RMI can run on any nonstandard port. When RMI is running you will observe one more endpoint port connected to it (find it easily with nmap by running the rmi-dumpregistry script).

#The jmxrmi bound name and its signatures might be vulnerable to the MLet MBean vulnerability, where an MBean can be used for loading additional MBeans over the network.
java.lang.String getVersion()
javax.management.remote.rmi.RMIConnection newClient(java.lang.Object arg)

Java RMI Registry - Port 1616
nmap -Pn -sS -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p 1616 <target>

BaRMIe
#Download the package from releases
https://github.com/NickstaDB/BaRMIe/releases/tag/v1.01
java -jar BaRMIe.jar -enum 192.168.1.11 5000
java -jar BaRMIe.jar -attack 192.168.1.11 5000

Remote Method Guesser
https://github.com/qtc-de/remote-method-guesser
java -jar rmg-3.0.0-jar-with-dependencies.jar 10.10.10.10 5000 enum #Look for Vulnerabilities
java -jar rmg.jar enum 10.10.10.10 5000 #Get bound names & available method
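For reviewing scan results from your own hosts, this added example (not part of the original notes) parses rmi-dumpregistry output, lists each bound name, flags a JMX connector, and reports the separate endpoint port so that both ports are covered by firewall rules. The sample output, the address 192.0.2.10 and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout nmap's rmi-dumpregistry script prints;
# 192.0.2.10 is a documentation address, not a real host.
SAMPLE = """\
PORT     STATE SERVICE
1616/tcp open  java-rmi
| rmi-dumpregistry:
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @192.0.2.10:41104
|     extends
|_      java.rmi.server.RemoteStub
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open")
ENDPOINT_RE = re.compile(r"^@([\w.\-]+):(\d+)$")

def parse_registry(text):
    # One dict per bound name: registry port, stub class, object endpoint.
    entries, port, in_script = [], None, False
    for raw in text.splitlines():
        m = PORT_RE.match(raw)
        if m:
            port, in_script = int(m.group(1)), False
            continue
        if not raw.startswith("|"):
            in_script = False
            continue
        body = raw.replace("|_", "| ", 1)[1:]   # normalise nmap's last-line marker
        indent, item = len(body) - len(body.lstrip()), body.strip()
        if indent == 1:                          # script header line
            in_script = item == "rmi-dumpregistry:"
        elif in_script and indent == 3:          # a bound name
            entries.append({"port": port, "name": item, "stub": None, "endpoint": None})
        elif in_script and indent == 5 and entries:
            ep = ENDPOINT_RE.match(item)
            if ep:
                entries[-1]["endpoint"] = (ep.group(1), int(ep.group(2)))
            elif entries[-1]["stub"] is None and item not in ("extends", "implements"):
                entries[-1]["stub"] = item
    return entries

def findings(entries):
    out = []
    for e in entries:
        if e["name"] == "jmxrmi" or (e["stub"] or "").startswith("javax.management.remote.rmi."):
            out.append(f"{e['name']}: JMX connector exposed via registry port {e['port']}")
        if e["endpoint"] and e["endpoint"][1] != e["port"]:
            out.append(f"{e['name']}: object endpoint on separate port {e['endpoint'][1]}")
    return out
```

Calling `findings(parse_registry(SAMPLE))` returns one line for the exposed JMX connector and one for the second port.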