RMIScout enumerates and exploits Java RMI interfaces using wordlist and bruteforce techniques to identify and leverage remote method vulnerabilities safely.
RMIScout uses wordlist and bruteforce strategies to enumerate Java RMI functions and exploit RMI parameter unmarshalling vulnerabilities.
Security professionals and penetration testers use RMIScout to discover exposed Java RMI methods and exploit parameter unmarshalling vulnerabilities for code execution or further attack surface analysis. It is particularly useful during red teaming engagements targeting Java applications with RMI services.
Full exploitation features require running RMIScout with JRE 1.8 due to ysoserial dependencies. The tool safely enumerates methods by triggering unmarshalling exceptions without invoking actual remote methods, minimizing the risk of unintended side effects. Users should have appropriate authorization before scanning or exploiting RMI services.
Ensure Java Runtime Environment (JRE) 1.8 is installed (required for full functionality including ysoserial exploitation)
Clone the repository: git clone https://github.com/BishopFox/rmiscout.git
Navigate into the cloned directory: cd rmiscout
Run the tool using the included shell script: ./rmiscout.sh
./rmiscout.sh wordlist -i lists/prototypes.txt <host> <port>
Enumerate remote methods on a target server using a wordlist of method prototypes.
./rmiscout.sh bruteforce -i lists/methods.txt -r void,boolean,long -p String,int -l 1,4 <host> <port>
Bruteforce method signatures by generating permutations of method names, return types, parameter types, and parameter counts.