ElasticSearch7.3破解

破解ES7.3.0到白金版(学习交流使用)

正常安装ELK7.3版本到服务器上

正常部署ELK7到服务器上，先不要启动。然后开始进行破解操作

进行破解操作

需要破解的文件：modules/x-pack-core/x-pack-core-7.3.0.jar

用来反编译jar的工具：IDEA或者Luyten

x-pack从6.0开始，已经内置在了Elasticsearch中，只需要配置开启就可以使用(30天的试用期)

如果Mac使用Luyten，则需要安装JDK8版本 其他版本可能会导致打不开

需要修改x-pack的相关源码的文件

x-pack的lisence的校验主要是这两个文件

1. 验证licence是否有效：org.elasticsearch.license.LicenseVerifier
2. 验证jar包是否被修改：org.elasticsearch.xpack.core.XPackBuild

先用Luyten打开jar包，找到这两个文件LicenseVerifier.class和XPackBuild.class，另存为后缀改成.java(LicenseVerifier.java和XPackBuild.java)

修改LicenseVerifier.java

直接修改两个静态方法，返回true

package org.elasticsearch.license;

import java.nio.*;
import org.elasticsearch.common.bytes.*;
import java.security.*;
import java.util.*;
import org.elasticsearch.common.xcontent.*;
import org.apache.lucene.util.*;
import org.elasticsearch.core.internal.io.*;
import java.io.*;

public class LicenseVerifier
{
    public static boolean verifyLicense(final License license, final byte[] publicKeyData) {
        return true;
    }

    public static boolean verifyLicense(final License license) {
        return true;
    }
}

修改XPackBuild.java

最后一个静态代码块中 try的部分全部删除

package org.elasticsearch.xpack.core;

import org.elasticsearch.common.io.*;
import java.net.*;
import org.elasticsearch.common.*;
import java.nio.file.*;
import java.io.*;
import java.util.jar.*;

public class XPackBuild
{
    public static final XPackBuild CURRENT;
    private String shortHash;
    private String date;

    @SuppressForbidden(reason = "looks up path of xpack.jar directly")
    static Path getElasticsearchCodebase() {
        final URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
        try {
            return PathUtils.get(url.toURI());
        }
        catch (URISyntaxException bogus) {
            throw new RuntimeException(bogus);
        }
    }

    XPackBuild(final String shortHash, final String date) {
        this.shortHash = shortHash;
        this.date = date;
    }

    public String shortHash() {
        return this.shortHash;
    }

    public String date() {
        return this.date;
    }

    static {
        final Path path = getElasticsearchCodebase();
        String shortHash = null;
        String date = null;
        Label_0109: {
            // if (path.toString().endsWith(".jar")) {
            //     try {
            //         final JarInputStream jar = new JarInputStream(Files.newInputStream(path, new OpenOption[0]));
            //         try {
            //             final Manifest manifest = jar.getManifest();
            //             shortHash = manifest.getMainAttributes().getValue("Change");
            //             date = manifest.getMainAttributes().getValue("Build-Date");
            //             jar.close();
            //         }
            //         catch (Throwable t) {
            //             try {
            //                 jar.close();
            //             }
            //             catch (Throwable t2) {
            //                 t.addSuppressed(t2);
            //             }
            //             throw t;
            //         }
            //         break Label_0109;
            //     }
            //     catch (IOException e) {
            //         throw new RuntimeException(e);
            //     }
            // }
            shortHash = "Unknown";
            date = "Unknown";
        }
        CURRENT = new XPackBuild(shortHash, date);
    }
}

重新编译生成.class文件

cd ${ES_home_dir}/modules/x-pack-core
# 将文件备份一下
cp x-pack-core-7.3.0.jar x-pack-core-7.3.0.jar_bak
# 将jar包拷贝到/opt下进行文件替换操作
cp x-pack-core-7.3.0.jar /opt/

ES_home_dir='/data/local/elasticsearch'
# 生成LicenseVerifier.class文件
javac -cp "${ES_home_dir}/lib/elasticsearch-7.3.0.jar:${ES_home_dir}/lib/lucene-core-8.1.0.jar:${ES_home_dir}/modules/x-pack-core/x-pack-core-7.3.0.jar:${ES_home_dir}/modules/x-pack-core/netty-common-4.1.36.Final.jar:${ES_home_dir}/lib/elasticsearch-core-7.3.0.jar" /root/LicenseVerifier.java
# 生成XPackBuild.class文件
javac -cp "${ES_home_dir}/lib/elasticsearch-7.3.0.jar:${ES_home_dir}/lib/lucene-core-8.1.0.jar:${ES_home_dir}/modules/x-pack-core/x-pack-core-7.3.0.jar:${ES_home_dir}/lib/elasticsearch-core-7.3.0.jar" /root/XPackBuild.java

