Java Remoting: Sign Me Up!

This is a pretty exciting week for advancing the state of the art of penetration testing with Metasploit, thanks in large part to Juan Vazquez's work on the new protocol-level support for Java Remote Method Invocation (RMI). If you've never heard of it before, it's probably because, like me, you haven't done much (or any) Java programming since school. Java RMI is essentially a network-exposed API, usually listening on 1617/TCP, and, as it turns out, often enabled by accident due to some misconceptions around the native security offered. While Oracle's documentation (and other sources) suggest using an SSL or SSH tunneling mechanism to secure RMI, it looks like there are more than a few implementations where there was some... confusion... regarding the difference between a merely encoded protocol, and an encrypted protocol.
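Because the RMI transport handshake is the same plaintext whether or not anyone meant it to be, the cheapest check a defender can run is to look at the first bytes of the stream. The following is an added example written for this post (not Metasploit's or Oracle's code); the byte values come from the Java RMI wire protocol specification, and the sample exchange is constructed, not captured:

```python
import struct

# Java RMI transport handshake constants, from the RMI wire protocol spec.
# Everything here is sent in the clear unless the socket is wrapped in TLS/SSH.
RMI_MAGIC = b"JRMI"                      # 0x4A524D49
PROTOCOLS = {0x4B: "StreamProtocol", 0x4C: "SingleOpProtocol", 0x4D: "MultiplexProtocol"}
PROTOCOL_ACK, PROTOCOL_NOT_SUPPORTED = 0x4E, 0x4F

# Constructed sample exchange (not from a real host): client header, then the
# server's ProtocolAck carrying an EndpointIdentifier (UTF host, int port).
SAMPLE_CLIENT = b"JRMI\x00\x02\x4b"
SAMPLE_SERVER = b"\x4e" + b"\x00\x09" + b"127.0.0.1" + b"\x00\x00\xc3\x50"


def parse_client_header(data: bytes) -> dict:
    """Decode the 7-byte header a client sends when it opens an RMI connection."""
    if len(data) < 7 or data[:4] != RMI_MAGIC:
        return {"rmi": False}
    version = struct.unpack(">H", data[4:6])[0]
    proto = data[6]
    return {"rmi": True, "version": version,
            "protocol": PROTOCOLS.get(proto, "unknown(0x%02x)" % proto)}


def parse_server_ack(data: bytes) -> dict:
    """Decode the server's reply to a StreamProtocol handshake."""
    if not data or data[0] == PROTOCOL_NOT_SUPPORTED:
        return {"ack": False}
    if data[0] != PROTOCOL_ACK or len(data) < 3:
        return {"ack": False}
    host_len = struct.unpack(">H", data[1:3])[0]
    end = 3 + host_len
    if len(data) < end + 4:
        return {"ack": False}
    host = data[3:end].decode("utf-8")
    port = struct.unpack(">i", data[end:end + 4])[0]
    return {"ack": True, "host": host, "port": port}


def classify_session(client: bytes, server: bytes) -> str:
    """Label the first bytes of a TCP stream: cleartext RMI, TLS, or something else."""
    hdr = parse_client_header(client)
    if hdr["rmi"]:
        ack = parse_server_ack(server)
        state = "acked by %s:%d" % (ack["host"], ack["port"]) if ack.get("ack") else "no ack"
        return "cleartext Java RMI %s (v%d), %s" % (hdr["protocol"], hdr["version"], state)
    if client[:2] == b"\x16\x03":   # TLS record header: handshake, SSL3/TLS major version
        return "TLS-wrapped stream (RMI-over-SSL or other TLS service)"
    return "not RMI"
```

Seeing the literal `JRMI` magic at the start of a stream is exactly the "encoded, not encrypted" case the post describes: a tunnelled or TLS-wrapped RMI endpoint never exposes that header on the wire.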

Keeping up on this kind of application protocol research is pretty crucial in exposing new (to you) sources of weakness and avenues of attack in an enterprise network. After all, there are only so many CSRFs and XSSes you can report on before the client starts getting a little glassy-eyed and wondering if there's anything else to worry about in the network under test.

You can read up on Juan's working notes on the original pull request, PR4560, but if you're really serious about learning how to use this stuff on your next engagement, you should register for InfoSec Southwest, coming up in April here in Austin -- Juan will be discussing all this at length in his talk, Reviewing and Abusing Java Remote Interfaces (Server-side Attacks). It's a gripper, and you'll be better prepared to tackle it when it pops up on your next port scan.

New Modules

Since last week's blog post, we have 4 new exploits and 4 new auxiliary modules, including not only the Java RMI modules, but a pair of modules targeting Google's Chromecast and Amazon's Fire TV devices. That William Vu guy just seems pretty obsessed with forcing you to watch what he wants to watch if you're glued to a networked TV screen. At least he's not eavesdropping on your private conversations (yet). We also have some bruteforcing modules for Splunk, Zabbix, and Chef, three popular operations suites for managing loads of data, servers, and configurations, from the reclusive and possibly mythical Metasploit Jedi HD Moore.

Exploit modules

Auxiliary and post modules

Also be sure to check out what's included in this week's binary release of Metasploit Pro, Express, and Community over at Thao's most excellent release notes.