The `java_jmx_server` module uses the `Msf::Exploit::Remote::Java::Rmi::Client` library to perform a handshake with a Java JMX MBean server. A JMX MBean server listens on port 1099 by default and is used to manage and monitor Java applications.
The module reports whether the target is a Java JMX MBean server and whether that server requires authentication.
## Vulnerable Application
While many implementations of JMX are available, the module was successfully tested against an Apache ActiveMQ 5.13.3 server with JMX enabled. For convenience, a docker container (`antonw/activemq-jmx`) supports JMX and can be tweaked to require authentication.
## Verification Steps
See [PR#10401](https://github.com/rapid7/metasploit-framework/pull/10401) for general information, and [this specific comment](https://github.com/rapid7/metasploit-framework/pull/10401#issuecomment-448705897) for steps to require JMX authentication in the container. In summary:
```
docker run -p 1099:1099 antonw/activemq-jmx
docker exec -u=root -it `docker ps -q` /bin/bash
# echo -e "monitorRole QED\ncontrolRole R&D" > /etc/java-7-openjdk/management/jmxremote.password
# chown activemq /etc/java-7-openjdk/management/jmxremote.password
# chmod 400 /etc/java-7-openjdk/management/jmxremote.password
# sed -i 's/-Dcom.sun.management.jmxremote.authenticate=false/-Dcom.sun.management.jmxremote.authenticate=true/' /opt/apache-activemq-5.13.3/bin/env
docker restart `docker ps -q`
```
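A defender-side counterpart to the steps above, as an added example that is not part of the Metasploit module or its documentation: a shell audit that flags a JVM options file enabling remote JMX with `authenticate=false` and checks that the password file is private to its owner. The function names are hypothetical and the `ACTIVEMQ_SUNJMX_START` line is a constructed sample.

```shell
#!/bin/sh
# Added example (not Metasploit code): audit a JVM options file for the JMX
# settings toggled in the verification steps above.

# jmx_prop FILE NAME: print the last value assigned to
# -Dcom.sun.management.jmxremote.NAME on a non-comment line of FILE.
jmx_prop() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -o -e "-Dcom\.sun\.management\.jmxremote\.$2=[^[:space:]\"']*" |
        tail -n 1 | cut -d= -f2-
}

# audit_jmx FILE: return 1 if remote JMX is enabled with authentication off.
audit_jmx() {
    port=$(jmx_prop "$1" port)
    if [ -z "$port" ]; then
        echo "OK: no remote JMX port configured in $1"
        return 0
    fi
    # The JVM treats a missing authenticate property as true.
    auth=$(jmx_prop "$1" authenticate)
    if [ "${auth:-true}" = "false" ]; then
        echo "FAIL: JMX port $port accepts unauthenticated clients"
        return 1
    fi
    echo "OK: JMX port $port requires authentication"
}

# pwfile_private FILE: succeed only if group and other have no permissions,
# which is what the chmod 400 step above achieves.
pwfile_private() {
    case $(ls -ld -- "$1" | cut -c5-10) in
        ------) return 0 ;;
        *) echo "FAIL: $1 is accessible to group/other"; return 1 ;;
    esac
}

# Constructed sample: an env file as it looks before the sed edit.
sample=$(mktemp)
printf '%s\n' \
    '# -Dcom.sun.management.jmxremote.authenticate=true' \
    'ACTIVEMQ_SUNJMX_START="-Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.authenticate=false"' \
    > "$sample"
audit_jmx "$sample" || true
```

The commented-out `authenticate=true` line in the sample is ignored, so the audit reports the effective `false` value.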
## Options
**Option name**
Talk about what it does, and how to use it appropriately. If the default value is likely to change, include the default value here.
## Scenarios
### ActiveMQ 5.13.3
Against the above-described Docker container, the workflow looks like:
```
msf5 auxiliary(scanner/misc/java_jmx_server) > set RHOST 127.0.0.1
msf5 auxiliary(scanner/misc/java_jmx_server) > set RPORT 1099
msf5 auxiliary(scanner/misc/java_jmx_server) > run
[*] Reloading module...
[*] 127.0.0.1:1099 - Sending RMI header...
[*] 127.0.0.1:1099 - localhost:1099 Java JMX MBean authentication required
[*] 127.0.0.1:1099 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
In addition, note that `services` within the data model has been updated:
```
msf5 auxiliary(scanner/misc/java_jmx_server) > services
Services
========

host       port  proto  name      state  info
----       ----  -----  ----      -----  ----
127.0.0.1  1099  tcp    java-rmi  open   JMX MBean server accessible
```