ZooKeeper
Default Ports: 2181 (client), 2888 (quorum peer), 3888 (leader election), 8080 (AdminServer HTTP, 3.5+)
Apache ZooKeeper stores coordination data for distributed systems such as Kafka, Hadoop, Solr, and service discovery platforms. In pentests, open ZooKeeper can leak znodes, service metadata, configs, credentials, and cluster topology.
Connect
Using nc
ZooKeeper answers four-letter commands sent as plain text on the client port. On 3.5 and later only srvr is enabled by default; every other command must be listed in 4lw.commands.whitelist, and a refused command returns "<cmd> is not executed because it is not in the whitelist". The AdminServer (port 8080, 3.5+) serves the same data over HTTP at /commands/<name>.
echo ruok | nc target.com 2181
echo stat | nc target.com 2181
echo conf | nc target.com 2181
echo srvr | nc target.com 2181
Using zkCli
zkCli.sh (bin/zkCli.sh in the distribution) is the standard interactive client; a command can also be passed as trailing arguments for one-shot use. /zookeeper/config holds the dynamic quorum membership on 3.5+.
zkCli.sh -server target.com:2181
ls /
get /zookeeper/config
Using zookeeper-shell
Kafka ships bin/zookeeper-shell.sh, a thin wrapper around the same client that also accepts a command as trailing arguments. /brokers/ids is a parent znode with no data of its own, so list it and then get one of its children.
zookeeper-shell target.com:2181
ls /
ls /brokers/ids
get /brokers/ids/0
Recon
Service Detection with Nmap
Scan the client, quorum, election and AdminServer ports.
nmap -p 2181,2888,3888,8080 -sV target.com
nmap -p 2181 --open -sV 10.0.0.0/24
Four-Letter Command Review
Four-letter commands reveal health (ruok), server state and client list (stat, srvr), configuration and on 3.5+ the quorum membership (conf), metrics such as znode, watch and follower counts (mntr), and the JVM environment (envi). Label each reply so the output stays readable.
for cmd in ruok stat conf srvr mntr envi; do echo "== $cmd"; echo "$cmd" | nc target.com 2181; done
Product Context
ZooKeeper is rarely deployed on its own; the root znodes and the ephemeral nodes listed by dump identify the product (/brokers and /controller for Kafka, /live_nodes and /collections for SolrCloud, /hbase for HBase, /hadoop-ha for Hadoop HA). cons lists every connected client with its address, which maps the broker and service hosts.
echo dump | nc target.com 2181
echo cons | nc target.com 2181
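The four-letter review and product-context checks above, as an added example that is not part of the original page or of the ZooKeeper project: a raw-socket client for the commands, a parser that turns the stat/srvr, conf and mntr replies into a dict, and a check for the 3.5+ whitelist refusal. The sample replies are constructed for the example, not captured from a real host; the version string in them is invented.

```python
import socket

# Text ZooKeeper 3.5+ returns for a command absent from 4lw.commands.whitelist
# (only "srvr" is whitelisted out of the box on those versions).
NOT_WHITELISTED = "is not executed because it is not in the whitelist"


def four_letter(host, port, cmd, timeout=5.0):
    """Send one four-letter command over a raw TCP socket and return the reply.
    The server closes the connection after answering, so read until EOF."""
    if len(cmd) != 4:
        raise ValueError("four-letter commands are exactly four characters")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(cmd.encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def is_whitelisted(reply):
    """False when the server refused the command because of the 4lw whitelist."""
    return NOT_WHITELISTED not in reply


def parse_kv(reply):
    """Turn a conf (key=value), mntr (key<TAB>value) or stat/srvr (Key: value)
    reply into a dict. Per-client lines in stat start with '/' and are skipped."""
    out = {}
    for line in reply.splitlines():
        line = line.strip()
        if not line or line.startswith("/"):
            continue
        for sep in ("\t", "=", ": "):
            if sep in line:
                key, value = line.split(sep, 1)
                out[key.strip()] = value.strip()
                break
    return out


def probe(host, port, cmds=("ruok", "srvr", "stat", "conf", "mntr", "envi")):
    """Run each command once; map name -> parsed dict (raw text for one-word
    replies such as imok), or None when the server refused it."""
    results = {}
    for cmd in cmds:
        reply = four_letter(host, port, cmd)
        if not is_whitelisted(reply):
            results[cmd] = None
        else:
            results[cmd] = parse_kv(reply) or {"raw": reply.strip()}
    return results


# Constructed sample replies (not captured from a real ensemble) so the parsers
# can be exercised without a listener.
SAMPLE_STAT = """Zookeeper version: 3.8.0-abcdef, built on 2022-02-25 08:49 UTC
Clients:
 /10.0.0.5:51234[1](queued=0,recved=12,sent=12)
 /10.0.0.9:40112[0](queued=0,recved=1,sent=0)

Latency min/avg/max: 0/0.5/7
Received: 1340
Sent: 1339
Connections: 2
Outstanding: 0
Zxid: 0x1a3
Mode: leader
Node count: 57
"""
SAMPLE_REFUSED = "stat is not executed because it is not in the whitelist.\n"
SAMPLE_CONF = "clientPort=2181\ndataDir=/var/lib/zookeeper/version-2\nserverId=1\n"

if __name__ == "__main__":
    import sys
    host, port = (sys.argv[1], int(sys.argv[2])) if len(sys.argv) > 2 else ("127.0.0.1", 2181)
    for cmd, parsed in probe(host, port).items():
        print(cmd, "refused (whitelist)" if parsed is None else parsed)
```

Run it as `python3 zk4lw.py target.com 2181`; a None entry for a command means the whitelist is in place, which is itself a finding worth noting (the ensemble is hardened, or at least that part of it is).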
Enumeration
Znode Enumeration
List znodes to map applications and service metadata.
zkCli.sh -server target.com:2181
ls /
ls /brokers
ls /config
Kafka Metadata
Kafka deployments store broker and topic metadata in ZooKeeper.
zookeeper-shell target.com:2181 ls /brokers/ids
zookeeper-shell target.com:2181 get /brokers/ids/0
zookeeper-shell target.com:2181 ls /brokers/topics
ACL Enumeration
ZooKeeper does not authenticate clients by default and creates znodes with world:anyone:cdrwa unless the application sets an ACL (Kafka only does so with zookeeper.set.acl=true). getAcl prints one 'scheme,'id line followed by a : perms line per entry, where c=create, d=delete, r=read, w=write and a=admin; world:anyone with anything beyond r means any client can change the node.
zkCli.sh -server target.com:2181
getAcl /
getAcl /brokers
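A parser for getAcl output and a classifier for the open/read-only/restricted cases, as an added example and not code from the original page or from ZooKeeper. It assumes zkCli.sh on PATH and the two-line-per-entry output format shown above; the sample ACL texts are constructed for the example.

```python
import re
import subprocess

ZKCLI = "zkCli.sh"  # assumed on PATH; use the full path to bin/zkCli.sh otherwise

# zkCli prints each ACL entry as "'<scheme>,'<id>" followed by ": <perms>"
ENTRY_RE = re.compile(r"^'([^,]+),'(.*)$")


def getacl_via_zkcli(server, path):
    """Run `zkCli.sh -server <server> getAcl <path>` and return its stdout."""
    proc = subprocess.run([ZKCLI, "-server", server, "getAcl", path],
                          capture_output=True, text=True, timeout=60)
    return proc.stdout


def parse_acl(text):
    """getAcl output -> [{'scheme', 'id', 'perms'}]; log lines are ignored because
    they neither start with a quote nor with ':'."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            current = {"scheme": m.group(1), "id": m.group(2), "perms": set()}
            entries.append(current)
        elif line.startswith(":") and current is not None:
            current["perms"] = set(line[1:].strip())
    return entries


def world_perms(entries):
    """Permissions granted to every client, i.e. to world:anyone."""
    perms = set()
    for e in entries:
        if e["scheme"] == "world" and e["id"] == "anyone":
            perms |= e["perms"]
    return perms


def classify(entries):
    """open-write: anyone can create/delete/set data/change ACLs;
    open-read: anyone can read but not modify; restricted: no anonymous access."""
    w = world_perms(entries)
    if w & set("cdwa"):
        return "open-write"
    if "r" in w:
        return "open-read"
    return "restricted"


# Constructed getAcl outputs for the example (not captured from a live ensemble):
# the ZooKeeper default, and the shape Kafka produces with zookeeper.set.acl=true.
SAMPLE_OPEN = "'world,'anyone\n: cdrwa\n"
SAMPLE_KAFKA_SECURE = "'world,'anyone\n: r\n'sasl,'kafka\n: cdrwa\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2:
        for path in sys.argv[2:]:
            acl = parse_acl(getacl_via_zkcli(sys.argv[1], path))
            print(path, classify(acl), acl)
    else:
        print("open sample:", classify(parse_acl(SAMPLE_OPEN)))
        print("kafka secure sample:", classify(parse_acl(SAMPLE_KAFKA_SECURE)))
```

Usage: `python3 zkacl.py target.com:2181 / /brokers /config/users`. Check the sensitive paths individually; Kafka leaves most znodes world-readable even in secure mode, so a restricted /config/users next to an open-read /brokers is the expected secured layout, not a misconfiguration.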
Config Enumeration
Config znodes are application-specific (Kafka keeps topic, client and user settings under /config/topics, /config/clients and /config/users); walk whatever ls /config returns and look for endpoints, credentials and service names. The /config/application path below is illustrative.
zkCli.sh -server target.com:2181
ls /config
get /config/application
Attack Vectors
Unauthenticated Access
Open client access may expose all znodes.
zkCli.sh -server target.com:2181
ls /
get /some/znode
Sensitive Znode Data
zkCli has no recursive dump, so walk the tree with ls/get, redirect the output to a file, and grep the export for secrets.
grep -Ei 'password|secret|token|apikey|jdbc|ldap|kafka|broker' zookeeper-dump.txt
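A recursive walker plus secret scanner covering the znode enumeration, unauthenticated-access and sensitive-data steps above, as an added example that is not the page's or ZooKeeper's own code. It drives zkCli.sh through subprocess (assumed on PATH, ZooKeeper 3.5+ output where the last stdout line is the ls list or the raw data, and single-line znode data), caps the number of nodes read, and redacts credential values so the finding can go into a report without copying the secret. The tree and data it runs against offline are constructed for the example.

```python
import re
import subprocess

ZKCLI = "zkCli.sh"  # assumed to be on PATH (use the full path to bin/zkCli.sh otherwise)


def run_zkcli(server, op, path):
    """Run one non-interactive zkCli.sh command (e.g. 'ls /brokers') and return the
    last non-empty stdout line. On ZooKeeper 3.5+ that is the [child, ...] list for
    ls or the raw data for get; assumes single-line znode data."""
    proc = subprocess.run([ZKCLI, "-server", server, op, path],
                          capture_output=True, text=True, timeout=60)
    lines = [l for l in proc.stdout.splitlines() if l.strip()]
    return lines[-1].strip() if lines else ""


def parse_children(line):
    """'[brokers, config, zookeeper]' -> ['brokers', 'config', 'zookeeper']; '[]' -> []."""
    line = line.strip()
    if not (line.startswith("[") and line.endswith("]")):
        raise ValueError(f"not an ls result: {line!r}")
    body = line[1:-1].strip()
    return [c.strip() for c in body.split(",")] if body else []


def walk(server, root="/", run=run_zkcli, limit=5000):
    """Depth-first dump of the tree under root into {path: data}. `limit` caps
    the number of znodes read so a huge tree cannot run away."""
    dump = {}
    stack = [root]
    while stack and len(dump) < limit:
        path = stack.pop()
        dump[path] = run(server, "get", path)
        for child in parse_children(run(server, "ls", path)):
            stack.append(path.rstrip("/") + "/" + child)
    return dump


# Paths or data worth a second look, and the key=value / "key":"value" shapes to mask.
SECRET_RE = re.compile(r"(?i)password|passwd|secret|token|api[_-]?key|jdbc:|sasl|ldap")
VALUE_RE = re.compile(r"(?i)((?:password|passwd|secret|token|api[_-]?key)\s*[\"']?\s*[:=]\s*[\"']?)([^\"'\s,;&]+)")


def redact(data, keep=2):
    """Mask credential values, keeping a short prefix so the finding stays verifiable."""
    return VALUE_RE.sub(lambda m: m.group(1) + m.group(2)[:keep] + "***", data)


def scan_for_secrets(dump):
    """Return [(path, redacted_data)] for znodes whose path or data looks credential-bearing."""
    return [(p, redact(d)) for p, d in sorted(dump.items())
            if d and d != "null" and SECRET_RE.search(p + " " + d)]


# Constructed tree standing in for a live ensemble so the walker and the scanner
# can run offline; names and data are invented for this example.
FAKE_TREE = {
    "/": ["brokers", "config", "zookeeper"],
    "/brokers": ["ids"], "/brokers/ids": ["0"], "/brokers/ids/0": [],
    "/config": ["db"], "/config/db": [], "/zookeeper": [],
}
FAKE_DATA = {
    "/brokers/ids/0": '{"host":"kafka1","endpoints":["PLAINTEXT://kafka1:9092"]}',
    "/config/db": "jdbc:postgresql://db:5432/app?user=app&password=Hunter2!",
}


def fake_run(server, op, path):
    """Stand-in for run_zkcli that answers from the constructed tree."""
    if op == "ls":
        return "[" + ", ".join(FAKE_TREE[path]) + "]"
    return FAKE_DATA.get(path, "null")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    dump = walk(target) if target else walk("fake:2181", run=fake_run)
    for path, snippet in scan_for_secrets(dump):
        print(path, snippet)
```

Usage: `python3 zkdump.py target.com:2181` walks the live ensemble; with no argument it runs against the constructed tree. Spawning one zkCli JVM per znode is slow on large trees, which is why the limit exists; for a full export, a native client library is the better tool, but the parsing and redaction logic stays the same.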
Znode Modification
Write access lets an attacker alter or delete the metadata that dependent services trust (broker registrations, controller election, topic and quota configs). Prove it with a uniquely named test znode under a path no application uses, then remove it; never modify application znodes. create -e makes the test node ephemeral so it disappears with the session even if cleanup fails.
zkCli.sh -server target.com:2181
create /pentest-test "authorized-test"
delete /pentest-test
Unsafe Four-Letter Commands
envi prints the JVM and OS versions, the service account (user.name) and filesystem paths; cons lists every client address and session; dump lists sessions together with their ephemeral znode paths. All three belong behind 4lw.commands.whitelist.
echo envi | nc target.com 2181
echo cons | nc target.com 2181
echo dump | nc target.com 2181
Post-Exploitation
Cluster Mapping
Use ZooKeeper data to map brokers, services, and hosts.
echo conf | nc target.com 2181 > zookeeper-conf.txt
zookeeper-shell target.com:2181 ls /brokers/ids > kafka-brokers.txt
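Turning the saved conf reply and Kafka broker registrations into a host inventory, as an added example that is not code from the original page or from either project. It assumes the 3.5+ conf format with server.<id>=host:quorum:election[:role][;addr:clientport] membership lines and the JSON that Kafka writes to /brokers/ids/<n>; the sample conf and broker record are constructed for the example, with invented hostnames.

```python
import json
import re

# 3.5+ "conf" membership line: server.<id>=<host>:<quorum>:<election>[:<role>][;[<addr>:]<clientport>]
SERVER_RE = re.compile(
    r"^server\.(\d+)=([^:;]+):(\d+):(\d+)(?::(participant|observer))?(?:;(?:([^:]*):)?(\d+))?$")


def parse_quorum(conf_text):
    """Quorum peers from a conf reply; non-membership lines are ignored."""
    peers = []
    for raw in conf_text.splitlines():
        m = SERVER_RE.match(raw.strip())
        if not m:
            continue
        sid, host, qport, eport, role, _caddr, cport = m.groups()
        peers.append({"id": int(sid), "host": host, "quorum_port": int(qport),
                      "election_port": int(eport), "role": role or "participant",
                      "client_port": int(cport) if cport else None})
    return peers


def parse_broker(broker_json):
    """Kafka broker registration (/brokers/ids/<n>) -> list of listeners. The scheme
    of each endpoint is the listener name; listener_security_protocol_map says what
    protocol it really speaks. Older registrations only carry host/port."""
    reg = json.loads(broker_json)
    proto_map = reg.get("listener_security_protocol_map", {})
    listeners = []
    for ep in reg.get("endpoints", []):
        name, _, hostport = ep.partition("://")
        host, _, port = hostport.rpartition(":")
        listeners.append({"listener": name, "host": host, "port": int(port),
                          "protocol": proto_map.get(name, name)})
    if not listeners and reg.get("host"):
        listeners.append({"listener": "PLAINTEXT", "host": reg["host"],
                          "port": int(reg.get("port", 9092)), "protocol": "PLAINTEXT"})
    return listeners


def inventory(conf_text, broker_jsons):
    """Merge quorum peers and Kafka listeners into sorted (service, host, port) rows."""
    rows = set()
    for p in parse_quorum(conf_text):
        rows.add(("zookeeper-quorum", p["host"], p["quorum_port"]))
        rows.add(("zookeeper-election", p["host"], p["election_port"]))
        if p["client_port"]:
            rows.add(("zookeeper-client", p["host"], p["client_port"]))
    for bj in broker_jsons:
        for l in parse_broker(bj):
            rows.add((f"kafka-{l['protocol']}", l["host"], l["port"]))
    return sorted(rows)


# Constructed inputs for the example (not captured from a real cluster).
SAMPLE_CONF = """clientPort=2181
dataDir=/var/lib/zookeeper/version-2
serverId=1
membership: 
server.1=zk1.internal:2888:3888:participant;0.0.0.0:2181
server.2=zk2.internal:2888:3888:participant;0.0.0.0:2181
server.3=zk3.internal:2888:3888:observer;0.0.0.0:2181
version=100000000
"""
SAMPLE_BROKER = ('{"listener_security_protocol_map":{"INTERNAL":"SASL_SSL","EXTERNAL":"SASL_SSL"},'
                 '"endpoints":["INTERNAL://kafka1.internal:9093","EXTERNAL://kafka1.example.com:9094"],'
                 '"jmx_port":-1,"host":"kafka1.internal","port":9093,"version":4}')

if __name__ == "__main__":
    import sys
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    brokers = [open(f).read() for f in sys.argv[2:]] or [SAMPLE_BROKER]
    for service, host, port in inventory(conf, brokers):
        print(f"{service:22} {host}:{port}")
```

Usage: `python3 zkmap.py zookeeper-conf.txt broker-0.json broker-1.json`, where each broker file holds the output of `get /brokers/ids/<n>`. The protocol column is the useful part: a PLAINTEXT listener on a routable host is a separate finding from the ZooKeeper exposure itself.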
Secret Review
Review only exported metadata needed for proof.
grep -Ei 'password|secret|token|apikey|connection|jdbc|sasl' zookeeper-dump.txt
Evidence Collection
Collect health, config, ACL, and sample znode evidence.
echo stat | nc target.com 2181 > zookeeper-stat.txt
echo conf | nc target.com 2181 > zookeeper-conf.txt
Useful Tools
| Tool | Purpose |
|---|---|
| nc | Four-letter commands |
| zkCli.sh | Native client |
| zookeeper-shell | Kafka ZooKeeper client |
| nmap | Service detection |
| grep | Secret review |
Security Misconfigurations
| Misconfiguration | Risk |
|---|---|
| Unauthenticated client access | Znode data disclosure |
| Weak ACLs | Znode modification |
| Four-letter commands exposed | Cluster metadata leakage |
| ZooKeeper reachable from user networks | Service discovery exposure |
| Secrets stored in znodes | Credential leakage |
| Quorum ports exposed broadly | Cluster attack surface |