ELK 6.6.1: easily cracking the Elasticsearch x-pack plugin
Xiaosheng's blog: http://xsboke.blog.51cto.com. Thanks for reading; questions and discussion are welcome.
Contents
[*] Crack workflow.
[*] Start ELK with Docker.
[*] Recompile and regenerate LicenseVerifier.class and XPackBuild.class.
[*] Replace the old x-pack-core-6.6.1.jar.
[*] Edit elasticsearch.yml and restart ELK, otherwise the license cannot be uploaded.
[*] Request, modify and upload the license.
[*] Enable login for ES.
[*] Verify.
Requirement
Enable authentication on ELK.
Environment
An ELK 6.6.1 container running under Docker.
Crack workflow
[*] Recompile and replace LicenseVerifier.class and XPackBuild.class inside x-pack-core-6.6.1.jar.
[*] Request a basic license and edit its contents into a platinum license.
[*] Upload the license and enable login for ES.
Start ELK with Docker
The version used is 6.6.1.
```shell
docker run -d --name elk --restart=always -e "LANG=C.UTF-8" -p 5601:5601 -p 9200:9200 -p 9300:9300 -p 5044:5044 -it sebp/elk:661
```
Recompile and regenerate LicenseVerifier.class and XPackBuild.class
Download x-pack-core-6.6.1.jar, open it with WinRAR and locate LicenseVerifier.class and XPackBuild.class:
/opt/elasticsearch/modules/x-pack-core/x-pack-core-6.6.1.jar
[*] x-pack-core-6.6.1.jar\org\elasticsearch\license\LicenseVerifier.class
[*] x-pack-core-6.6.1.jar\org\elasticsearch\xpack\core\XPackBuild.class
Download the Luyten decompiler, decompile both files, then edit them using the two files below as reference.
Decompiler download address:
https://github.com/deathmarine/Luyten/releases/tag/v0.5.4_Rebuilt_with_Latest_depenencies
```java
/* LicenseVerifier.java */
package org.elasticsearch.license;

import java.nio.*;
import org.elasticsearch.common.bytes.*;
import java.security.*;
import java.util.*;
import org.elasticsearch.common.xcontent.*;
import org.apache.lucene.util.*;
import org.elasticsearch.core.internal.io.*;
import java.io.*;

public class LicenseVerifier {
    // Patched version: the signature check is gone and every license is reported as valid.
    public static boolean verifyLicense(final License license, final byte[] publicKeyData) {
        byte[] signedContent = null;
        byte[] publicKeyFingerprint = null;
        return true;
    }

    public static boolean verifyLicense(final License license) {
        return true;
    }
}
```
```java
/* XPackBuild.java */
package org.elasticsearch.xpack.core;

import org.elasticsearch.common.io.*;
import java.net.*;
import org.elasticsearch.common.*;
import java.nio.file.*;
import java.io.*;
import java.util.jar.*;

public class XPackBuild {
    public static final XPackBuild CURRENT;
    private String shortHash;
    private String date;

    @SuppressForbidden(reason = "looks up path of xpack.jar directly")
    static Path getElasticsearchCodebase() {
        final URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
        try {
            return PathUtils.get(url.toURI());
        } catch (URISyntaxException bogus) {
            throw new RuntimeException(bogus);
        }
    }

    XPackBuild(final String shortHash, final String date) {
        this.shortHash = shortHash;
        this.date = date;
    }

    public String shortHash() {
        return this.shortHash;
    }

    public String date() {
        return this.date;
    }

    static {
        final Path path = getElasticsearchCodebase();
        String shortHash = null;
        String date = null;
        // Patched version: the build hash and date are hard-coded instead of being read from the jar.
        Label_0109: {
            shortHash = "Unknown";
            date = "Unknown";
        }
        CURRENT = new XPackBuild(shortHash, date);
    }
}
```
Compile the two Java files back into class files:
```shell
javac -cp "/opt/elasticsearch/lib/elasticsearch-6.6.1.jar:/opt/elasticsearch/lib/elasticsearch-core-6.6.1.jar:/opt/elasticsearch/lib/lucene-core-7.6.0.jar:/opt/elasticsearch/modules/x-pack-core/x-pack-core-6.6.1.jar" LicenseVerifier.java
javac -cp "/opt/elasticsearch/lib/elasticsearch-6.6.1.jar:/opt/elasticsearch/lib/elasticsearch-core-6.6.1.jar:/opt/elasticsearch/lib/lucene-core-7.6.0.jar:/opt/elasticsearch/modules/x-pack-core/x-pack-core-6.6.1.jar" XPackBuild.java
```
Put the two new class files into x-pack-core-6.6.1.jar at these paths:
[*] x-pack-core-6.6.1.jar\org\elasticsearch\license\LicenseVerifier.class
[*] x-pack-core-6.6.1.jar\org\elasticsearch\xpack\core\XPackBuild.class
Replace the old x-pack-core-6.6.1.jar
```shell
mv x-pack-core-6.6.1.jar /opt/elasticsearch/modules/x-pack-core/
```
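A defender-side check for the jar swap described above, added here as an example and not part of the original post: it hashes every entry inside a jar and lists which entries differ from a pristine baseline copy of x-pack-core-6.6.1.jar, so a replaced LicenseVerifier.class or XPackBuild.class stands out. The baseline and the "deployed" jar in the demo are constructed in memory; in practice the baseline comes from an untouched distribution.

```python
"""Detect tampered class entries in an x-pack-core jar by hashing each
entry and comparing it with a known-good baseline jar. Added example;
the sample jars built below are constructed data, not real class files."""
import hashlib
import io
import zipfile

# Entries the walkthrough above replaces; a difference here is the red flag.
WATCHED = (
    "org/elasticsearch/license/LicenseVerifier.class",
    "org/elasticsearch/xpack/core/XPackBuild.class",
)


def entry_hashes(jar_bytes):
    """Return {entry_name: sha256_hex} for every file stored in the jar."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hashes[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes


def diff_jars(baseline_bytes, deployed_bytes):
    """List entries whose content changed, was added or was removed relative
    to the baseline; watched entries are sorted to the front of the list."""
    base, dep = entry_hashes(baseline_bytes), entry_hashes(deployed_bytes)
    return sorted(
        (n for n in base.keys() | dep.keys() if base.get(n) != dep.get(n)),
        key=lambda n: (n not in WATCHED, n),
    )


def build_jar(entries):
    """Build an in-memory jar from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    manifest = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}
    pristine = build_jar({WATCHED[0]: b"original-verifier", WATCHED[1]: b"original-build", **manifest})
    patched = build_jar({WATCHED[0]: b"return-true-verifier", WATCHED[1]: b"original-build", **manifest})
    for name in diff_jars(pristine, patched):
        print("TAMPERED:", name)
```

For a real check, read the deployed jar from /opt/elasticsearch/modules/x-pack-core/ and the baseline from a freshly downloaded distribution of the same version.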
Edit elasticsearch.yml and restart ELK, otherwise the license cannot be uploaded
```shell
vim /etc/elasticsearch/elasticsearch.yml
xpack.security.enabled: false
docker restart elk
```
Request, modify and upload the license
[*] Request the license:
https://license.elastic.co/registration
[*] Download and modify the license. The modified license can be kept and reused; it is generic.
Main changes:
Change the license type to "type":"platinum"
Change the expiry time to "expiry_date_in_millis":2524579200999
cat license.json
```json
{"license":{"uid":"......","type":"platinum","issue_date_in_millis":1625097600000,"expiry_date_in_millis":2524579200999,"max_nodes":100,"issued_to":"xxx xxx (xxx)","issuer":"Web Form","signature":"......","start_date_in_millis":1625097600000}}
```
[*] Upload the license:
Open http://:5601/app/kibana#/management/elasticsearch/license_management/home.
Click "Upload license" and drop the license file in.
Enable login for ES
[*] Enable the security features and restart ELK:
```shell
vim /etc/elasticsearch/elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
docker restart elk
```
[*] Set the passwords; answer Y at the prompt and enter a password. In this example the password is mA&m39jizV.
```shell
/opt/elasticsearch/bin/elasticsearch-setup-passwords interactive
```
[*] Edit the Kibana configuration file and add the authentication options:
cat /opt/kibana/config/kibana.yml
```yaml
i18n.locale: "zh-CN"
kibana.index: ".kibana"
elasticsearch.username: "elastic"
elasticsearch.password: "mA&m39jizV"
```
[*] Edit the Logstash configuration file:
cat /opt/logstash/config/logstash.yml
```yaml
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: mA&m39jizV
```
[*] Edit 02-beats-input.conf:
cat /etc/logstash/conf.d/02-beats-input.conf
```
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-beats.crt"
    ssl_key => "/etc/pki/tls/private/logstash-beats.key"
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "ruizhi-log-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "mA&m39jizV"
  }
}
```
[*] Edit 30-output.conf:
cat /etc/logstash/conf.d/30-output.conf
```
output {
  elasticsearch {
    hosts => ["localhost"]
    manage_template => false
    index => "%{[@metadata]}-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "mA&m39jizV"
  }
}
```
[*] Restart ELK:
```shell
docker restart elk
```
Verify
Open Kibana and log in with user name elastic and password mA&m39jizV. After a successful login, the current license level and its expiry date are shown.