Documentation ¶
Index ¶
Constants ¶
const KAFKA = "kafkaNew"
const KAFKATLS = "KafkaNewTLS"
Variables ¶
This section is empty.
Functions ¶
func Run ¶
func Run(conn net.Conn, tls bool, timeout time.Duration, target plugins.Target) (*plugins.Service, error)
Run Kafka scanner plugins.
Primary Sources:
- https://kafka.apache.org/protocol.html (Gold mine)
- https://kafka.apache.org/documentation.html
- https://kafka.apache.org/downloads
Methodology: Scanning for Kafka is a bit tricky, so I've outlined my methodology here. Kafka is harder to detect reliably for a few reasons:
- Kafka brokers may optionally require authentication via SASL before most commands can be issued.
- There are many different versions of Kafka, and most API calls work slightly different on each versions (especially for pre-0.9.0.X releases)
Fortunately, Kafka versions 0.10.0.0 and later support the ApiVersions request, which can be sent by an unauthenticated user to check which API requests are supported by the broker. Also versions prior to 0.9.0.0 do not offer any form of authentication. And, all versions of Kafka are compatible with any older client. This means that:
- If Kafka version 0.10.0.0 or higher is running, we can confirm with the ApiVersions request regardless of if authentication is required This includes any version of Kafka released since May, 2016.
- If Kafka version 0.8.0.X or earlier is running, we can confirm with a simple data query using API version 0.
- If Kafka version 0.9.0.X is running and does not require authentication, we can also confirm with a simple v0 data query.
I'm not sure if Kafka brokers running version 0.9.0.X that do require authentication will be detected by any of the above methods. It's possible that strategy 3 will still work in this situation, but I was not able to confirm due to the difficulty of setting up a testing environment for an older version.