Hi FD, I am glad to present this script: - PrommetrixI think that building a tool that quite facilitates the scraping work of the data presented by the Prometheus metrics, perhaps it is possible to make the team that develops it becomes aware of the existing need to protect them from their core.
23/01/2024: - Google (search engine): ~ 1832 servers with exposed metrics - Shodan ~ 7320 servers with exposed metrics ---------"Prommetrix is a free software tool to obtain relevant information from the instances of 'Node Exporter' executed by 'Prometheus'."
---------Prometheus is an open-source, metrics-based event monitoring and alerting solution for cloud applications. It is used by nearly 800 cloud-native organizations including Uber, Slack, Robinhood, and more. By scraping real-time metrics from various endpoints, Prometheus allows easy observation of a system’s state in addition to observation of hardware and software metrics such as memory usage, network usage and software-specific defined metrics (ex. number of failed login attempts to a web application).
https://prometheus.io/docs/guides/node-exporter/Since the numeric metrics captured by Prometheus are not considered sensitive data, Prometheus has held an understandable policy of avoiding built-in support for security features such as authentication and encryption, in order to focus on developing the monitoring-related features. This changed less than a year ago (Jan 2021), on the release of version 2.24.0 where Transport Layer Security (TLS) and basic authentication support were introduced.
Due to the fact that authentication and encryption support is relatively new, many organizations that use Prometheus haven’t yet enabled these features and thus many Prometheus endpoints are completely exposed to the Internet (e.g. endpoints that run earlier versions), leaking metric and label data.
--------- This vulnerabily can be described in a Pentest/Report like:PRM-01-001 Client: Clients leak Metrics data through unprotected endpoint (LOW)
"Metric data are to be collected for some services and these items need to implement a client-library that enables the core Prometheus service to scrape the data. The client- library opens a minimal HTTP server and exposes a route which is then registered with the core service for scraping. This endpoint is unauthenticated by default, which allows anybody who knows the URI to read the metric data. It is recommended to put some form of authentication in place. Only the core Prometheus service should be allowed to read the metric data."
---------Prommetrix - will take advantage of these metrics to obtain relevant information from the Prometheus instance, as well as, of the machine in which it is running.
--------- Dork (using default port): - inurl:":9100/metrics" --------- PoC:1- Let's take as example a random machine with Prometheus metrics exposed and using default port.
2- Execution: python3 prommetrix.py --target XXX.XXX.XXX.XXX 3- Output (note that results will be variable depending of the instance): [INFO] 'Prometheus' detected at: XXX.XXX.XXX.XXX <-> EXPOSING! - Metrics path: - URL: http://XXX.XXX.XXX.XXX:9100/metrics - 'Go' (environment): - Version: go1.21.4 - 'Node Export' (build): - Branch: HEAD - Version: go1.21.4 - CPUs (total): - 1 - SYSTEM: - Vendor: DigitalOcean - BIOS: - Date: 12/12/2017 - Release: 1.0 - Version: 20171212 - OS: - ID: ubuntu - ID Like: debian - Name: Ubuntu 22.04.3 LTS - Version codename: jammy - Version ID: 22.04 - UNAME: - Domainname: (none) - Machine: x86_64 - Nodename: prometheus-demo - Release: 5.15.0-89-generic - Sysname: Linux - Version: 99-Ubuntu SMP Mon Oct 30 20:42:41 UTC 2023 - TIMEZONE: - Location: UTC - SELINUX: - Status: OFF - Info of /sys/block/<block_device>: - vda - Info of node_filesystem_files: - /dev/vda1",fstype="ext4",mountpoint="/" - /dev/vda15",fstype="vfat",mountpoint="/boot/efi" - tmpfs",fstype="tmpfs",mountpoint="/run" - tmpfs",fstype="tmpfs",mountpoint="/run/lock" - NETWORK devices: - eth0 - lo [SNIPPED]4- You have enough interesting information to perform other new types of attack (ex: via CVE).
--------- Screenshoots (examples): - https://03c8.net/images/prommetrix_banner.png - https://03c8.net/images/prommetrix_poc.png - https://03c8.net/images/prommetrix_poc2.png --------- Code/Packages: * [source]: - https://code.03c8.net/epsylon/prommetrix * [mirror1]: - https://github.com/epsylon/prommetrix --------- Happy leaking!
Attachment:
OpenPGP_0xB3C1FD78B8AC3776.asc
Description: OpenPGP public key
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/