdminAuthenticator.authenticate(GenericAdminAuthenticator.java:574)
        at org.glassfish.admin.mbeanserver.ConnectorStarter$1.authenticate(ConnectorStarter.java:124)
        at javax.management.remote.rmi.RMIServerImpl.doNewClient(RMIServerImpl.java:232)
        at javax.management.remote.rmi.RMIServerImpl.newClient(RMIServerImpl.java:199)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357)
        at sun.rmi.transport.Transport$1.run(Transport.java:200)
        at sun.rmi.transport.Transport$1.run(Transport.java:197)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
        at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573)
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:834)
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
        at java.rmi/sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:303)
        at java.rmi/sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:279)
        at java.rmi/sun.rmi.server.UnicastRef.invoke(UnicastRef.java:164)
        at java.management.rmi/javax.management.remote.rmi.RMIServerImpl_Stub.newClient(Unknown Source)
        at java.management.rmi/javax.management.remote.rmi.RMIConnector.getConnection(RMIConnector.java:2105)
        at java.management.rmi/javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:321)
        at java.management.rmi/javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:265)
        at de.qtc.beanshooter.plugin.providers.RMIProvider.getMBeanServerConnection(RMIProvider.java:66)
        at de.qtc.beanshooter.plugin.PluginSystem.getMBeanServerConnectionUmanaged(PluginSystem.java:205)
        at de.qtc.beanshooter.operation.EnumHelper.requriesLogin(EnumHelper.java:467)
        at de.qtc.beanshooter.operation.CredentialGuesser.startGuessing(CredentialGuesser.java:61)
        at de.qtc.beanshooter.operation.Dispatcher.brute(Dispatcher.java:279)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at de.qtc.beanshooter.operation.BeanshooterOperation.invoke(BeanshooterOperation.java:301)
        at de.qtc.beanshooter.Starter.main(Starter.java:22)
[-]     Cannot continue from here.

qtc-de commented 2 years ago

Hi Justin,

thanks for reporting and the overall feedback on beanshooter :heart:

The problem or idea behind this behavior was that beanshooter only handles SecurityExceptions that are "well known". By "well known" I mean exceptions where it is known what was causing the exception (wrong credentials, wrong SASL mechanism, ...). The GenericAdminAuthenticator that appears in your stack trace is non-default and was therefore not included.

However, from your issue I noticed that this behavior is not optimal, as it is impossible for users to continue execution in such cases. I will think about a proper solution and resolve this in the near future :)

qtc-de commented 2 years ago

Hi Justin,

the issue should be resolved on the develop branch. Can you give it a try and check whether it works? beanshooter should now ask whether it should continue during the brute action. It may even ask twice, but this is intended.

Here are some thoughts on the design decisions: The easiest way to resolve your issue would be to treat each uncommon SecurityException as an authentication related exception and to continue bruteforcing. However, in this case, we may miss some important details. E.g. the SecurityException could be raised because our IP address is not allowed to connect. Or it could be the case that the authentication actually worked, but the server expected an additional parameter within the initial JMX environment (like a domain or realm). In these cases, just continuing the bruteforce would make no sense. Therefore, the user is asked whether continuation is desired. The user can also display the stacktrace details within the confirmation prompt.

If the fix works, please keep the issue open. I will close it once merged to the main branch. If the fix does not work, please report the new error again :D
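The exception-handling design described in the comment above, written out as an added illustration; this is not beanshooter's own code and does not reproduce how the project implements it. It uses only the standard `javax.management.remote` API: a login attempt either succeeds, fails with the SecurityException the JDK's built-in JMXPluggableAuthenticator raises for bad credentials (its messages start with "Authentication failed!"), or fails with some other SecurityException whose cause is unknown (IP restrictions, a non-default authenticator such as the GlassFish one in the stack trace, a missing realm parameter). Only the known case is silently treated as "next candidate"; the unknown case stops and asks the operator, who can print the stack trace before deciding. The service URL, the candidate credentials and the class/method names are all placeholders chosen for this example.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Scanner;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

// Hypothetical example class; names are assumptions, not beanshooter's API.
public class JmxLoginOutcomeExample {

    enum Outcome { SUCCESS, WRONG_CREDENTIALS, UNEXPECTED }

    // Prefix used by the JDK's default JMXPluggableAuthenticator for failed logins.
    static final String KNOWN_AUTH_FAILURE_PREFIX = "Authentication failed!";

    // Decide whether a SecurityException is the "well known" bad-credentials case.
    static Outcome classify(SecurityException e) {
        String msg = e.getMessage() == null ? "" : e.getMessage();
        return msg.startsWith(KNOWN_AUTH_FAILURE_PREFIX) ? Outcome.WRONG_CREDENTIALS : Outcome.UNEXPECTED;
    }

    // One login attempt against the given JMX service URL.
    static Outcome tryLogin(JMXServiceURL url, String user, String pass, SecurityException[] holder)
            throws IOException {
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] { user, pass });
        try (JMXConnector connector = JMXConnectorFactory.connect(url, env)) {
            connector.getMBeanServerConnection().getDefaultDomain();
            return Outcome.SUCCESS;
        } catch (SecurityException e) {
            holder[0] = e;            // keep the exception so the operator can inspect it
            return classify(e);
        }
    }

    // Ask the operator what to do with an exception we cannot interpret.
    // Returns true to continue with the next candidate, false to stop.
    static boolean askToContinue(SecurityException e, Scanner in) {
        System.out.println("[-] Caught unexpected SecurityException: " + e.getMessage());
        while (true) {
            System.out.print("[?] [c]ontinue, [s]how stack trace, [a]bort: ");
            String answer = in.hasNextLine() ? in.nextLine().trim().toLowerCase() : "a";
            switch (answer) {
                case "c": return true;
                case "s": e.printStackTrace(System.out); break;   // then ask again
                case "a": return false;
                default: break;
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Placeholder target; replace with a service you are authorized to test.
        JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://127.0.0.1:9010/jmxrmi");
        // Constructed sample candidates for the walkthrough.
        List<String[]> candidates = List.of(new String[] { "admin", "admin" }, new String[] { "monitor", "monitor" });
        Scanner in = new Scanner(System.in);

        for (String[] cred : candidates) {
            SecurityException[] holder = new SecurityException[1];
            Outcome outcome = tryLogin(url, cred[0], cred[1], holder);
            switch (outcome) {
                case SUCCESS:
                    System.out.println("[+] Login succeeded with user " + cred[0]);
                    return;
                case WRONG_CREDENTIALS:
                    System.out.println("[-] Wrong credentials for user " + cred[0]);
                    break;                 // well known case: silently try the next candidate
                case UNEXPECTED:
                    if (!askToContinue(holder[0], in)) {
                        System.out.println("[-] Cannot continue from here.");
                        return;
                    }
                    break;
            }
        }
        System.out.println("[+] No candidate succeeded.");
    }
}
```

Matching on the exception message is deliberately narrow: anything that does not carry the JDK prefix is surfaced rather than guessed at, which is what prevents a blocked IP or a missing realm parameter from being misreported as ten wrong passwords. The prompt may be shown more than once per run, once per unexpected exception, which matches the "may even ask twice" behaviour mentioned above.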

qtc-de commented 1 year ago

Closed by #16