mailing list archives
Re: Java RMI service finderprint?
From: Gabriel Lawrence <gabriel.lawrence () gmail com>
Date: Tue, 14 Jun 2011 08:22:02 -0700
So right. The standard RMI registry is going to be on 1099. And it sort of
makes sense there.
The interesting aspect, and one very useful, is that the JMX interfaces use
an arbitrary user assigned port for its listener. Turns out this listener is
just a special RMI Registry so connecting to it and dumping it using the
rmi-dumpregistry script turns out to be very useful. JMX can expose the
internal state of a service and allow for remote changes to that service.
Finding instances of this misconfigured listening to anything and willing to
talk unauthenticated or lamely authenticated is a valuable thing for someone
doing a security audit of a site.
I understand that the nmap team is looking at ways to scale scans
massively... I also get with service fingerprinting that sending lots of
strange junk at certain ports has unwanted results (see printers), but I
also think that the expectation of a user using service fingerprinting is
that nmap is trying everything reasonable against a service. Maybe this is
an opportunity to add a flag to ignore ports and try all service
fingerprints against a listener that didn't fingerprint in the original
pass? I'm trying to think of ways to balance the expectation an auditor
focusing on one site has vs the need to be able to scan an
entire organization in a reasonable timeframe...
BTW, Martin great script! Thanks for putting it together!
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
Re: Java RMI service finderprint? Patrik Karlsson (Jun 14)