NATS
High-performance messaging system on 4222, with an HTTP monitoring port on 8222. Often deployed without authentication — subscribe to the '>' wildcard and every message on the bus streams to you.
Ports
| Port | Proto | Notes |
|---|---|---|
| 4222 | tcp | NATS client protocol |
| 8222 | tcp | HTTP monitoring |
| 6222 | tcp | cluster routing |
Fingerprint
- Connecting returns an INFO JSON line with version + auth_required
- 8222 serves /varz, /connz monitoring JSON
Exploitation primitives
- INFO line reveals whether auth_required is false (open bus)
- Subscribe to '>' (all subjects) and read every message — often app data and creds
- Monitoring port (/connz, /subsz) leaks clients and subjects
Overview
NATS on 4222 is a fast message bus. If auth_required is false, you can read everything flowing across it.
Enumeration
Grab the INFO banner (check auth_required):
nc -nv <TARGET> 4222
Monitoring JSON (clients, subjects):
curl -s http://<TARGET>:8222/connz | jq
Subscribe to everything
nats -s nats://<TARGET>:4222 sub ">"
Hardening
Require token, user/password, or NKEY/JWT authentication, block external access to the monitoring port, and use TLS.