Nmap Development mailing list archives

Re: Problems writing a nmap-service-probe for jdwp (Java debug wire protocol)


From: jrf <jay.fink () gmail com>
Date: Fri, 12 Mar 2010 20:25:39 -0500

On Fri, Mar 12, 2010 at 06:38:59PM +0100, Michael Schierl wrote:
[Please Cc: me as I am not subscribed to the list. Thanks.]

done :-)

However, JDWP is quite picky about who it speaks to. The conversation
has to start with the magic string "JDWP-Handshake", or the socket is
closed immediately. In addition, if that string is not received within
the first two seconds, the port is also closed.

Sending a payload with the initial packet(s) might jumpstart handshaking.
What would be helpful is if you can run a tcpdump on that host and
port and grok out some of the traffic. If you would like to we can go
offline and I can look at tracefiles to see if I can decode what the
payload should look like.

Currently, the null probe will timeout and report the port as
tcpwrapped, and my script is not even run. When reducing the timeout of
the null probe to 1 second for example, my probe will work (and detect
the jdwp version just fine), but of course this is not good for
detecting other protocols. I don't really know how I can tell nmap to
try this probe on ports that were previously closed (tcpwrapped) when
trying the null probe.

What I mentioned above might mitigate this.

Documentation for JDWP is available at
http://java.sun.com/j2se/1.5.0/docs/guide/jpda/jdwp-spec.html

The probe below sends a VirtualMachine_Version request, documented at
http://java.sun.com/j2se/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html#JDWP_VirtualMachine_Version

Thanks, I will look at these and below.

To try it, take any java program (which is run via the
normal java launcher) and add

-Xrunjdwp:transport=dt_socket,server=y,address=8000,suspend=n

as first parameter between the java binary and the other parameters
(class path, jar etc.) This will listen on port 8000 and not suspend the
VM (so the program will continue running fine as long as the debugger

Regards,
  j
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
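The exchange that Michael's probe depends on, written out as an added Python example (not code from this thread, from Nmap, or from the JDWP reference implementation): the client must send the literal string "JDWP-Handshake" first and promptly (the agent closes the socket after two seconds otherwise), the agent echoes it back, and only then does the 11-byte-header command packet for VirtualMachine/Version (command set 1, command 1) get an answer. The reply is parsed into the five fields the spec defines for that command. The target host, port, packet id, and the sample reply bytes are constructed for the demonstration so the parser can be exercised offline; the reply builder only exists to fabricate that sample.

```python
import socket
import struct

HANDSHAKE = b"JDWP-Handshake"   # magic string the agent insists on seeing first
HEADER_LEN = 11                  # length(4) + id(4) + flags(1) + cmdset/cmd or error(2)


def build_command(packet_id, command_set, command, data=b""):
    """JDWP command packet: big-endian length (incl. header), id, flags=0, cmdset, cmd, data."""
    return struct.pack(">IIBBB", HEADER_LEN + len(data), packet_id, 0, command_set, command) + data


def build_version_request(packet_id=1):
    """VirtualMachine command set is 1, Version command is 1; the request carries no data."""
    return build_command(packet_id, 1, 1)


def _read_string(buf, offset):
    """JDWP string: 4-byte length followed by that many UTF-8 bytes."""
    (n,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    return buf[offset:offset + n].decode("utf-8"), offset + n


def parse_version_reply(packet):
    """Decode a VirtualMachine/Version reply into its five documented fields."""
    length, packet_id, flags, error = struct.unpack_from(">IIBH", packet, 0)
    if not flags & 0x80:
        raise ValueError("flags byte lacks the reply bit (0x80)")
    if length != len(packet):
        raise ValueError("length field %d does not match %d bytes received" % (length, len(packet)))
    if error != 0:
        raise ValueError("agent returned JDWP error code %d" % error)
    off = HEADER_LEN
    description, off = _read_string(packet, off)
    jdwp_major, jdwp_minor = struct.unpack_from(">ii", packet, off)
    off += 8
    vm_version, off = _read_string(packet, off)
    vm_name, off = _read_string(packet, off)
    return {"id": packet_id, "description": description, "jdwpMajor": jdwp_major,
            "jdwpMinor": jdwp_minor, "vmVersion": vm_version, "vmName": vm_name}


def build_version_reply(packet_id, description, major, minor, vm_version, vm_name, error=0):
    """Encode a reply the way an agent would; used here only to construct offline sample input."""
    def s(text):
        b = text.encode("utf-8")
        return struct.pack(">I", len(b)) + b
    data = s(description) + struct.pack(">ii", major, minor) + s(vm_version) + s(vm_name)
    return struct.pack(">IIBH", HEADER_LEN + len(data), packet_id, 0x80, error) + data


# Constructed sample reply (values are illustrative, not captured from a real agent).
SAMPLE_REPLY = build_version_reply(
    1, "Java Debug Wire Protocol (Reference Implementation) version 1.6",
    1, 6, "1.6.0_18-sample", "Java HotSpot(TM) Client VM (sample)")


def _recv_exact(sock, n):
    """Read exactly n bytes or raise; JDWP framing relies on full packets."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the socket after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def probe_jdwp(host, port, timeout=2.0):
    """Handshake first, then ask for the version; returns the parsed reply or raises."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(HANDSHAKE)                      # must be the very first bytes on the wire
        if _recv_exact(sock, len(HANDSHAKE)) != HANDSHAKE:
            raise ValueError("peer did not echo the JDWP handshake; probably not a JDWP agent")
        sock.sendall(build_version_request(1))
        header = _recv_exact(sock, HEADER_LEN)
        (length,) = struct.unpack_from(">I", header, 0)
        body = _recv_exact(sock, length - HEADER_LEN)
        return parse_version_reply(header + body)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in probe_jdwp("127.0.0.1", 8000)
    # against a JVM started with the -Xrunjdwp option quoted above to query a live agent.
    for k, v in parse_version_reply(SAMPLE_REPLY).items():
        print("%-12s %s" % (k, v))
```

Because the agent waits for the handshake rather than volunteering a banner, a null probe never identifies it; the handshake-first ordering in `probe_jdwp` is the same reason Michael's nmap probe has to send bytes before it can match anything. An inventory that lists `vmName` and `vmVersion` for every socket that answers is the useful defensive output here: a JDWP agent reachable from outside the developer's own machine is a debugger port that should not be exposed.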