This article explains the RMI interfaces you might encounter during infrastructure penetration testing. Since the whole topic I'd like to cover is a bit long, I've split it into two parts. In this part, I'll briefly explain what RMI interfaces are, how to create one for testing purposes, and how to build an RMI client manually to invoke remote methods. The attack part is described in the second part of this post, which can be found here.

Also, these articles are about native RMI registries. There are also popular JMXRMI registries, which are somewhat different. I am planning to release a separate article about JMX which will cover JMXRMI among other ways to interact with Java Management Extensions. So in short, what I'll describe here is:

  • What are RMI Interfaces
  • How to build an RMI Interface from source (code included)
  • What information about an RMI Interface can be obtained using an Nmap scan
  • How to build an RMI Client (and what you need to know to build one)
  • What the typical issues / stack traces are when dealing with RMI, and what might cause them

What is Java RMI

A Java RMI server is a virtual entity exposed over the network that allows remote parties (clients) to execute methods on the system where it runs (technically, on a JVM running on that system). It's nothing exceptional in the programming world, where similar concepts like Remote Procedure Call (RPC) are widely used.

Thus, by running an exposed RMI Server on a system, one can allow external actors to interact with it and possibly execute methods on the RMI Server. These methods should be defined within the Server implementation. Once they are called by a client, they are executed on the Server and the return values are sent back to the client. Another interesting part is that native RMI (again, I am NOT talking about JMXRMI) does not offer much in the way of security apart from encrypting the connection using SSL. [1]

The architecture of an RMI interface is presented below:

https://www.assignmentpoint.com/wp-content/uploads/2020/07/Remote-Method-Invocation.jpg

The names “stub” and “skeleton” might be confusing at first sight, but they are simply what the “client” and “server” parts of the remote object are called.

A stub is a class that implements the remote interface and serves as a client-side placeholder for the remote object. A skeleton, on the other hand, is a server-side entity that dispatches calls to the actual implementation of the remote object.
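To make the stub/skeleton split concrete, here is a small lab program, added as an illustration and not taken from the original article. It exports a remote object, binds it in a registry and looks it up again, showing that the client only ever holds a stub. The names `StubDemo`, `Greeter`, `GreeterImpl`, the bind name `greeter` and port 10990 are assumptions, and everything is bound to loopback; on current JVMs the stub is a dynamic proxy and the skeleton role is played by the RMI runtime's dispatcher.

```java
import java.lang.reflect.Proxy;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.UnicastRemoteObject;

public class StubDemo {
    // Remote interface: the only type the client needs to know (hypothetical name).
    public interface Greeter extends Remote {
        String greet(String caller) throws RemoteException;
    }

    // Implementation: exists only on the server side; its body runs there.
    static class GreeterImpl implements Greeter {
        public String greet(String caller) {
            return "hello " + caller + " from server thread " + Thread.currentThread().getName();
        }
    }

    public static void main(String[] args) throws Exception {
        int port = 10990; // arbitrary lab port (assumption)
        // Keep the lab registry and the exported object on loopback only.
        System.setProperty("java.rmi.server.hostname", "127.0.0.1");
        RMIServerSocketFactory loopback =
            p -> new ServerSocket(p, 0, InetAddress.getLoopbackAddress());

        // Server side: export the object and bind its stub under a name.
        Greeter impl = new GreeterImpl();
        Greeter exported = (Greeter) UnicastRemoteObject.exportObject(impl, 0, null, loopback);
        Registry registry = LocateRegistry.createRegistry(port, null, loopback);
        registry.bind("greeter", exported);

        // Client side: the lookup returns the stub, never GreeterImpl itself.
        Greeter stub = (Greeter) LocateRegistry.getRegistry("127.0.0.1", port).lookup("greeter");
        System.out.println("is dynamic proxy: " + Proxy.isProxyClass(stub.getClass()));
        System.out.println("stub: " + stub); // includes the endpoint the stub connects to
        System.out.println(stub.greet("client")); // call travels over TCP to the dispatcher

        // Unexport both objects so the JVM can exit.
        UnicastRemoteObject.unexportObject(registry, true);
        UnicastRemoteObject.unexportObject(impl, true);
    }
}
```

The thread name in the returned string belongs to the RMI connection handler, which shows that the method body ran on the server side of the connection even though both halves share one JVM here.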


Java RMI for pentesters: structure, recon and communication (non-JMX Registries).