Offensive Tools

RMIScout: Safely and Quickly Brute-Force Java RMI Interfaces for Code Execution.

RMIScout enables wordlist and bruteforce attacks against exposed Java RMI interfaces to safely guess method signatures without invocation. It supports multiple Java RMI protocols, method invocation, and exploitation.

About RMIScout

Features Overview

  • Automatically switches between RMI, RMI-SSL, Activation stubs.
  • Automatically performs localhost bypass techniques (e.g., registries bound to @127.0.0.1:XXXX, but still externally exposed via XXXX)
  • Multiple modes of operation
    • wordlist mode: Test for remote methods using a wordlist of signatures (see included lists/prototypes.txt)
    • bruteforce mode: Given a wordlist of method names generate signatures with various parameter types, # of params, and return types.
    • exploit mode: Use ysoserial to exploit remote methods with non-primitive parameters.
      • Requires rmiscout to be run with JRE 1.8 for ysoserial to work properly.
    • probe mode: Use GadgetProbe to identify classes in the remote classpath
    • invoke mode: Directly invoke remote methods by specifying a method signature and parameter values from the command line (primitives, arrays, and Strings only).
    • list mode: List available registries on remote server.
Bishop Fox Labs Security Researcher Jake Miller

Lead Researcher

Jake Miller

Jake Miller (OSCE, OSCP) is a Bishop Fox alumnus and former lead researcher. While at Bishop Fox, Jake was responsible for overseeing firm-wide research initiatives. He also produced award-winning research in addition to several popular hacking tools like RMIScout and GitGot.

Twitter: @theBumbleSec

GitHub: the-bumble

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.