hacktricks/network-services-pentesting/9200-pentesting-elasticsearch.md

# 9200 - Kupima Usalama wa Elasticsearch

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>

## Taarifa Msingi

Elasticsearch ni injini ya **utafutaji** na **uchambuzi** iliyosambazwa, ya chanzo wazi kwa **aina zote za data**. Inajulikana kwa **kasi**, **uwezo wa kupanuka**, na **REST APIs rahisi**. Iliyoundwa kwenye Apache Lucene, ilizinduliwa kwanza mnamo 2010 na Elasticsearch N.V. (sasa inajulikana kama Elastic). Elasticsearch ni sehemu kuu ya Elastic Stack, mkusanyiko wa zana za chanzo wazi kwa kuingiza data, kuiboresha, kuihifadhi, kuichambua, na kuivizualisha. Stack hii, inayojulikana kama ELK Stack, pia inajumuisha Logstash na Kibana, na sasa ina mawakala wa usafirishaji wa data nyepesi wanaitwa Beats.

### Ni nini index ya Elasticsearch?

**Index** ya Elasticsearch ni mkusanyiko wa **hati zinazohusiana** zilizohifadhiwa kama **JSON**. Kila hati inajumuisha **funguo** na **thamani zake** zinazolingana (herufi, nambari, boolean, tarehe, mizunguko, geolocations, n.k.).

Elasticsearch hutumia muundo wa data wenye ufanisi unaoitwa **inverted index** kurahisisha utafutaji wa maandishi kamili haraka. Indeksi hii inaorodhesha kila neno pekee katika hati na kutambua hati ambazo kila neno linaonekana.

Wakati wa mchakato wa kuweka alama, Elasticsearch huhifadhi hati na kujenga inverted index, kuruhusu utafutaji karibu wa wakati halisi. **API ya index** hutumiwa kuongeza au kusasisha hati za JSON ndani ya index maalum.

**Bandari ya chaguo**: 9200/tcp

## Uchunguzi wa Kuelekezwa kwa Mkono

### Bango

Itifaki inayotumiwa kufikia Elasticsearch ni **HTTP**. Unapofikia kwa njia ya HTTP utapata habari za kuvutia: `http://10.10.10.115:9200/`

![](<../.gitbook/assets/image (294).png>)

Ikiwa huoni majibu hayo ukiingia `/` tazama sehemu ifuatayo.

### Uthibitishaji

**Kwa chaguo-msingi Elasticsearch haina uthibitishaji ulioanzishwa**, kwa hivyo kwa chaguo-msingi unaweza kupata kila kitu ndani ya hifadhidata bila kutumia anwani yoyote ya kuingia.

Unaweza kuthibitisha kuwa uthibitishaji umefungwa kwa ombi kwa:
```bash
curl -X GET "ELASTICSEARCH-SERVER:9200/_xpack/security/user"
{"error":{"root_cause":[{"type":"exception","reason":"Security must be explicitly enabled when using a [basic] license. Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file and restart the node."}],"type":"exception","reason":"Security must be explicitly enabled when using a [basic] license. Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file and restart the node."},"status":500}
```
**Hata hivyo**, ikiwa utatuma ombi kwa `/` na kupokea jibu kama ifuatavyo:
```bash
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}
```
Hii inamaanisha kwamba uthibitishaji umewekwa na **unahitaji anwani za siri halali** ili kupata habari yoyote kutoka kwa elasticserach. Kisha, unaweza [**jaribu kuvunja**](../generic-methodologies-and-resources/brute-force.md#elasticsearch) (inatumia HTTP basic auth, kwa hivyo chochote kinachoweza kuvunja HTTP basic auth kinaweza kutumika).\
Hapa una **orodha ya majina ya mtumiaji ya chaguo-msingi**: _**elastic** (mtumiaji wa juu), remote\_monitoring\_user, beats\_system, logstash\_system, kibana, kibana\_system, apm\_system,_ \_anonymous\_.\_ Toleo za zamani za Elasticsearch zina nenosiri la chaguo-msingi **changeme** kwa mtumiaji huyu
```
curl -X GET http://user:password@IP:9200/
```
### Uchambuzi wa Msingi wa Mtumiaji
```bash
#List all roles on the system:
curl -X GET "ELASTICSEARCH-SERVER:9200/_security/role"

#List all users on the system:
curl -X GET "ELASTICSEARCH-SERVER:9200/_security/user"

#Get more information about the rights of an user:
curl -X GET "ELASTICSEARCH-SERVER:9200/_security/user/<USERNAME>"
```
### Taarifa za Elastic

