Seamus Quitzon

1603604700

Java RMI for pentesters: structure, recon and communication (non-JMX Registries).

This article explains the RMI interfaces you might encounter during infrastructure penetration testing. Since the whole topic I’d like to cover is a bit long, I’ve split it into two parts. In this part, I’ll briefly explain what RMI interfaces are, how to create one for testing purposes, and how to build an RMI client manually to invoke remote methods. The attack part is described in the second part of this post, which can be found here.

Also, these articles are about native RMI registries. There are also popular JMXRMI registries, which are somewhat different. I am planning to release a separate article about JMX which will cover JMXRMI among other ways to interact with Java Management Extensions. So in short, what I’ll describe here is:

  • What are RMI Interfaces
  • How to build an RMI Interface from source (code included)
  • What information about an RMI Interface can be obtained using Nmap scan
  • How to build an RMI Client (and what you need to know to build one)
  • Typical issues / stack traces when dealing with RMI, and what their causes might be

What is Java RMI

A Java RMI server is a virtual entity exposed over the network that allows remote parties (clients) to execute methods on the system on which it is running (technically, in a JVM running on that system). It’s nothing exceptional in the programming world, where similar concepts like Remote Procedure Call (RPC) are widely used.

Thus, by running an exposed RMI server on a system, one allows external actors to interact with it and possibly execute methods on it. These methods should be defined within the server implementation. Once a client calls them, they are executed on the server and the return values are sent back to the client. Another interesting part is that native RMI (again, I am NOT talking about JMXRMI) offers little in the way of security apart from encrypting the connection using SSL. [1]

The architecture of an RMI interface is presented below:

https://www.assignmentpoint.com/wp-content/uploads/2020/07/Remote-Method-Invocation.jpg

The names “stub” and “skeleton” might be confusing at first sight, but they are simply what the “client” and “server” parts of the remote object are called.

A stub is a class that implements the remote interface and serves as a client-side placeholder for the remote object. A skeleton, on the other hand, is a server-side entity that dispatches calls to the actual implementation of the remote object.
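The stub/server split described above can be observed in a single-JVM lab. This is an added example, not the article author's code: the names RmiLabDemo, VersionService, VersionServiceImpl and the bound name are assumptions, and port 11099 simply matches the one in the nmap command later on this page.

```java
import java.lang.reflect.Proxy;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import java.util.Arrays;

public class RmiLabDemo {
    // Remote interface: the contract shared by client and server (hypothetical name).
    public interface VersionService extends Remote {
        String getVersion() throws RemoteException;
    }

    // Server-side implementation; its body only ever runs in the server JVM.
    static class VersionServiceImpl implements VersionService {
        public String getVersion() { return "lab-1.0"; }
    }

    public static void main(String[] args) throws Exception {
        // Address embedded in stubs; set to loopback so the demo works whatever the
        // machine's hostname is. It does NOT restrict which interface the ports listen on.
        System.setProperty("java.rmi.server.hostname", "127.0.0.1");

        // --- server side ---
        Registry registry = LocateRegistry.createRegistry(11099);
        VersionServiceImpl impl = new VersionServiceImpl();
        // exportObject opens a listening port (0 = any free port) and returns the stub.
        VersionService exported = (VersionService) UnicastRemoteObject.exportObject(impl, 0);
        registry.bind("VersionService", exported);

        // --- client side ---
        Registry remote = LocateRegistry.getRegistry("127.0.0.1", 11099);
        // Bound names are readable by anyone who can reach the registry port.
        System.out.println("bound names: " + Arrays.toString(remote.list()));
        VersionService stub = (VersionService) remote.lookup("VersionService");
        // The client never holds VersionServiceImpl, only a proxy for the interface.
        System.out.println("stub is a dynamic proxy: " + Proxy.isProxyClass(stub.getClass()));
        System.out.println("getVersion() -> " + stub.getVersion());

        // Unexport both remote objects so the JVM can exit.
        UnicastRemoteObject.unexportObject(impl, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```

On current JDKs the stub is generated at runtime as a dynamic proxy, and server-side dispatch is handled by the RMI runtime rather than by a separately generated skeleton class.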

#cybersecurity #pentesting #hacking #java #rmi

Tyrique Littel

1600135200

How to Install OpenJDK 11 on CentOS 8

What is OpenJDK?

OpenJDK or Open Java Development Kit is a free, open-source framework of the Java Platform, Standard Edition (or Java SE). It contains the virtual machine, the Java Class Library, and the Java compiler. The difference between the Oracle OpenJDK and Oracle JDK is that OpenJDK is a source code reference point for the open-source model. Simultaneously, the Oracle JDK is a continuation or advanced model of the OpenJDK, which is not open source and requires a license to use.

In this article, we will be installing OpenJDK on CentOS 8.

#tutorials #alternatives #centos #centos 8 #configuration #dnf #frameworks #java #java development kit #java ee #java environment variables #java framework #java jdk #java jre #java platform #java sdk #java se #jdk #jre #open java development kit #open source #openjdk #openjdk 11 #openjdk 8 #openjdk runtime environment

Samanta Moore

1621103940

SKP's Algorithms and Data Structures

Continuing on the Quick Revision of Important Questions for My Interviews. These Are Good Puzzles or Questions Related to Data Structures.

My Article Series on Algorithms and Data Structures in a Sort of ‘Programming Language Agnostic Way’. Few of the Algorithms and Data Structures in C, Few in C++, and Others in Core Java. Assorted Collection for Learning, Revising, Revisiting, Quick Refresh, and a Quick Glance for Interviews. You May Even Include them Directly for Professional or Open Source Efforts. Have Included Explanation Only for Few of These! Hope these turn out to be Really Helpful as per the Author’s Intention.

Data Structure — Interview Questions

#java #core java #data structures #dijkstra #core java basics #data structure using java #algorithms and data structures #java code examples #linked list in java #circular linked list

Samanta Moore

1620458875

Going Beyond Java 8: Local Variable Type Inference (var) - DZone Java

According to some surveys, such as JetBrains’s great survey, Java 8 is currently the most used version of Java, despite being a 2014 release.

What you are reading is one in a series of articles titled ‘Going beyond Java 8,’ inspired by the contents of my book, Java for Aliens. These articles will guide you step-by-step through the most important features introduced to the language, starting from version 9. The aim is to make you aware of how important it is to move forward from Java 8, explaining the enormous advantages that the latest versions of the language offer.

In this article, we will talk about the most important new feature introduced with Java 10. Officially called local variable type inference, this feature is better known as the introduction of the word var. Despite the complicated name, it is actually quite a simple feature to use. However, some observations need to be made before we can see the impact that the introduction of the word var has on other pre-existing characteristics.

#java #java 11 #java 10 #java 12 #var #java 14 #java 13 #java 15 #verbosity

Seamus Quitzon

1603677480

Java RMI for pentesters part two — reconnaissance & attack against non

This is the second part of the “Java RMI for pentesters” article. The first part can be found here; it explains what Java RMI registries are (I am mainly speaking about non-JMX ones) and how to interact with them.

In this part we will talk about automated reconnaissance of RMI registries as well as attacks against them. The article makes use of the RMI interface / server that was presented and thoroughly explained in the first part. Its source code can also be found on GitHub, here.

Reconnaissance

An RMIRegistry server is started as described in part one of the article, and an nmap scan is run against it. (In fact, scanning any RMI registry will give the following results. If you want to follow along, you can use the example code from part one.)

nmap -v -Pn -p 11099 -sV --script=+rmi-dumpregistry 127.0.0.1

Let’s see how to use the RMIScout tool against the above interface. RMIScout’s purpose is to guess methods that are available on the RMI interface. Once it’s done, you can implement your own interface and client as described in part one, and try to execute these methods. Note, however, that executing something blindly against an asset you do not own might have unpredictable side effects, including permanently damaging that asset. Before doing so, make sure that its owner is aware of the potential risk (while methods like String getVersion() are rather safe, never invoke something like shutDown()).

#hacking #java #rmi #deserialization #pentesting