# 编译成功后，可以在/root下查看到class文件  这里看你的.java文件在哪里放着
ll /root/*.class
-rw-r--r--. 1 root root  410 Sep 27 09:58 /root/LicenseVerifier.class
-rw-r--r--. 1 root root 1512 Sep 27 10:01 /root/XPackBuild.class

替换.class文件, 并替换jar包

将上边两个修改后的文件，上传到ES服务器上，替换x-pack-core-7.3.0.jar中的源文件

cd /opt

# 查看两个文件在jar包中的位置
jar -tvf x-pack-core-7.3.0.jar | grep LicenseVerifier
  4786 Wed Jul 24 18:31:58 UTC 2019 org/elasticsearch/license/LicenseVerifier.class
jar -tvf x-pack-core-7.3.0.jar | grep XPackBuild
  2893 Wed Jul 24 18:31:58 UTC 2019 org/elasticsearch/xpack/core/XPackBuild.class

# 解压jar包
jar -xvf x-pack-core-7.3.0.jar
rm -f x-pack-core-7.3.0.jar
# 替换class
cp /root/LicenseVerifier.class org/elasticsearch/license/
cp /root/XPackBuild.class org/elasticsearch/xpack/core/
# 重新打包成jar包
jar cvf x-pack-core-7.3.0.jar .

cp x-pack-core-7.3.0.jar ${ES_home_dir}/modules/x-pack-core/

此处注意，查看替换后的jar包属主属组是否为启动elasticsearch的用户。一般来说不会变化，但是确认一遍最好

如果ELK是集群形式部署的，那么所有的ES服务器上都要替换这个文件。直接cp过去替换就可以

申请License

完成以上修改jar包操作后，去ES官网申请一个License，申请地址。然后注册下来后，会给一个License，是个json格式的，可以手动修改type、expiry_date_in_millis、max_nodes分别修改成platinum(白金版)、2524579200999(过期时间)、1000(最大node节点数量)。

许可证书分有三类GOLD(黄金),PLATINUM(白金),ENTERPRISE(企业). 白金版就可使用所有的x-pack功能

{
  "license": {
    "uid": "40d50156-1e84-41c0-ab11-f72d3135c03b",
    "type": "platinum",
    "issue_date_in_millis": 1601164800000,
    "expiry_date_in_millis": 2524579200999,
    "max_nodes": 1000,
    "issued_to": "kaku moe (Neo)",
    "issuer": "Web Form",
    "signature": "AAAAAwAAAA0jo3zeAbYjqQ2OReAtAAABmC9ZN0hjZDBGYnVyRXpCOW5Bb3FjZDAxOWpSbTVoMVZwUzRxVk1PSmkxaktJRVl5MUYvUWh3bHZVUTllbXNPbzBUemtnbWpBbmlWRmRZb25KNFlBR2x0TXc2K2p1Y1VtMG1UQU9TRGZVSGRwaEJGUjE3bXd3LzRqZ05iLzRteWFNekdxRGpIYlFwYkJiNUs0U1hTVlJKNVlXekMrSlVUdFIvV0FNeWdOYnlESDc3MWhlY3hSQmdKSjJ2ZTcvYlBFOHhPQlV3ZHdDQ0tHcG5uOElCaDJ4K1hob29xSG85N0kvTWV3THhlQk9NL01VMFRjNDZpZEVXeUtUMXIyMlIveFpJUkk2WUdveEZaME9XWitGUi9WNTZVQW1FMG1DenhZU0ZmeXlZakVEMjZFT2NvOWxpZGlqVmlHNC8rWVVUYzMwRGVySHpIdURzKzFiRDl4TmM1TUp2VTBOUlJZUlAyV0ZVL2kvVk10L0NsbXNFYVZwT3NSU082dFNNa2prQ0ZsclZ4NTltbU1CVE5lR09Bck93V2J1Y3c9PQAAAQAzFCGOyPC+uYxW7sGJWRYeVvmuwbR/Et7JhbLUKJLZ0UB5bXYDAyS3QMWWmUA31UKyp8w99J8N5gWZXgBTzVXF0VGyvtg6Ox5e+U68f9D1tBjM7r6asgDql7W6fzqgjm4lPQLGVJ1+kycxR1WTZ990QjfZ7eq3cb7nbj3BlszcCQ1b5vzhVmYdktSpL7D4zM1HXAmor7PQO+APt/r2kvRiaqF9rxj5pki73dWxdUkxEIM1gL3QkfVXeT+GRwUPXwnFonaWDSG8abEZ7GNpLB3SzufeKByerhPkKmQBJRaKeD3eTuk57EPzTzZtksxfDUfOKeHynQsHLIIShzC89gDq",
    "start_date_in_millis": 1601164800000
  }
}

