Pentesting Kafka: Understanding Port 9092

Apache Kafka is a powerful open-source distributed event streaming platform, widely adopted for real-time data processing. In this post, we’ll walk through how to identify Kafka services running on port 9092, interact with them, and assess potential misconfigurations during a penetration test.

Default Port and Fingerprinting

Kafka typically listens on TCP port 9092. You can verify its presence using tools like nmap:

PORT     STATE SERVICE  VERSION  
9092/tcp open  kafka    Apache Kafka

A successful connection may reveal a banner such as:

[2023-11-23 00:00:00,000] INFO Kafka version: 2.8.0 (org.apache.kafka.common.utils.AppInfoParser)

Censys Fingerprints

Platforms like Censys can aid in fingerprinting Kafka services, offering banner information that reveals versions and configurations exposed on the internet.

Interacting with Kafka

Kafka offers several command-line tools for communication:

Console Producer

Publish messages to a topic:

kafka-console-producer.sh --broker-list <Kafka_Broker>:9092 --topic <Topic_Name>

Console Consumer

Read messages from a topic:

kafka-console-consumer.sh --bootstrap-server <Kafka_Broker>:9092 --topic <Topic_Name> --from-beginning

Authentication & Security

Kafka does not require authentication by default. However, it can be configured to use username/password-based mechanisms. Without proper auth, attackers can:

• Enumerate topics
• Send or consume messages
• Create or delete topics

Enumeration & Exploitation Examples

If anonymous access is allowed, the following actions become possible:

List Topics

kafka-topics --list --bootstrap-server <Kafka_Broker>:9092

Create New Topic

kafka-topics --create --topic <New_Topic_Name> --partitions 1 --replication-factor 1 --bootstrap-server <Kafka_Broker>:9092

Describe a Topic

kafka-topics --describe --topic <Topic_Name> --bootstrap-server <Kafka_Broker>:9092

Produce Messages

kafka-console-producer --topic <Topic_Name> --broker-list <Kafka_Broker>:9092

Consume Messages

kafka-console-consumer --topic <Topic_Name> --bootstrap-server <Kafka_Broker>:9092 --from-beginning

List Consumer Groups

kafka-consumer-groups --list --bootstrap-server <Kafka_Broker>:9092

Describe Consumer Group

kafka-consumer-groups --describe --group <Consumer_Group> --bootstrap-server <Kafka_Broker>:9092

Delete a Topic (Use with Caution)

kafka-topics --delete --topic <Topic_Name> --bootstrap-server <Kafka_Broker>:9092

Conclusion

Understanding how Kafka works and how to securely configure it is essential for maintaining a robust infrastructure. Misconfigured Kafka services can expose sensitive data streams or allow unauthorized manipulation of topics and messages. Always ensure authentication is enabled and access is tightly controlled.