Tuesday, November 5, 2013

JBoss JMX Console Hash Grabbin

I came across a little trick that may come in handy on a pen test if you find a Windows server vulnerable to the "exposed jmx-console vulnerability."  There are Metasploit modules for this, but I try to avoid them because the payloads get popped by AV on Windows systems. Normally I can just use one of the many available WAR shells instead to get a shell on the box. However, in this situation I couldn't get any of my WARs up to the target system because the deployer didn't appear to be configured or wasn't working correctly.

Instead, I added a UNC path to a fake share on my system, and the system graciously handed me the hash from the account that JBoss was configured to run as.

First, make sure you have access to the jmx-console:

Next find "jboss.deployment:"

On this page, find the "void addURL()" and add the UNC path to your system running the SMB server. My preference for SMB capture is just to use but you could also use the Metasploit SMB Capture module as well. Just make sure to have that running before you hit the "Invoke" button.

When you click "Invoke" you should see this message:

 If it works, you should immediately see your hash come across in your fake SMB server:

There you go! A fresh hash for your cracking pleasure. 

No comments: