BaRMIe - Java RMI Enumeration Tool


BaRMIe - Java RMI Enumeration And Attack Tool

BaRMIe is a tool for enumerating and attacking Java RMI (Remote Method Invocation) services.
RMI services often expose dangerous functionality without adequate security controls, but they tend to pass under the radar during security assessments because effective testing tools are lacking. In 2008 Adam Boulton spoke at AppSec USA (YouTube) and released some RMI attack tools, which disappeared soon after. Even with those tools, a successful zero-knowledge attack relies on a significant brute force attack (~64-bits/9 quintillion possibilities) being performed over the network.

The goal of BaRMIe is to enable security professionals to identify, attack, and secure insecure RMI services. Using partial RMI interfaces from existing software, BaRMIe can interact directly with those services without first brute forcing 64-bits over the network.


BaRMIe was written to aid security professionals in identifying insecure RMI services on systems which the user has prior permission to attack. Unauthorised access to computer systems is illegal and BaRMIe must be used in accordance with all relevant laws. Failure to do so could lead to you being prosecuted. The developers of BaRMIe assume no liability and are not responsible for any misuse or damage caused by this program.


Use of BaRMIe is straightforward. Run BaRMIe with no parameters for usage information.

    java -jar BaRMIe.jar

Enumeration mode (-enum) extracts details of objects that are exposed through an RMI registry service and lists any known attacks that affect the endpoint.

Attack mode (-attack) first enumerates the given targets, then provides a menu system for launching known attacks against RMI services.

A single target can be specified on the command line. Alternatively BaRMIe can extract targets from a simple text file or nmap output.

No Vulnerable Targets Identified?
Great! This is your opportunity to help improve BaRMIe! BaRMIe relies on some knowledge of the classes exposed over RMI so contributions will go a long way in improving BaRMIe and the security of RMI services.

If you have access to JAR files or source code for the target application then producing an attack is as simple as compiling code against the relevant JAR files. Retrieve the relevant remote object using the LocateRegistry and Registry classes and call the desired methods.

Alternatively look for remote methods that accept arbitrary objects or otherwise non-primitive parameters as these can be used to deliver deserialization payloads. More documentation on attacking RMI and producing attacks for BaRMIe will be made available in the near future.

Alternatively, get in touch, and provide as much detail as possible including BaRMIe -enum output and ideally the relevant JAR files.

Attack Types
BaRMIe is capable of performing three types of attacks against RMI services. A brief description of each follows. Further technical details will be published in the near future at https://nickbloor.co.uk/. In addition to this, I presented the results of my research at 44CON 2017 and the slides can be found here: BaRMIe - Poking Java's Back Door.

1. Attacking Insecure Methods
The first and most straightforward method of attacking insecure RMI services is to simply call insecure remote methods. Often dangerous functionality is exposed over RMI which can be triggered by simply retrieving the remote object reference and calling the dangerous method. The following code is an example of this:
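
    import java.rmi.registry.LocateRegistry;
    import java.rmi.registry.Registry;

    //Get a reference to the remote RMI registry service
    Registry reg = LocateRegistry.getRegistry(targetHost, targetPort);
    //Get a reference to the target RMI object
    Foo bar = (Foo)reg.lookup(objectName);
    //Call the remote executeCommand() method
    bar.executeCommand(command); //argument is a placeholder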

2. Deserialization via Object-type Parameters
Some RMI services do not expose dangerous functionality, or they implement security controls such as authentication and session management. If the RMI service exposes a method that accepts an arbitrary Object as a parameter then the method can be used as an entry point for deserialization attacks. Some examples of such methods can be seen below:

    public void setOption(String name, Object value);
    public void addAll(List values);

3. Deserialization via Illegal Method Invocation
Due to the use of serialization, and insecure handling of method parameters on the server, it is possible to use any method with non-primitive parameter types as an entry point for deserialization attacks. BaRMIe achieves this by using TCP proxies to modify method parameters at the network level, essentially triggering illegal method invocations. Some examples of vulnerable methods can be seen below:

    public void setName(String name);
    public Long add(Integer i1, Integer i2);
    public void sum(int[] values);

The parameters to each of these methods can be replaced with a deserialization payload as the method invocation passes through a proxy. This attack is possible because Java does not attempt to verify that remote method parameters received over the network are compatible with the actual parameter types before deserializing them.
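
A defensive counterpart to attack types 2 and 3, as an added example that is not part of BaRMIe or the original page: on Java 9 and later a remote object can be exported with an ObjectInputFilter allow-list, which runs on the argument stream regardless of the declared parameter type. `OptionService` and `OptionServiceImpl` are hypothetical, modelled on the `setOption(String, Object)` signature above.

```java
import java.io.ObjectInputFilter;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;
import java.util.HashMap;

public class FilteredRmiExport {
    // Hypothetical remote interface modelled on the page's setOption(String, Object) example.
    public interface OptionService extends Remote {
        void setOption(String name, Object value) throws RemoteException;
    }

    static class OptionServiceImpl implements OptionService {
        @Override
        public void setOption(String name, Object value) {
            System.out.println("accepted " + name + " = " + value);
        }
    }

    public static void main(String[] args) throws Exception {
        // Allow-list of the only classes this service legitimately receives.
        // "!*" rejects every other class before any of its code can run.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=5;java.lang.String;java.lang.Integer;java.lang.Number;!*");

        OptionServiceImpl impl = new OptionServiceImpl();
        // Java 9+ overload: the filter is consulted while call arguments are
        // unmarshalled on the server side. Port 0 picks an anonymous port.
        OptionService stub = (OptionService) UnicastRemoteObject.exportObject(impl, 0, filter);
        try {
            stub.setOption("timeout", 30); // Integer is on the allow-list
            try {
                // HashMap stands in for any class the service never expects
                stub.setOption("extra", new HashMap<String, String>());
                System.out.println("unexpected: HashMap was deserialized");
            } catch (RemoteException e) {
                Throwable root = e;
                while (root.getCause() != null) root = root.getCause();
                System.out.println("rejected by filter: " + root);
            }
        } finally {
            UnicastRemoteObject.unexportObject(impl, true);
        }
    }
}
```

The same pattern syntax can be applied process-wide through the `jdk.serialFilter` system property when exporting each object with its own filter is not an option.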
