rmiInfo is a tool to help extract information from Java Remote Method Invocation (RMI) services, which can then be used to find possible security vulnerabilities. The main aim being to identify the location of the RMI stub. If one is able to find the stub, then this is the first step in being able to construct java code to talk directly to the RMI service.
rmiInfo is able to not only extract information from RMI registries but also RMI services as well.
From a registry it is able to extract the following information:
- Name of attached services.
- Location of the service (IP address and port number).
- Name of the stub interface.
From an RMI service it is able to extract the following information:
- Location of remotely deployed code.
Thus if you combine the information for the service and the registry, you are able to determine the location and name of remotely deployed stubs.
Other features of rmiInfo:
- If it finds an RMI registry, it will recursively scan all the services identified.
- Platform independent (Java based).