Hapa kuna baadhi ya vituo vya mwisho ambavyo unaweza **kupata kupitia GET** ili **kupata** baadhi ya **taarifa** kuhusu elasticsearch:

| \_cat                           | /\_cluster                    | /\_security               |
| ------------------------------- | ----------------------------- | ------------------------- |
| /\_cat/segments                 | /\_cluster/allocation/explain | /\_security/user          |
| /\_cat/shards                   | /\_cluster/settings           | /\_security/privilege     |
| /\_cat/repositories             | /\_cluster/health             | /\_security/role\_mapping |
| /\_cat/recovery                 | /\_cluster/state              | /\_security/role          |
| /\_cat/plugins                  | /\_cluster/stats              | /\_security/api\_key      |
| /\_cat/pending\_tasks           | /\_cluster/pending\_tasks     |                           |
| /\_cat/nodes                    | /\_nodes                      |                           |
| /\_cat/tasks                    | /\_nodes/usage                |                           |
| /\_cat/templates                | /\_nodes/hot\_threads         |                           |
| /\_cat/thread\_pool             | /\_nodes/stats                |                           |
| /\_cat/ml/trained\_models       | /\_tasks                      |                           |
| /\_cat/transforms/\_all         | /\_remote/info                |                           |
| /\_cat/aliases                  |                               |                           |
| /\_cat/allocation               |                               |                           |
| /\_cat/ml/anomaly\_detectors    |                               |                           |
| /\_cat/count                    |                               |                           |
| /\_cat/ml/data\_frame/analytics |                               |                           |
| /\_cat/ml/datafeeds             |                               |                           |
| /\_cat/fielddata                |                               |                           |
| /\_cat/health                   |                               |                           |
| /\_cat/indices                  |                               |                           |
| /\_cat/master                   |                               |                           |
| /\_cat/nodeattrs                |                               |                           |
| /\_cat/nodes                    |                               |                           |

Vituo hivi vilitolewa kutoka kwenye [**hati ya maelezo**](https://www.elastic.co/guide/en/elasticsearch/reference/current/rest-apis.html) ambapo unaweza **kupata zaidi**.\
Pia, ukikagua `/_cat` jibu litajumuisha vituo vya `/_cat/*` vinavyoungwa mkono na kifaa.

Katika `/_security/user` (ikiwa uthibitishaji umewezeshwa) unaweza kuona ni mtumiaji yupi ana jukumu la `superuser`.

### Viashiria

Unaweza **kusanya viashiria vyote** kwa kufikia `http://10.10.10.115:9200/_cat/indices?v`
```
health status index   uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana 6tjAYZrgQ5CwwR0g6VOoRg   1   0          1            0        4kb            4kb
yellow open   quotes  ZG2D1IqkQNiNZmi2HRImnQ   5   1        253            0    262.7kb        262.7kb
yellow open   bank    eSVpNfCfREyYoVigNWcrMw   5   1       1000            0    483.2kb        483.2kb
```
Kupata **taarifa kuhusu aina gani ya data imehifadhiwa ndani ya index** unaweza kupata: `http://host:9200/<index>` kama vile katika kesi hii `http://10.10.10.115:9200/bank`

![](<../.gitbook/assets/image (342).png>)

