Cassandra - Port 9042, 9160

Basic info

What is Apache Cassandra?

Apache Cassandra is a distributed NoSQL database that provides:

  • Linear scalability - Add nodes without downtime

  • High availability - No single point of failure

  • Multi-datacenter replication - Geographic distribution

  • Eventual consistency - Tunable consistency levels

  • Column-family data model - Wide-row storage

  • CQL (Cassandra Query Language) - SQL-like syntax

Use Cases

Real-World Deployments:

  • Netflix - Streaming platform backend

  • Apple - iCloud infrastructure

  • Instagram - User data and feeds

  • Uber - Trip data storage

  • Discord - Chat message storage

  • eBay - Product catalog

Common Applications:

  • Time-series data (IoT sensors, logs)

  • Real-time analytics

  • Product catalogs

  • Social media platforms

  • Gaming leaderboards

  • Financial transactions

Architecture Overview

Key Concepts:

Ring Topology:

  • Nodes arranged in circular ring

  • No master node (peer-to-peer)

  • Data distributed via consistent hashing

Replication:

  • Data replicated across multiple nodes

  • Configurable replication factor (RF)

  • Different strategies (SimpleStrategy, NetworkTopologyStrategy)

Consistency Levels:

  • ONE - One replica responds

  • QUORUM - Majority of replicas

  • ALL - All replicas respond

  • LOCAL_QUORUM - Majority in local DC

Data Model

Terminology:

  • Keyspace - Similar to database/schema

  • Column Family - Similar to table

  • Partition Key - Determines data distribution

  • Clustering Key - Determines sort order within partition

  • Column - Name-value pair with timestamp

Default Ports

Port 9042 - Native Protocol (CQL)

  • Binary protocol

  • Used by modern clients

  • CQL queries

  • Cassandra 1.2+

Port 9160 - Thrift Protocol (Legacy)

  • RPC protocol

  • Deprecated but still found

  • Older Cassandra versions

  • Legacy applications

Additional Ports:

  • 7000 - Inter-node communication (gossip)

  • 7001 - SSL inter-node communication

  • 7199 - JMX monitoring

  • 8888 - OpsCenter (if installed)

  • 9142 - Native protocol with SSL

Reconnaissance & Enumeration

Port Scanning

Basic Nmap Scan

Sample Output:

Service Fingerprinting

Using Nmap Scripts

Banner Grabbing

Version Detection via CQL

Shodan Queries

Authentication Testing

Check Authentication Requirements

Test Unauthenticated Access

Common Scenarios:

  1. No authentication configured (default in many deployments)

  2. Default credentials (cassandra/cassandra)

  3. Weak passwords

  4. Authentication enabled but misconfigured

Default Credentials

Standard Default Credentials:

Testing Default Credentials:

Brute Force Authentication

Using Hydra

Using Nmap

Custom Python Script

Exploitation & Enumeration

Connect to Cassandra

Using cqlsh (Primary Tool)

Using Python Driver

Cluster Information Enumeration

Basic Cluster Info

Node Information

System Information

Keyspace Enumeration

List All Keyspaces

Describe Keyspace

Keyspace Details

Table Enumeration

List Tables

Describe Table

Table Statistics

User & Role Enumeration

List All Users/Roles

Check Current User

Role Permissions

Data Exfiltration

Dump Sensitive Tables

Extract Password Hashes

Search for Sensitive Data

Export Data

Using cqlsh COPY Command

Using DESCRIBE to Export Schema

Automated Dump Script

Advanced Exploitation

CQL Injection

Vulnerable Code Example:

Exploitation:

Time-Based Blind Injection:

Prevention:

User Defined Functions (UDF) Exploitation

Concept: Cassandra supports UDFs in Java/JavaScript

Create Malicious UDF (Requires CREATE permission):

JavaScript UDF:

Limitations:

  • Requires CREATE FUNCTION permission

  • UDFs often disabled (enable_user_defined_functions: false)

  • Sandboxed by default

  • May require superuser privileges

JMX Exploitation (Port 7199)

If JMX Exposed (Common Misconfiguration):

JMX RCE (If Unauthenticated):

Post-Exploitation

Privilege Escalation

Create Superuser Account

Modify Existing User

Create Role for Persistence

Persistence Mechanisms

Backdoor User:

UDF Backdoor:

Data Modification for Persistence:

Lateral Movement

Extract Connection Information:

Harvest Credentials:

Network Topology Discovery:

Defense & Hardening

Enable Authentication

cassandra.yaml Configuration:

Set Strong Passwords:

Role-Based Access Control:

Network Security

Bind to Specific Interface:

Firewall Rules:

Enable SSL/TLS:

Disable Dangerous Features

Disable UDFs:

Secure JMX:

Disable Thrift (If Not Needed):
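The settings named across the Defense & Hardening section (PasswordAuthenticator, CassandraAuthorizer, UDFs, Thrift, SSL/TLS, interface binding) can be checked in one pass over cassandra.yaml. The script below is an added example, not code from the original page; it reads a constructed sample file with a tiny parser of its own rather than PyYAML, and the finding texts are this editor's wording.

```python
# Audit a cassandra.yaml for the weak settings this page warns about.
# Added example, not code from the original page. It reads only flat keys and
# one level of indented sub-keys, so it runs without PyYAML.

# Constructed sample that mirrors a stock, unhardened cassandra.yaml.
WEAK_YAML = """\
authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer
rpc_address: 0.0.0.0
start_rpc: true
enable_user_defined_functions: true
client_encryption_options:
  enabled: false
server_encryption_options:
  internode_encryption: none
"""

def parse_yaml_subset(text):
    """Parse 'key: value' lines plus one level of indented sub-keys."""
    cfg, block = {}, None  # block: top-level key whose sub-keys follow
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip().strip("'\"")
        if raw[0] in " \t" and block is not None:
            cfg[block][key] = value
        elif value == "":  # bare 'key:' opens an indented block
            block, cfg[key] = key, {}
        else:
            block, cfg[key] = None, value
    return cfg

def sub(cfg, key, subkey):
    parent = cfg.get(key)  # tolerate a missing or scalar parent
    return parent.get(subkey) if isinstance(parent, dict) else None

def audit(cfg):
    """Return one finding per weak setting; an empty list means hardened."""
    checks = [
        (cfg.get("authenticator") != "PasswordAuthenticator", "authenticator: set PasswordAuthenticator, logins are not required"),
        (cfg.get("authorizer") != "CassandraAuthorizer", "authorizer: set CassandraAuthorizer, no RBAC is enforced"),
        (cfg.get("rpc_address") in ("0.0.0.0", "::"), "rpc_address: binds every interface, use one internal address"),
        (cfg.get("start_rpc") == "true", "start_rpc: legacy Thrift on 9160 is enabled, set false"),
        (cfg.get("enable_user_defined_functions") == "true", "enable_user_defined_functions: set false unless UDFs are needed"),
        (sub(cfg, "client_encryption_options", "enabled") != "true", "client_encryption_options.enabled: client traffic on 9042 is in the clear"),
        (sub(cfg, "server_encryption_options", "internode_encryption") in (None, "none"), "server_encryption_options.internode_encryption: gossip on 7000 is in the clear"),
    ]
    return [message for failed, message in checks if failed]
```

Run `audit(parse_yaml_subset(open("/etc/cassandra/cassandra.yaml").read()))` against a real node; every line returned maps to one hardening item above.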

Monitoring & Detection

Enable Audit Logging:

Monitor Logs:

Intrusion Detection:

Connection Monitoring:
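For the Monitor Logs and Intrusion Detection items above, the following is an added example (not from the original page) of the detection logic a defender would run over Cassandra audit log lines: repeated failed logins from one source, a success following those failures, reads of system_auth, and role changes that grant SUPERUSER. The log lines are constructed for illustration and the thresholds and alert wording are this editor's choices.

```python
# Flag suspicious activity in Cassandra audit log lines.
# Added example, not from the original page. Lines follow the pipe-separated
# key:value layout of Cassandra's file audit logger; every line below is
# constructed for illustration, not captured from a real cluster.
from collections import Counter

SAMPLE_LOG = """\
user:cassandra|host:10.0.0.5:7000|source:/203.0.113.7|port:50120|timestamp:1700000001000|type:LOGIN_ERROR|category:AUTH|operation:LOGIN FAILURE
user:cassandra|host:10.0.0.5:7000|source:/203.0.113.7|port:50121|timestamp:1700000002000|type:LOGIN_ERROR|category:AUTH|operation:LOGIN FAILURE
user:cassandra|host:10.0.0.5:7000|source:/203.0.113.7|port:50122|timestamp:1700000003000|type:LOGIN_ERROR|category:AUTH|operation:LOGIN FAILURE
user:cassandra|host:10.0.0.5:7000|source:/203.0.113.7|port:50123|timestamp:1700000004000|type:LOGIN_SUCCESS|category:AUTH|operation:LOGIN SUCCESSFUL
user:cassandra|host:10.0.0.5:7000|source:/203.0.113.7|port:50123|timestamp:1700000005000|type:SELECT|category:QUERY|ks:system_auth|scope:roles|operation:SELECT * FROM system_auth.roles;
user:cassandra|host:10.0.0.5:7000|source:/203.0.113.7|port:50123|timestamp:1700000006000|type:CREATE_ROLE|category:DCL|ks:|scope:backdoor|operation:CREATE ROLE backdoor WITH PASSWORD = '***' AND SUPERUSER = true AND LOGIN = true;
user:app|host:10.0.0.5:7000|source:/10.0.0.20|port:41000|timestamp:1700000007000|type:SELECT|category:QUERY|ks:shop|scope:orders|operation:SELECT * FROM shop.orders WHERE id = 42;
"""

FAIL_THRESHOLD = 3
ROLE_CHANGES = {"CREATE_ROLE", "ALTER_ROLE", "GRANT", "CREATE_FUNCTION"}

def parse_entry(line):
    """Split one audit line into fields; 'operation' keeps any '|' inside it."""
    head, _, operation = line.partition("|operation:")
    entry = dict(field.partition(":")[::2] for field in head.split("|"))
    entry["operation"] = operation
    return entry

def detect(log_text):
    """Return alert strings for brute force, credential reads and role changes."""
    alerts, failures = [], Counter()
    for line in filter(None, log_text.splitlines()):
        e = parse_entry(line)
        src, typ = e.get("source", "?"), e.get("type", "")
        if typ == "LOGIN_ERROR":
            failures[src] += 1
            if failures[src] == FAIL_THRESHOLD:
                alerts.append(f"{src}: {FAIL_THRESHOLD} failed logins as '{e.get('user')}' (possible brute force)")
        elif typ == "LOGIN_SUCCESS" and failures[src]:
            alerts.append(f"{src}: login succeeded after {failures[src]} failures")
        elif e.get("ks") == "system_auth":  # where role names and password hashes live
            alerts.append(f"{src}: read of system_auth.{e.get('scope')} by '{e.get('user')}'")
        elif typ in ROLE_CHANGES:
            flag = " granting SUPERUSER" if "SUPERUSER = TRUE" in e["operation"].upper() else ""
            alerts.append(f"{src}: {typ}{flag}: {e['operation'][:60]}")
    return alerts
```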

Regular Security Practices

Tools & Scripts

Essential Tools

  1. cqlsh - Official CQL shell

  2. nodetool - Cluster management utility

  3. cassandra-driver - Python driver

  4. DataStax DevCenter - GUI client (deprecated)

  5. DBeaver - Universal database tool (supports Cassandra)

Python Enumeration Script

Cheat Sheet

Quick Reference

Important Files

Default Credentials

Key System Tables

Conclusion

Apache Cassandra, while designed for scalability and high availability, introduces significant security risks when deployed with default configurations or insufficient hardening. The combination of often-disabled authentication, powerful query capabilities, and cluster-wide access makes misconfigured Cassandra instances high-value targets.

Key Takeaways:

  1. Enable authentication - Never run without PasswordAuthenticator

  2. Change default credentials - cassandra:cassandra is widely known

  3. Enable authorization - Use CassandraAuthorizer for RBAC

  4. Network segmentation - Restrict access via firewall

  5. Disable unnecessary features - UDFs, Thrift, unsecured JMX

  6. Enable SSL/TLS - Encrypt client and inter-node communication

  7. Monitor actively - Enable audit logging and IDS

  8. Regular security audits - Review users, permissions, logs

  9. Keep updated - Apply security patches promptly

  10. Defense in depth - Multiple security layers

Attack Vectors:

  • No authentication (common default)

  • Default credentials

  • Weak passwords

  • Information disclosure (cluster topology)

  • Data exfiltration (sensitive tables)

  • UDF exploitation (if enabled)

  • JMX exploitation (if exposed)

  • Privilege escalation

  • CQL injection (application-level)

Remember to only perform these techniques during authorized security assessments. Unauthorized access is illegal and unethical.

Additional Resources
