Exposure of Grafana and Prometheus metrics (/debug/pprof)

Varshini Ramesh
2 min readFeb 22, 2023


I have always had an interest in recon. Recon is the primary and essential step in pen testing, so please give Reconnaissance the attention it deserves.

What is Reconnaissance?

Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim's organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts. — MITRE Website

Reconnaissance is split into two categories based on the type of interaction with the target:

  1. Active reconnaissance — Actively engaging/interacting with the target network, hosts, employees, etc. (Port scanning, vuln scans, web app scanning)
  2. Passive reconnaissance — Utilizing publicly available information. (whois, OSINT, DNS, search engine dorks)

A search engine dork refers to search engine syntax which allows users to filter the type of results they get.

What I did to find exposed /debug/pprof endpoints on Grafana and Prometheus hosts:

First, recon the website with a subdomain finder. I used https://subdomainfinder.c99.nl/, which returns a decent number of subdomains for a domain. You can use many other tools, such as the following (note that httpx does not enumerate subdomains; it probes the discovered hosts for live web services, which is the list you want to feed to a scanner):

Sublist3r
httpx
knock
sub404

Active Scanning

  1. Port Scanning
  2. Vulnerability scanning
  3. Website Directory brute-force

After doing this, I fed this list into a tool called nuclei. It started crawling all the endpoints. WOW, what a tool; it gave good results.

TOOL: https://github.com/projectdiscovery/nuclei

The results showed that /debug/pprof endpoints were exposed on public ports. This was a very sensitive information exposure.
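Why an exposed /debug/pprof matters, and how the check actually works, as an added example (this is not code from the original post, nor Grafana's, Prometheus' or nuclei's own code): Grafana and Prometheus are written in Go, and /debug/pprof/ is the handler set from Go's standard net/http/pprof package. Importing that package for its side effects registers the handlers on http.DefaultServeMux, so any service that serves DefaultServeMux on its public listener exposes them. Once reachable, /debug/pprof/cmdline returns the process command line (flags may carry credentials or internal addresses), the heap and goroutine profiles return memory and stack contents, and /debug/pprof/profile makes the host burn CPU for as long as the caller asks. The example below reproduces the weak layout and the fixed layout on named muxes so they can be compared, and implements the probe a scanner performs: GET /debug/pprof/ and match the pprof index page. The handler names, the /healthz route and the loopback address 127.0.0.1:6060 are illustrative assumptions.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
	"strings"
)

// Constructed example, not the code of Grafana, Prometheus or nuclei.

// registerPprof wires the standard Go pprof handlers onto mux. This is
// exactly what `import _ "net/http/pprof"` does to http.DefaultServeMux.
func registerPprof(mux *http.ServeMux) {
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
}

// PublicMux is the handler served on the internet-facing port.
// exposePprof=true is the weak layout found during the recon; false is
// the fix, where no profiling route exists on the public listener at all.
func PublicMux(exposePprof bool) *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "ok") // assumed application route
	})
	if exposePprof {
		registerPprof(mux)
	}
	return mux
}

// DebugMux is where pprof belongs in the hardened layout: a separate mux
// that the operator serves only on loopback or a management interface,
// e.g. `go http.ListenAndServe("127.0.0.1:6060", DebugMux())` (assumed address).
func DebugMux() *http.ServeMux {
	mux := http.NewServeMux()
	registerPprof(mux)
	return mux
}

// CheckPprof is the probe a scanner performs: GET /debug/pprof/ and look
// for the Go pprof index page. It returns true when the endpoint is exposed.
func CheckPprof(client *http.Client, baseURL string) (bool, error) {
	resp, err := client.Get(strings.TrimRight(baseURL, "/") + "/debug/pprof/")
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 64<<10)) // cap the read
	if err != nil {
		return false, err
	}
	// The index page's <title> is stable across Go releases; matching on it
	// avoids false positives from catch-all 200 pages that echo the path.
	return resp.StatusCode == http.StatusOK &&
		strings.Contains(string(body), "<title>/debug/pprof/</title>"), nil
}

func main() {
	cases := []struct {
		name    string
		handler http.Handler
	}{
		{"pprof on the public mux (weak)", PublicMux(true)},
		{"pprof kept off the public mux (fixed)", PublicMux(false)},
	}
	for _, c := range cases {
		srv := httptest.NewServer(c.handler) // stands in for the real listener
		exposed, err := CheckPprof(srv.Client(), srv.URL)
		srv.Close()
		fmt.Printf("%-40s exposed=%v err=%v\n", c.name, exposed, err)
	}
}
```

Running it prints exposed=true for the weak layout and exposed=false for the fixed one. The same CheckPprof call, pointed at each live host from the httpx output, is the manual equivalent of what the nuclei run found; the fix on the service side is to never put the pprof handlers on the listener that faces the network.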

See my profile if you wish to:

https://www.linkedin.com/in/varshini-ramesh1408/

I’m just on LinkedIn not there on any social media platforms sorry:(.



Written by Varshini Ramesh

||Pentester||Technophile||Papyrophiliac||Astrophile||
