
Elasticsearch Pentesting

Default Port: 9200

Elasticsearch is a distributed, JSON-based search and analytics engine that provides fast search speeds, complex querying, and large-scale data storage capabilities.

Elasticsearch is commonly used to search, analyze, and visualize data with loosely defined or complex structure, such as text, numerical data, and time-series data.

Connect

Connecting to Elasticsearch

curl -X GET "<target-ip>:<target-port>"

Kibana Interface

You can use tools like Kibana to explore and manage Elasticsearch.

Recon

Identifying an Elasticsearch Server

You can determine the presence of an Elasticsearch server using Nmap:

nmap -p 9200 X.X.X.X

HTTP Banner Grabbing

nc -nv X.X.X.X 9200

Enumeration

Elasticsearch Cluster Information

To get Elasticsearch cluster information, you can use the following command:

curl -X GET "<target-ip>:<target-port>/_cluster/health?pretty"

Listing Elasticsearch Indices

curl -X GET "<target-ip>:<target-port>/_cat/indices?v"

Attack Vectors

Default Credentials

Check for default credentials or weak authentication configurations.

Unauthorized Access

Search for Elasticsearch targets and gain unauthorized access.

Data Breach

Gain access to sensitive data through unauthorized access to the Elasticsearch server.
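The following is an added example, not part of the original page, for auditing a node you operate: it classifies the answers to the three requests shown above (`/`, `/_cluster/health`, `/_cat/indices?v`) when they are sent without credentials. The sample responses, cluster name, index names and the function names are constructed for illustration.

```python
import json

# Constructed sample responses (HTTP status, body) for the three requests shown
# on this page, as if sent without credentials; not captured from a real cluster.
OPEN_NODE = {
    "/": (200, '{"cluster_name": "demo", "version": {"number": "7.17.0"}}'),
    "/_cluster/health": (200, '{"cluster_name": "demo", "status": "yellow"}'),
    "/_cat/indices?v": (200,
        "health status index     uuid pri rep docs.count docs.deleted store.size pri.store.size\n"
        "yellow open   customers aaaa 1   1   52000      0            18.2mb     18.2mb\n"
        "green  open   .kibana_1 bbbb 1   0   12         1            40kb       40kb\n"),
}
SECURED_NODE = {"/": (401, '{"error": {"type": "security_exception"}, "status": 401}')}


def parse_cat_indices(text):
    """Turn `_cat/indices?v` output into dicts keyed by the header row."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    if not rows:
        return []
    header = rows[0]
    # Rows whose width differs from the header are skipped rather than guessed at.
    return [dict(zip(header, row)) for row in rows[1:] if len(row) == len(header)]


def audit(responses):
    """Return findings for one node's answers to unauthenticated requests."""
    status, body = responses.get("/", (None, ""))
    if status == 401:
        return ["OK: node rejects unauthenticated requests (HTTP 401)"]
    if status != 200:
        return [f"UNKNOWN: HTTP {status} on /, check manually"]
    info = json.loads(body)
    findings = [f"HIGH: cluster '{info.get('cluster_name')}' answers without credentials"]
    h_status, h_body = responses.get("/_cluster/health", (None, ""))
    if h_status == 200:
        findings.append(f"INFO: cluster health is {json.loads(h_body).get('status')}")
    i_status, i_body = responses.get("/_cat/indices?v", (None, ""))
    if i_status == 200:
        for idx in parse_cat_indices(i_body):
            # Names starting with "." are system/hidden indices; the rest hold user data.
            if not idx["index"].startswith(".") and int(idx["docs.count"]) > 0:
                findings.append(f"HIGH: index '{idx['index']}' listed without credentials, "
                                f"{idx['docs.count']} docs, {idx['store.size']}")
    return findings


if __name__ == "__main__":
    for name, sample in (("open", OPEN_NODE), ("secured", SECURED_NODE)):
        print(name, *audit(sample), sep="\n  ")
```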

Post-Exploitation

Common Elasticsearch Commands

| Command | Description |
| --- | --- |
| curl -X GET "<target-ip>:<target-port>" | Sends an HTTP GET request to the Elasticsearch server. |
| curl -X PUT "<target-ip>:<target-port>" | Sends an HTTP PUT request to the Elasticsearch server. |
| curl -X DELETE "<target-ip>:<target-port>" | Sends an HTTP DELETE request to the Elasticsearch server. |