What’s in an IOR? (or how not to waste 30 minutes)

Imported from my old blog at matterpreter.com

I’m really only writing this to save someone some time on an engagement and since there’s nothing detailed on the topic out there.

Today I was working and came across TCP port 8192, which I’ve seen a million times, and decided to poke it a little bit. This port, as well as 8193 and 8194, are known to be associated with Sophos so I figured it might be at least a little bit of information disclosure.

According to Sophos, “Port 8192 (TCP) is used to provide the connecting client (message router) with information on how to find connect to the SSL port for future communication. Port 8192 (TCP) hosts an Interoperable Object Reference (IOR), which encodes within it the port and address for the client to connect back to.”

When you connect to the port, it responds back with the string IOR:<hex> - not particularly useful. By standard, the IOR (Interoperable Object Reference) is a reference string that uniquely identifies an object on a remote RMI-IIOP (Java Remote Method Invocation interface over the Internet Inter-Orb Protocol) server. The hex is big endian, little endian, or serialized binary data.

Just for the hell of it, I set out trying to decode the string but there is very little information about how to do it without downloading some massive piece of Java software so I figured I’d look through Ubuntu packages to see if there was way to do it.

There are a few tools that can do the parsing, but they are all dead and not officially supported by any operating system I had available to me due to outdated dependencies. I decided to use the legacy tao-utils Ubuntu package, fixed the missing dependencies, and came up with this crappy shell script to do the job:

Now that the tao-catior tool works, just put the IOR string into a file and run tao-catior -f <iorFile>, which should return something similar to this:

So as you can see, a bit of marginally useful info about the target (hostname and alternate ports) and that’s about it. As I mentioned, I really just want to help other guys not waste their time poking this thing and put something a little more detailed that Sophos’ KB article out there. It looks interesting at face value but is kind of lame once you dig in.

Originally published at https://matterpreter.com on September 27, 2018.

I like security, picking up heavy things, and burritos. Adversary Simulation @ SpecterOps. github.com/matterpreter

I like security, picking up heavy things, and burritos. Adversary Simulation @ SpecterOps. github.com/matterpreter