Remote Method Guesser v3.3 releases: Java RMI enumeration and bruteforce of remote methods
Remote Method Guesser
- List available bound names and their corresponding interface class names
- List codebase locations (if exposed by the remote server)
- Check for known vulnerabilities (enabled class loader, missing JEP290, localhost bypass)
- Identify existing remote methods by using a bruteforce (wordlist) approach
- Call remote methods with ysoserial gadgets within the arguments
- Call remote methods with a client-specified codebase (remote class loading attack)
- Perform DGC and registry calls with ysoserial gadgets or a client-specified codebase
- Perform bind, unbind and rebind operations against a registry
- Extend ysoserial gadgets with An Trinh's registry bypass
- Enumerate the unmarshalling behavior of java.lang.String
- Create Java code dynamically to invoke remote methods manually
During remote method guessing, deserialization, and codebase attacks, the argument types of remote method calls are deliberately mismatched so that the server rejects the call before the remote method is actually invoked. This technique is not unique to remote-method-guesser and was used first (to the best of my knowledge) by Jake Miller in the rmiscout project.
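The "missing JEP290" check listed above looks for servers that deserialize call arguments without a serialization filter. As an added example (not code from the rmg project), the following Java server attaches a JEP 290 filter to an exported remote object so that the argument stream of every incoming call is limited to the classes the method genuinely accepts; anything else is rejected before it is instantiated. The `Greeter` interface, the `greeter` bound name and the port are assumptions made for this example.

```java
import java.io.ObjectInputFilter;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

public class FilteredRmiServer implements FilteredRmiServer.Greeter {

    // Hypothetical remote interface used only for this example; not part of rmg.
    public interface Greeter extends Remote {
        String greet(String name) throws RemoteException;
    }

    @Override
    public String greet(String name) {
        return "Hello, " + name;
    }

    // JEP 290 filter for this object's call arguments: the only non-primitive
    // argument type in Greeter is java.lang.String, so that class is allowed and
    // the trailing "!*" pattern rejects every other class a client might place in
    // the argument stream. The limits bound resource use even for accepted classes.
    static ObjectInputFilter greeterArgumentFilter() {
        return ObjectInputFilter.Config.createFilter(
                "maxdepth=5;maxarray=1024;java.lang.String;!*");
    }

    public static void main(String[] args) throws Exception {
        int port = 1099; // assumption: the default RMI registry port

        Greeter impl = new FilteredRmiServer();
        // Java 9+ overload of exportObject that binds the filter to this object;
        // RMI consults it while unmarshalling the arguments of each call.
        Greeter stub = (Greeter) UnicastRemoteObject.exportObject(impl, 0, greeterArgumentFilter());

        Registry registry = LocateRegistry.createRegistry(port);
        registry.rebind("greeter", stub);
        System.out.println("Greeter bound on port " + port + " with a JEP 290 argument filter");

        // Keep the JVM alive; exported objects are serviced by RMI's own threads.
        Thread.currentThread().join();
    }
}
```

The per-object filter only covers calls to the exported object. The registry and DGC endpoints that rmg also targets have their own built-in filters in current JDKs, which can be tightened further through the `sun.rmi.registry.registryFilter` and `sun.rmi.transport.dgcFilter` system properties, and a process-wide fallback can be set with `ObjectInputFilter.Config.setSerialFilter`.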
- Added the `--verbose` option. The output of rmg is now less verbose by default, but you can
get the full details by using this option.
- Added the `--guess-duplicate` option. rmg-v3.3.0 no longer guesses methods on identical
remote classes (only one instance will be used, the others are considered duplicates).
If you want to guess them anyway, you can use this option.
- Added documentation on method guessing
- Changed the underlying implementation of method guessing. The new implementation is
way faster and reduces the runtime of the `guess` action by up to a factor of
The new implementation is described in more detail here: method guessing
- Changed the wordlist format slightly. The overall format stays the same, but the meaning
of one field was changed. Old wordlists (in optimized format) are no longer compatible.
- Changed the option implementation. Options are now handled by an Enum, although this only
makes a difference internally.
- Some small bug fixes
Copyright (C) 2019 qtc-de