### Dump index

Ikiwa unataka **kudump yaliyomo yote** ya index unaweza kupata: `http://host:9200/<index>/_search?pretty=true` kama vile `http://10.10.10.115:9200/bank/_search?pretty=true`

![](<../.gitbook/assets/image (914).png>)

_Chukua muda wa kulinganisha yaliyomo ya kila hati (entry) ndani ya index ya bank na mashamba ya index hii tuliyoyaona katika sehemu iliyopita._

Kwa hivyo, kufikia wakati huu unaweza kugundua kwamba **kuna shamba linaloitwa "jumla" ndani ya "hits"** ambalo linaonyesha kwamba **hati 1000 zilipatikana** ndani ya index hii lakini ni 10 tu zilizopatikana. Hii ni kwa sababu **kwa chaguo-msingi kuna kikomo cha hati 10**.\
Lakini, sasa unajua kwamba **index hii ina hati 1000**, unaweza **kudump zote** ukionyesha idadi ya hati unazotaka kudump kwenye parameter ya **`size`**: `http://10.10.10.115:9200/quotes/_search?pretty=true&size=1000`asd\
_Nota: Ikiwa unaonyesha idadi kubwa zaidi, hati zote zitadump bado, kwa mfano unaweza kuonyesha `size=9999` na itakuwa ajabu ikiwa kulikuwa na hati zaidi (lakini unapaswa kuhakiki)._

### Dump all

Kwa lengo la kudump zote unaweza tu kwenda kwenye **njia ile ile kama awali lakini bila kuonyesha index yoyote** `http://host:9200/_search?pretty=true` kama vile `http://10.10.10.115:9200/_search?pretty=true`\
Kumbuka kwamba katika kesi hii **kikomo cha chaguo-msingi cha 10** kitatumika. Unaweza kutumia parameter ya `size` kudump **idadi kubwa ya matokeo**. Soma sehemu iliyopita kwa maelezo zaidi.

### Tafuta

Ikiwa unatafuta taarifa fulani unaweza kufanya **utafutaji wa moja kwa moja kwenye indices zote** kwa kwenda `http://host:9200/_search?pretty=true&q=<search_term>` kama vile `http://10.10.10.115:9200/_search?pretty=true&q=Rockwell`

![](<../.gitbook/assets/image (335).png>)

Ikiwa unataka **kutafuta kwenye index** unaweza tu **kuweka wazi** kwenye **njia**: `http://host:9200/<index>/_search?pretty=true&q=<search_term>`

_Tafadhali elewa kwamba parameter ya q iliyotumika kutafuta maudhui **inakubali mizani ya kawaida**_

Unaweza pia kutumia kitu kama [https://github.com/misalabs/horuz](https://github.com/misalabs/horuz) kufanya utafutaji wa elasticsearch.
```bash
curl -X POST '10.10.10.115:9200/bookindex/books' -H 'Content-Type: application/json' -d'
{
"bookId" : "A00-3",
"author" : "Sankaran",
"publisher" : "Mcgrahill",
"name" : "how to get a job"
}'
```
Hicho cmd kitazalisha **index mpya** inayoitwa `bookindex` na hati ya aina `books` ambayo ina sifa "_bookId_", "_author_", "_publisher_" na "_name_"

Tambua jinsi **index mpya inavyoonekana sasa kwenye orodha**:

![](<../.gitbook/assets/image (130).png>)

Na uzingatie **mali zilizoundwa kiotomatiki**:

![](<../.gitbook/assets/image (434).png>)

## Uchambuzi wa Kiotomatiki

Baadhi ya zana zitapata baadhi ya data iliyotajwa hapo awali:
```bash
msf > use auxiliary/scanner/elasticsearch/indices_enum
```
{% embed url="https://github.com/theMiddleBlue/nmap-elasticsearch-nse" %}

## Shodan

* `port:9200 elasticsearch`

<details>

<summary><strong>Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kuvamia kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>