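Cracking ES 7.3.0 to Platinum (for learning and exchange only)
Install ELK 7.3 on the server as normal
Deploy ELK 7 on the server as normal, but do not start it yet. Then begin the cracking procedure.
Performing the crack
File to be cracked: modules/x-pack-core/x-pack-core-7.3.0.jar
Tools for decompiling the jar: IDEA or Luyten
Since 6.0, x-pack has been built into Elasticsearch; it only needs to be enabled in the configuration to be used (30-day trial period).
If you use Luyten on a Mac, JDK 8 must be installed; with other versions it may fail to open.
x-pack source files that need to be modified
x-pack's license validation is mainly in these two files:
- Verifies whether the license is valid:
org.elasticsearch.license.LicenseVerifier
- Verifies whether the jar has been modified:
org.elasticsearch.xpack.core.XPackBuild
First open the jar with Luyten, find the two files LicenseVerifier.class and XPackBuild.class, and save them with the suffix changed to .java (LicenseVerifier.java and XPackBuild.java).
Modify LicenseVerifier.java
Directly modify the two static methods so that they return true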
package org.elasticsearch.license;
import java.nio.*;
import org.elasticsearch.common.bytes.*;
import java.security.*;
import java.util.*;
import org.elasticsearch.common.xcontent.*;
import org.apache.lucene.util.*;
import org.elasticsearch.core.internal.io.*;
import java.io.*;
public class LicenseVerifier
{
public static boolean verifyLicense(final License license, final byte[] publicKeyData) {
return true;
}
public static boolean verifyLicense(final License license) {
return true;
}
}
Modify XPackBuild.java
In the last static block, delete the entire try part
package org.elasticsearch.xpack.core;
import org.elasticsearch.common.io.*;
import java.net.*;
import org.elasticsearch.common.*;
import java.nio.file.*;
import java.io.*;
import java.util.jar.*;
public class XPackBuild
{
public static final XPackBuild CURRENT;
private String shortHash;
private String date;
@SuppressForbidden(reason = "looks up path of xpack.jar directly")
static Path getElasticsearchCodebase() {
final URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
try {
return PathUtils.get(url.toURI());
}
catch (URISyntaxException bogus) {
throw new RuntimeException(bogus);
}
}
XPackBuild(final String shortHash, final String date) {
this.shortHash = shortHash;
this.date = date;
}
public String shortHash() {
return this.shortHash;
}
public String date() {
return this.date;
}
static {
final Path path = getElasticsearchCodebase();
String shortHash = null;
String date = null;
Label_0109: {
// if (path.toString().endsWith(".jar")) {
// try {
// final JarInputStream jar = new JarInputStream(Files.newInputStream(path, new OpenOption[0]));
// try {
// final Manifest manifest = jar.getManifest();
// shortHash = manifest.getMainAttributes().getValue("Change");
// date = manifest.getMainAttributes().getValue("Build-Date");
// jar.close();
// }
// catch (Throwable t) {
// try {
// jar.close();
// }
// catch (Throwable t2) {
// t.addSuppressed(t2);
// }
// throw t;
// }
// break Label_0109;
// }
// catch (IOException e) {
// throw new RuntimeException(e);
// }
// }
shortHash = "Unknown";
date = "Unknown";
}
CURRENT = new XPackBuild(shortHash, date);
}
}
Recompile to generate the .class files
ES_home_dir='/data/local/elasticsearch'
cd ${ES_home_dir}/modules/x-pack-core
# Back up the file
cp x-pack-core-7.3.0.jar x-pack-core-7.3.0.jar_bak
# Copy the jar to /opt, where the files will be replaced
cp x-pack-core-7.3.0.jar /opt/
# Generate the LicenseVerifier.class file
javac -cp "${ES_home_dir}/lib/elasticsearch-7.3.0.jar:${ES_home_dir}/lib/lucene-core-8.1.0.jar:${ES_home_dir}/modules/x-pack-core/x-pack-core-7.3.0.jar:${ES_home_dir}/modules/x-pack-core/netty-common-4.1.36.Final.jar:${ES_home_dir}/lib/elasticsearch-core-7.3.0.jar" /root/LicenseVerifier.java
# Generate the XPackBuild.class file
javac -cp "${ES_home_dir}/lib/elasticsearch-7.3.0.jar:${ES_home_dir}/lib/lucene-core-8.1.0.jar:${ES_home_dir}/modules/x-pack-core/x-pack-core-7.3.0.jar:${ES_home_dir}/lib/elasticsearch-core-7.3.0.jar" /root/XPackBuild.java
# After a successful compile the class files can be seen under /root; this depends on where your .java files are
ll /root/*.class
-rw-r--r--. 1 root root 410 Sep 27 09:58 /root/LicenseVerifier.class
-rw-r--r--. 1 root root 1512 Sep 27 10:01 /root/XPackBuild.class
Replace the .class files and replace the jar
Upload the two modified files to the ES server and replace the original files inside x-pack-core-7.3.0.jar
cd /opt
# Check where the two files are located inside the jar
jar -tvf x-pack-core-7.3.0.jar | grep LicenseVerifier
4786 Wed Jul 24 18:31:58 UTC 2019 org/elasticsearch/license/LicenseVerifier.class
jar -tvf x-pack-core-7.3.0.jar | grep XPackBuild
2893 Wed Jul 24 18:31:58 UTC 2019 org/elasticsearch/xpack/core/XPackBuild.class
# Unpack the jar
jar -xvf x-pack-core-7.3.0.jar
rm -f x-pack-core-7.3.0.jar
# Replace the classes
cp /root/LicenseVerifier.class org/elasticsearch/license/
cp /root/XPackBuild.class org/elasticsearch/xpack/core/
# Repack into a jar
jar cvf x-pack-core-7.3.0.jar .
cp x-pack-core-7.3.0.jar ${ES_home_dir}/modules/x-pack-core/
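Note: check that the owner and group of the replaced jar are still the user that starts elasticsearch. Normally they do not change, but it is best to confirm.
If ELK is deployed as a cluster, this file must be replaced on every ES server. Simply cp it over the existing one.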
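Seen from the defender's side, the class replacement described above is detectable by comparing the deployed x-pack-core jar entry by entry against a copy taken from an official distribution. The following is an added example, not part of the original post: the function names are hypothetical, and the two jars are constructed in memory using the class sizes shown in the listings above (4786/2893 bytes original, 410/1512 bytes replaced).

```python
import hashlib
import io
import zipfile

# The two classes the page names as the license checks in x-pack-core.
WATCHED = (
    "org/elasticsearch/license/LicenseVerifier.class",
    "org/elasticsearch/xpack/core/XPackBuild.class",
)

def entry_digests(jar_bytes):
    """Map each file entry to (size, sha256) of its uncompressed bytes."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if not info.is_dir():
                data = jar.read(info)
                out[info.filename] = (len(data), hashlib.sha256(data).hexdigest())
    return out

def audit(reference_jar, deployed_jar):
    """Compare a deployed jar with a trusted reference; return findings."""
    ref, dep = entry_digests(reference_jar), entry_digests(deployed_jar)
    findings = []
    for name in sorted(set(ref) | set(dep)):
        sev = "CRITICAL" if name in WATCHED else "WARN"
        if name not in dep:
            findings.append((sev, name, "missing from deployed jar"))
        elif name not in ref:
            findings.append((sev, name, "not present in reference jar"))
        elif ref[name][1] != dep[name][1]:
            detail = f"content differs: {ref[name][0]} -> {dep[name][0]} bytes"
            findings.append((sev, name, detail))
    return findings

def make_jar(entries):
    """Build a jar (zip) in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: filler bytes with the sizes from the page's listings.
BASE = {WATCHED[0]: b"A" * 4786, WATCHED[1]: b"B" * 2893,
        "org/elasticsearch/license/License.class": b"C" * 100}
REFERENCE = make_jar(BASE)
TAMPERED = make_jar({**BASE, WATCHED[0]: b"x" * 410, WATCHED[1]: b"y" * 1512})

if __name__ == "__main__":
    for finding in audit(REFERENCE, TAMPERED):
        print(*finding)
```

In a real audit the reference bytes would be read from a jar extracted from a download whose published checksum has been verified, and the check would run on every node, since the jar is copied to each one.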
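Applying for a License
After completing the jar modification above, go to the official ES website and apply for a License (application link). After registering you will be given a License in JSON format. You can manually edit type, expiry_date_in_millis and max_nodes, changing them to platinum (Platinum), 2524579200999 (expiry time) and 1000 (maximum number of nodes) respectively.
There are three classes of license: GOLD, PLATINUM and ENTERPRISE. Platinum allows all x-pack features to be used.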
{
"license": {
"uid": "40d50156-1e84-41c0-ab11-f72d3135c03b",
"type": "platinum",
"issue_date_in_millis": 1601164800000,
"expiry_date_in_millis": 2524579200999,
"max_nodes": 1000,
"issued_to": "kaku moe (Neo)",
"issuer": "Web Form",
"signature": "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",
"start_date_in_millis": 1601164800000
}
}
Save the file as license.json
Import the License
- First, edit config/elasticsearch.yml, disable xpack.security at the end of the file, and start ES
vim config/elasticsearch.yml
...
# Xpack's security certification
xpack.security.enabled: false
xpack.security.transport.ssl.enabled: false
su elk
bin/elasticsearch -d
- Import the License
curl -XPUT -u elastic 'http://172.60.254.11:9200/_xpack/license' -H "Content-Type: application/json" -d @license.json
# You will be prompted for the elastic account's password here; just press Enter
Enter host password for user 'elastic':
{"acknowledged":true,"license_status":"valid"}
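Enable Xpack
Create the accounts and passwords for the ES cluster
After the License has been imported successfully, edit the elasticsearch.yml configuration file and turn xpack security authentication back on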
vim config/elasticsearch.yml
...
# Xpack's security certification
xpack.security.enabled: true
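If no passwords have been generated, the elastic password can be generated with the commands below
# To reset the passwords, set them manually
./bin/elasticsearch-setup-passwords interactive
# Generate the passwords automatically:
./bin/elasticsearch-setup-passwords auto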
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y
Changed password for user apm_system
PASSWORD apm_system = tRIKSfXsTTtkg48nDUIz
Changed password for user kibana
PASSWORD kibana = 0tVqPYiYfJDEmB06fCD6
Changed password for user logstash_system
PASSWORD logstash_system = DwZwprw0VFmlxN4vz9T6
Changed password for user beats_system
PASSWORD beats_system = 992PYLq90xCXbzny3xtY
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = N81cmU1XGeXvnYiABUEo
Changed password for user elastic
PASSWORD elastic = Iy7ZIX0pftcxayqodnoK
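If this fails with the error: Failed to determine the health of the cluster running at http://172.60.254.11:9200
This is caused by dirty data: when xpack was enabled, the connection to the cluster failed
The following steps apply only to initial cluster creation or to a test environment
Stop the service
Delete the data directory
On the three nodes configure only xpack.security.enabled: true, then start them
Set the passwords
Create certificates
The passwords and the License are now in place; the certificates provide encrypted communication within the cluster
# Generate the CA certificate; just press Enter at every prompt
# (generated CA certificate: elastic-stack-ca.p12)
bin/elasticsearch-certutil ca
# Generate the certificate used by the nodes; just press Enter at every prompt
# (generated node certificate: elastic-certificates.p12)
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
# Put the node certificate in the config directory of every node
cp elastic-certificates.p12 /data/local/elasticsearch/config/
# Edit the configuration file and add the following parameters
xpack.security.transport.ssl.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.verification_mode: certificate # certificate verification level
xpack.security.transport.ssl.keystore.path: /data/local/elasticsearch/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/local/elasticsearch/config/elastic-certificates.p12
Start the cluster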
su elk
bin/elasticsearch -d
curl -u elastic:Iy7ZIX0pftcxayqodnoK 'http://172.60.254.11:9200/_cat/nodes?'
172.60.254.90 6 77 11 0.94 0.38 0.22 dim * master-data2
172.60.254.98 6 77 14 0.25 0.10 0.08 dim - master-data1
172.60.254.11 6 90 13 0.33 0.16 0.15 i - client
Configure and enable Kibana
vim /data/local/kibana/config/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
# Kibana connects to the Elasticsearch HTTP port (9200), not the transport port (9300)
elasticsearch.hosts: ["http://172.60.254.11:9200","http://172.60.254.98:9200","http://172.60.254.90:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "xxxxxxxxxxxxxx"
su elk # Kibana must not be started as root either
cd /data/local/kibana/bin
screen -dSm kibana ./kibana