[Linux] ELK 6.6.1: easily cracking the elasticsearch x-pack plugin

服务系统 | Published: 2021-07-01 14:26 | Views: 550 | Comments: 0

  Author's blog: http://xsboke.blog.51cto.com
-------Thank you for reading; questions and discussion are welcome
  Contents

  • Crack workflow.
  • Start ELK with docker.
  • Recompile and regenerate LicenseVerifier.class and XPackBuild.class.
  • Replace the old x-pack-core-6.6.1.jar.
  • Edit elasticsearch.yml and restart ELK, otherwise the license cannot be uploaded.
  • Request, modify and upload the license.
  • Enable ES login.
  • Verify.

Requirement
  Enable authentication on ELK.
Environment
  An ELK 6.6.1 container run with docker.
Crack workflow
  1. Recompile and replace the files LicenseVerifier.class and XPackBuild.class inside x-pack-core-6.6.1.jar.
  2. Request a basic license and edit its contents into a platinum license.
  3. Upload the license and enable ES login.
Start ELK with docker

Version 6.6.1 is used
  docker run -d --name elk --restart=always -e "LANG=C.UTF-8" -p 5601:5601 -p 9200:9200 -p 9300:9300 -p 5044:5044 -it sebp/elk:661
Recompile and regenerate LicenseVerifier.class and XPackBuild.class

Download x-pack-core-6.6.1.jar, open it with WinRAR and locate LicenseVerifier.class and XPackBuild.class
  /opt/elasticsearch/modules/x-pack-core/x-pack-core-6.6.1.jar
  1. x-pack-core-6.6.1.jar\org\elasticsearch\license\LicenseVerifier.class
  2. x-pack-core-6.6.1.jar\org\elasticsearch\xpack\core\XPackBuild.class
Download the Luyten decompiler, decompile both files, then edit them using the two files below as reference
  Decompiler download:
  https://github.com/deathmarine/Luyten/releases/tag/v0.5.4_Rebuilt_with_Latest_depenencies
  /* LicenseVerifier.java */
  package org.elasticsearch.license;
  import java.nio.*;
  import org.elasticsearch.common.bytes.*;
  import java.security.*;
  import java.util.*;
  import org.elasticsearch.common.xcontent.*;
  import org.apache.lucene.util.*;
  import org.elasticsearch.core.internal.io.*;
  import java.io.*;
  public class LicenseVerifier {
    // Patched version: the signature check is removed and every license is
    // reported as valid, so the modified license.json below is accepted.
    public static boolean verifyLicense(final License license, final byte[] publicKeyData) {
      byte[] signedContent = null;
      byte[] publicKeyFingerprint = null;
      return true;
    }

    public static boolean verifyLicense(final License license) {
      return true;
    }
  }

  /* XPackBuild.java */
  package org.elasticsearch.xpack.core;
  import org.elasticsearch.common.io.*;
  import java.net.*;
  import org.elasticsearch.common.*;
  import java.nio.file.*;
  import java.io.*;
  import java.util.jar.*;
  public class XPackBuild {
    public static final XPackBuild CURRENT;
    private String shortHash;
    private String date;
    @SuppressForbidden(reason = "looks up path of xpack.jar directly")
    static Path getElasticsearchCodebase() {
      final URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
      try {
        return PathUtils.get(url.toURI());
      }
      catch (URISyntaxException bogus) {
        throw new RuntimeException(bogus);
      }
    }

    XPackBuild(final String shortHash, final String date) {
      this.shortHash = shortHash;
      this.date = date;
    }

    public String shortHash() {
      return this.shortHash;
    }

    public String date() {
      return this.date;
    }

    // Patched static initializer: the jar manifest is no longer read, so the
    // build hash and date are simply reported as "Unknown".
    static {
      final Path path = getElasticsearchCodebase();
      final String shortHash = "Unknown";
      final String date = "Unknown";
      CURRENT = new XPackBuild(shortHash, date);
    }
  }
  
Compile the two java files back into class files
  javac -cp "/opt/elasticsearch/lib/elasticsearch-6.6.1.jar:/opt/elasticsearch/lib/elasticsearch-core-6.6.1.jar:/opt/elasticsearch/lib/lucene-core-7.6.0.jar:/opt/elasticsearch/modules/x-pack-core/x-pack-core-6.6.1.jar" LicenseVerifier.java

  javac -cp "/opt/elasticsearch/lib/elasticsearch-6.6.1.jar:/opt/elasticsearch/lib/elasticsearch-core-6.6.1.jar:/opt/elasticsearch/lib/lucene-core-7.6.0.jar:/opt/elasticsearch/modules/x-pack-core/x-pack-core-6.6.1.jar" XPackBuild.java
  
Put the two new class files into x-pack-core-6.6.1.jar

  • x-pack-core-6.6.1.jar\org\elasticsearch\license\LicenseVerifier.class
  • x-pack-core-6.6.1.jar\org\elasticsearch\xpack\core\XPackBuild.class
  
Replace the old x-pack-core-6.6.1.jar
  mv x-pack-core-6.6.1.jar /opt/elasticsearch/modules/x-pack-core/
  
Edit elasticsearch.yml and restart ELK, otherwise the license cannot be uploaded
  vim /etc/elasticsearch/elasticsearch.yml

  xpack.security.enabled: false

  docker restart elk
  
Request, modify and upload the license

  • Request a license
  https://license.elastic.co/registration

  • Download and edit the license; the edited license can be kept and reused
  Main changes:
  change the license type to  "type":"platinum"
  change the expiry time to  "expiry_date_in_millis":2524579200999

  cat license.json

  {"license":{"uid":"......","type":"platinum","issue_date_in_millis":1625097600000,"expiry_date_in_millis":2524579200999,"max_nodes":100,"issued_to":"xxx xxx (xxx)","issuer":"Web Form","signature":"......","start_date_in_millis":1625097600000}}

  • Upload the license
  Open: http://:5601/app/kibana#/management/elasticsearch/license_management/home.
  Click Upload license, then drop in the license file.
  
Enable ES login

  • Enable the security features and restart ELK

vim /etc/elasticsearch/elasticsearch.yml

  xpack.security.enabled: true
  xpack.security.transport.ssl.enabled: true

docker restart elk


  • Set the passwords; answer Y at the prompt and enter each password. In this example the password is mA&m39jizV

/opt/elasticsearch/bin/elasticsearch-setup-passwords interactive


  • Edit the kibana config file and add the authentication options

cat /opt/kibana/config/kibana.yml

  i18n.locale: "zh-CN"
  kibana.index: ".kibana"
  elasticsearch.username: "elastic"
  elasticsearch.password: "mA&m39jizV"

  • Edit the logstash config file

cat /opt/logstash/config/logstash.yml

  xpack.monitoring.elasticsearch.username: logstash_system
  xpack.monitoring.elasticsearch.password: mA&m39jizV

  • Edit 02-beats-input.conf

cat /etc/logstash/conf.d/02-beats-input.conf

  input {
  beats {
  port => 5044
  ssl => true
  ssl_certificate => "/etc/pki/tls/certs/logstash-beats.crt"
  ssl_key => "/etc/pki/tls/private/logstash-beats.key"
  }
  }
  output{
  elasticsearch {
  hosts => ["localhost:9200"]
  index => "ruizhi-log-%{+YYYY.MM.dd}"
  user => "elastic"
  password => "mA&m39jizV"
  }
  }

  • Edit 30-output.conf

cat /etc/logstash/conf.d/30-output.conf

  output {
  elasticsearch {
  hosts => ["localhost"]
  manage_template => false
  index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  user => "elastic"
  password => "mA&m39jizV"
  }
  }

  • Restart ELK

docker restart elk
  
Verify
Open kibana and log in with username elastic and password mA&m39jizV. After a successful login the current license level and expiry date are shown.
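From the operator's side, the two changes this walkthrough makes (two replaced classes inside x-pack-core-6.6.1.jar, and a hand-edited license.json) both leave detectable traces. The following Python script is an added example, not code from the original post: it compares the sha256 of LicenseVerifier.class and XPackBuild.class in a deployed jar against a known-good copy of the same jar, and applies plausibility heuristics to a license document (a paid type carrying the self-service "Web Form" issuer, or a validity span of decades). The build_jar fixture, the 5-year threshold and the set of self-service license types are assumptions; the sample license values are the ones shown in the post with the signature elided.

```python
import hashlib
import io
import json
import zipfile

# The two classes the walkthrough replaces; a .jar is a plain zip archive.
WATCHED = ("org/elasticsearch/license/LicenseVerifier.class",
           "org/elasticsearch/xpack/core/XPackBuild.class")
MS_PER_YEAR = 365.25 * 24 * 3600 * 1000
# Assumption: the self-service registration form only hands out these types.
SELF_SERVICE_TYPES = {"basic", "trial"}
# Constructed from the values in the post; signature elided as "......".
SAMPLE_LICENSE = ('{"license":{"type":"platinum","issuer":"Web Form",'
                  '"issue_date_in_millis":1625097600000,'
                  '"expiry_date_in_millis":2524579200999,"signature":"......"}}')

def class_digests(jar_bytes: bytes) -> dict:
    """sha256 of each watched class inside a jar held in memory."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in WATCHED}

def tampered_classes(reference_jar: bytes, deployed_jar: bytes) -> list:
    """Watched classes whose bytes differ from the known-good jar."""
    ref, dep = class_digests(reference_jar), class_digests(deployed_jar)
    return [n for n in WATCHED if ref[n] != dep[n]]

def audit_license(license_json: str) -> list:
    """Plausibility findings for a license document (no signature check)."""
    lic = json.loads(license_json)["license"]
    findings = []
    if lic.get("issuer") == "Web Form" and lic.get("type") not in SELF_SERVICE_TYPES:
        findings.append(f"type '{lic['type']}' issued by the self-service form")
    years = (lic["expiry_date_in_millis"] - lic["issue_date_in_millis"]) / MS_PER_YEAR
    if years > 5:  # assumption: no legitimate contract runs this long
        findings.append(f"validity of {years:.1f} years")
    return findings

def build_jar(members: dict) -> bytes:
    """Hypothetical fixture: a minimal jar holding the given member bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    good = build_jar({n: b"bytecode:" + n.encode() for n in WATCHED})
    bad = build_jar({WATCHED[0]: b"patched", WATCHED[1]: b"bytecode:" + WATCHED[1].encode()})
    print(tampered_classes(good, bad), audit_license(SAMPLE_LICENSE))
```

In production, replace build_jar with the jar read from disk and a pristine copy from the official distribution; the heuristics complement, and do not replace, the signature check that LicenseVerifier normally performs.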
