Pentesting JDWP - Java Debug Wire Protocol
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Dobijte perspektivu hakera o vašim veb aplikacijama, mreži i oblaku
Pronađite i prijavite kritične, eksploatabilne ranjivosti sa stvarnim poslovnim uticajem. Koristite naših 20+ prilagođenih alata za mapiranje napadačke površine, pronalaženje bezbednosnih problema koji vam omogućavaju da eskalirate privilegije, i koristite automatizovane eksploate za prikupljanje suštinskih dokaza, pretvarajući vaš težak rad u uverljive izveštaje.
Eksploatacija JDWP-a se oslanja na nedostatak autentifikacije i enkripcije protokola. Obično se nalazi na portu 8000, ali su mogući i drugi portovi. Početna veza se uspostavlja slanjem "JDWP-Handshake" na ciljni port. Ako je JDWP servis aktivan, odgovara istim stringom, potvrđujući svoju prisutnost. Ova rukovanja deluju kao metoda otiska prsta za identifikaciju JDWP servisa na mreži.
U smislu identifikacije procesa, pretraga za stringom "jdwk" u Java procesima može ukazivati na aktivnu JDWP sesiju.
Osnovni alat je jdwp-shellifier. Možete ga koristiti sa različitim parametrima:
I found that the use of --break-on 'java.lang.String.indexOf'
makes the exploit more stabilan. And if you have the chance to upload a backdoor to the host and execute it instead of executing a command, the exploit will be even more stable.
This is a summary of https://ioactive.com/hacking-java-debug-wire-protocol-or-how/. Check it for further details.
JDWP Overview:
It's a packet-based network binary protocol, primarily synchronous.
Lacks authentication and encryption, making it vulnerable when exposed to hostile networks.
JDWP Handshake:
A simple handshake process is used to initiate communication. A 14-character ASCII string “JDWP-Handshake” is exchanged between the Debugger (client) and the Debuggee (server).
JDWP Communication:
Messages have a simple structure with fields like Length, Id, Flag, and CommandSet.
CommandSet values range from 0x40 to 0x80, representing different actions and events.
Exploitation:
JDWP allows loading and invoking arbitrary classes and bytecode, posing security risks.
The article details an exploitation process in five steps, involving fetching Java Runtime references, setting breakpoints, and invoking methods.
Real-Life Exploitation:
Despite potential firewall protections, JDWP services are discoverable and exploitable in real-world scenarios, as demonstrated by searches on platforms like ShodanHQ and GitHub.
The exploit script was tested against various JDK versions and is platform-independent, offering reliable Remote Code Execution (RCE).
Security Implications:
The presence of open JDWP services on the internet underscores the need for regular security reviews, disabling debug functionalities in production, and proper firewall configurations.
http://www.secdev.org/projects/scapy(no longer active)
http://www.hsc-news.com/archives/2013/000109.html (no longer active)
https://github.com/search?q=-Xdebug+-Xrunjdwp&type=Code&ref=searchresults
Get a hacker's perspective on your web apps, network, and cloud
Find and report critical, exploitable vulnerabilities with real business impact. Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)