Nmap Development mailing list archives

Re: Java RMI service fingerprint?


From: Gabriel Lawrence <gabriel.lawrence () gmail com>
Date: Tue, 13 Sep 2011 17:01:42 -0700

Hey guys,

I've made some changes to this that make it work in more situations and make
it cleaner when anonymous access is on. The older version would succeed for
everything in your brute force dictionary when anonymous was on... making
for some really big result sets. Doh.

This tar includes a modified rmi.lua, modified rmi-dumpregistry.nse and a
new rmi-jmx.nse.

Let me know what you think.

gabe

On Thu, Jun 30, 2011 at 10:28 AM, Gabriel Lawrence <gabriel.lawrence () gmail com> wrote:

Martin,

I'm illogical ;-) I've got a modified rmi.lua and rmi-jmx.nse that will
bruteforce JMX logins.

I've attached a tar file of the three scripts for you to take a look at. I
need to do some cleanup and commenting still, but it works for me.

Let me know what you think. I'd like to submit this back to nmap, but with
the changes I made to ssl-enum-ciphers getting totally ignored I'm not
sure the best way to make sure that this effort gets used. Hopefully, if you
support this it will be easy to get it in.

To get this to work, I had to modify the rmi.lua library a bit. It had some
specific stuff that was only accurate for the RMI Registry calls that it was
doing, so I cleaned that up and I added a few more argument types to support
the login.

It first tries to login anonymously, then it uses the brute library
to brute-force its way through things.

Assuming you think this looks reasonable, I'll clean it up a bit and add
some comments and send it to the list.

Below is output:

glawrenc@glawrenc-linux:/usr/local/share/nmap$ nmap -sV -p9999 -script=rmi-jmx localhost

Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-06-30 10:24 PDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000097s latency).
PORT     STATE SERVICE VERSION
9999/tcp open  rmi     Java RMI Registry
| rmi-jmx:
|   JMX Version: 1.0 java_runtime_1.6.0_20-b20
|   Anonymous access denied.
|   guest:gt access to JMX Service
|   Beans
|_    JMImplementation:type=MBeanServerDelegate

Cheers,
gabe

On Tue, Jun 14, 2011 at 10:37 AM, Martin Holst Swende <martin () swende se> wrote:



The 'next step', which I started at, would be to write an
authentication-script for the jmx-connector, and use the bruteforce
library to perform credentials guessing against the jmx service. I
abandoned it for other things (as I recall it, authentication is a
multistep process where the return values of the first call must be
handled correctly - which was not trivial. Writing a bruteforcer based
on java seemed much more logical, so I kind of let it go) - but I may
make another effort, it would be pretty cool to have around.



Attachment: rmistuff.tar

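An added example, not code from the post or from the Nmap project: a small Python triage parser for the rmi-jmx output format shown above as it appears in nmap normal output, flagging hosts where the script reported anonymous or guessed-credential access to JMX. It assumes the script's "Anonymous access" line reads something other than "denied" when anonymous login worked; the sample text is constructed from the lines in the post.

```python
"""Triage rmi-jmx findings from nmap normal (-oN) output."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the output format shown in the post
# (version line, anonymous-access line, user:pass line, bean list).
SAMPLE = """\
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000097s latency).
PORT     STATE SERVICE VERSION
9999/tcp open  rmi     Java RMI Registry
| rmi-jmx:
|   JMX Version: 1.0 java_runtime_1.6.0_20-b20
|   Anonymous access denied.
|   guest:gt access to JMX Service
|   Beans
|     java.lang:type=Runtime
|     Catalina:type=Server
|_    JMImplementation:type=MBeanServerDelegate
"""

@dataclass
class JmxFinding:
    host: str
    port: int
    version: str = ""
    anonymous: bool = False            # True if anonymous login was reported as working
    credentials: list = field(default_factory=list)   # (user, password) pairs the script got in with
    beans: list = field(default_factory=list)

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open")
CRED_RE = re.compile(r"^\|\s+(\S+?):(\S*) access to JMX Service")

def parse_rmi_jmx(text):
    """Return one JmxFinding per rmi-jmx block found in the scan output."""
    findings, host, port, cur, in_beans = [], None, None, None, False
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, cur = m.group(1), None
        elif m := PORT_RE.match(line):
            port, cur = int(m.group(1)), None
        elif line.startswith("| rmi-jmx:"):
            cur = JmxFinding(host, port); findings.append(cur); in_beans = False
        elif cur is None:
            continue                   # not inside an rmi-jmx block
        elif line.startswith("|   JMX Version:"):
            cur.version = line.split(":", 1)[1].strip()
        elif "Anonymous access" in line:
            cur.anonymous = "denied" not in line   # assumption about the script's wording
        elif m := CRED_RE.match(line):
            cur.credentials.append((m.group(1), m.group(2)))
        elif line.strip() == "|   Beans":
            in_beans = True
        elif in_beans and (line.startswith("|     ") or line.startswith("|_")):
            cur.beans.append(line.lstrip("|_ ").strip())
        if line.startswith("|_"):      # "|_" closes the script block in nmap output
            cur, in_beans = None, False
    return findings

def weak_auth(findings):
    """Findings that need follow-up: anonymous access or a guessed login."""
    return [f for f in findings if f.anonymous or f.credentials]
```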
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
