Skip to content
Remote Java classpath enumeration via deserialization
Java Python
Branch: master
Clone or download
Latest commit d6416ad Feb 10, 2020
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
bin Add files via upload Feb 10, 2020
src/com/stefanbroeder/serially Add files via upload Feb 10, 2020
JavaClassDB.py Add files via upload Feb 10, 2020
README.md Update README.md Feb 10, 2020
getPopularJars.py Add files via upload Feb 10, 2020
pom.xml Add files via upload Feb 10, 2020

README.md

EnumJavaLibs

EnumJavaLibs: Remote Java classpath enumeration via deserialization.

Overview

EnumJavaLibs can be used to discover which libraries are loaded (i.e. available on the classpath) by a remote Java application when it supports deserialization.

-----------------
Serially - v1.1
by Stefan Broeder
-----------------
Usage:

EnumJavaLibs {MODE} [OPTIONS]

MODES:
base64                  Write base64 encoded serialized objects to CSV file in current directory
rmi {host} {port}       RMI mode. Connect to RMI endpoint and try deserialization.

OPTIONS:
-f {string}             Only serialize classes from packages which contain the given string (e.g. org.apache.commons)
-d                      Debug mode on

For more information about how to use the tool, please see this blog post.

Obtaining jar files

A local repository of jar files is required in ~/.serially/jars. You should run the JavaClassDB python3 script to index the jar files, before running EnumJavaLibs. One way to build a local repository is to download the most popular Java libraries from maven central. I provide a script getPopularJars.py that can be used as follows:

./getPopularJars.py 20 | while read x; do wget --quiet -P ~/.serially/jars $x; sleep 5; done

This command will scrape the 20 most popular jar files from mavenrepository.com.

Another way to bootstrap your local jar repository if you are using maven, is to copy the jar files you already have in the maven cache (~/.m2/repository)

RMI

To test RMI, I created a docker image you can fetch from [https://cloud.docker.com/repository/docker/summ1t/jmxrmi_vulnerable/general], which spins up a host listening to RMI on port 1617. It's running Java 8u40, which is vulnerable. It has library nanohttpd-2.2.0.jar loaded on the classpath to showcase that EnumJavaLibs is able to discover this library remotely (given that you prepared your local repository with this jar)

You can’t perform that action at this time.