diff --git a/pentesting/9200-pentesting-elasticsearch.md b/pentesting/9200-pentesting-elasticsearch.md index 6dc8c43c8..d9a067e9d 100644 --- a/pentesting/9200-pentesting-elasticsearch.md +++ b/pentesting/9200-pentesting-elasticsearch.md 
@@ -18,12 +18,61 @@ During the indexing process, Elasticsearch stores documents and builds an invert ## Manual Enumeration -### Elasticsearch information +### Banner The protocol used to access Elasticsearch is **HTTP**. When you access it via HTTP you will find some interesting information: `http://10.10.10.115:9200/` ![](../.gitbook/assets/image%20%28131%29.png) +If you don't see that response accessing `/` see the following section. + +### Authentication + +**By default Elasticsearch doesn't have authentication enabled**, so by default you can access everything inside the database without using any credentials. +**However**, if you send a request to `/` and receives a response like the following one: + +```bash +{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401} +``` + +That will means that authentication is configured an you need valid credentials to obtain any info from elasticserach. Then, you can **try to bruteforce it** \(it uses HTTP basic auth, so anything that BF HTTP basic auth can be used\). 
+ +### Elastic Info + +Here are some endpoints that you can **access via GET** to **obtain** some **information** about elasticsearch: + +| \_cat | /\_cluster | /\_security | +| :--- | :--- | :--- | +| /\_cat/segments | /\_cluster/allocation/explain | /\_security/user | +| /\_cat/shards | /\_cluster/settings | /\_security/privilege | +| /\_cat/repositories | /\_cluster/health | /\_security/role\_mapping | +| /\_cat/recovery | /\_cluster/state | /\_security/role | +| /\_cat/plugins | /\_cluster/stats | /\_security/api\_key | +| /\_cat/pending\_tasks | /\_cluster/pending\_tasks | | +| /\_cat/nodes | /\_nodes | | +| /\_cat/tasks | /\_nodes/usage | | +| /\_cat/templates | /\_nodes/hot\_threads | | +| /\_cat/thread\_pool | /\_nodes/stats | | +| /\_cat/ml/trained\_models | /\_tasks | | +| /\_cat/transforms/\_all | /\_remote/info | | +| /\_cat/aliases | | | +| /\_cat/allocation | | | +| /\_cat/ml/anomaly\_detectors | | | +| /\_cat/count | | | +| /\_cat/ml/data\_frame/analytics | | | +| /\_cat/ml/datafeeds | | | +| /\_cat/fielddata | | | +| /\_cat/health | | | +| /\_cat/indices | | | +| /\_cat/master | | | +| /\_cat/nodeattrs | | | +| /\_cat/nodes | | | + +These endpoints were [**taken from the documentation**](https://www.elastic.co/guide/en/elasticsearch/reference/current/rest-apis.html) where you can **find more**. +Also, if you access `/_cat` the response will contain the `/_cat/*` endpoints supported by the instance. + +In `/_security/user` \(if auth enabled\) you can see which user has role `superuser`. + ### Indices You can **gather all the indices** accessing `http://10.10.10.115:9200/_cat/indices?v`
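Review bot: the endpoint table in this hunk lists `/_cat/nodes` twice (once mid-way down the `_cat` column and again as the final row), and the first column header reads `\_cat` while the other two headers carry a leading slash; drop the duplicate row and make the header `/\_cat` so the three columns match. In the Authentication section, the 401 response is fenced as `bash` but is a JSON body, so tag that block `json`, and the sentence "That will means that authentication is configured an you need valid credentials to obtain any info from elasticserach" needs "That means ... and ... Elasticsearch", with "if you send a request to `/` and receives a response" becoming "receive a response". The unqualified claim "By default Elasticsearch doesn't have authentication enabled" should be scoped to releases before 8.0, since 8.0 and later auto-configure security (TLS and authentication) on first start; without that caveat a reader who gets the 401 may assume the target was deliberately hardened rather than simply current. Finally, the whole `/_security/*` column is only reachable when security is enabled and the caller is authenticated, which the prose states only for `/_security/user`; say so for the column as a whole, and add a brief note that the `_cluster`, `_nodes` and `_cat` endpoints are read-only enumeration (they leak versions, node IPs, plugins and index names but do not by themselves give write or code-execution access), so the reader knows what to expect from each group.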