文件存为license.json

导入License

• 首先，编辑config/elasticsearch.yml，在最后设置禁用xpack.security. 并启动ES

  vim config/elasticsearch.yml
  ...
  # Xpack's security certification
  xpack.security.enabled: false
  xpack.security.transport.ssl.enabled: false
  
  su elk
  bin/elasticsearch -d
  

• 导入License

  curl -XPUT -u elastic 'http://172.60.254.11:9200/_xpack/license' -H "Content-Type: application/json" -d @license.json
  # 此时提示需要输入elastic账号的密码，直接回车就可以
  Enter host password for user 'elastic':
  {"acknowledged":true,"license_status":"valid"}
  

启用Xpack

创建ES集群的账号密码

导入License成功后，修改elasticsearch.yml配置文件，再把xpack安全认证打开

vim config/elasticsearch.yml
...
# Xpack's security certification
xpack.security.enabled: true

如果没有生成密码，可以用下面命令生成elastic的密码

# 如果需要重新设置密码,手动设置密码
./bin/elasticsearch-setup-passwords interactive

# 自动生成密码：
./bin/elasticsearch-setup-passwords auto

Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y

Changed password for user apm_system
PASSWORD apm_system = tRIKSfXsTTtkg48nDUIz

Changed password for user kibana
PASSWORD kibana = 0tVqPYiYfJDEmB06fCD6

Changed password for user logstash_system
PASSWORD logstash_system = DwZwprw0VFmlxN4vz9T6

Changed password for user beats_system
PASSWORD beats_system = 992PYLq90xCXbzny3xtY

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = N81cmU1XGeXvnYiABUEo

Changed password for user elastic
PASSWORD elastic = Iy7ZIX0pftcxayqodnoK

如果这里报错：Failed to determine the health of the cluster running at http://172.60.254.11:9200

这是由于脏数据的原因，启用xpack的时候，集群链接失败

以下步骤只适用于初始创建集群，或者测试环境

1. 停止服务

2. 删除数据目录

3. 三个节点只配置xpack.security.enabled: true,启动

4. 设置密码

创建证书

现在密码和License都已经OK了，证书实现集群的加密通信

# 生成CA证书, 一路回车就可以
bin/elasticsearch-certutil ca  （生成的CA证书: elastic-stack-ca.p12）

# 生成节点使用的证书 一路回车就可以
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12   （生成的节点证书: elastic-certificates.p12）

# 将节点证书，放到所有节点的 config目录下
cp elastic-certificates.p12 /data/local/elasticsearch/config/
# 修改配置文件添加下列参数项
xpack.security.transport.ssl.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.verification_mode: certificate  # 证书验证级别
xpack.security.transport.ssl.keystore.path: /data/local/elasticsearch/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/local/elasticsearch/config/elastic-certificates.p12

启动集群

su elk
bin/elasticsearch -d

curl -u elastic:Iy7ZIX0pftcxayqodnoK 'http://172.60.254.11:9200/_cat/nodes?'
172.60.254.90 6 77 11 0.94 0.38 0.22 dim * master-data2
172.60.254.98 6 77 14 0.25 0.10 0.08 dim - master-data1
172.60.254.11 6 90 13 0.33 0.16 0.15 i   - client

配置并启用kibana

vim /data/local/kibana/config/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://172.60.254.11:9300","http://172.60.254.98:9300","http://172.60.254.90:9300"]
elasticsearch.username: "kibana"
elasticsearch.password: "xxxxxxxxxxxxxx"

su elk  # kibana也不能用root启动
cd /data/local/kibana/bin
screen -dSm kibana ./kibana