Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-15 01:17:36 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [master] one page modified

Browse source
This commit is contained in:
CPol 2020-07-17 23:09:57 +00:00 committed by gitbook-bot
parent dcb1a62f8e
commit 18c50dbb4f
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
1 changed files with 50 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

51
pentesting/9200-pentesting-elasticsearch.md
View file

@ -18,12 +18,61 @@ During the indexing process, Elasticsearch stores documents and builds an invert
## Manual Enumeration ## Manual Enumeration
### Elasticsearch information ### Banner
The protocol used to access Elasticsearch is **HTTP**. When you access it via HTTP you will find some interesting information: `http://10.10.10.115:9200/` The protocol used to access Elasticsearch is **HTTP**. When you access it via HTTP you will find some interesting information: `http://10.10.10.115:9200/`
![](../.gitbook/assets/image%20%28131%29.png) ![](../.gitbook/assets/image%20%28131%29.png)
If you don't see that response accessing `/` see the following section.
### Authentication
**By default Elasticsearch doesn't have authentication enabled**, so by default you can access everything inside the database without using any credentials.
**However**, if you send a request to `/` and receives a response like the following one:
```bash
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}
```
That will means that authentication is configured an you need valid credentials to obtain any info from elasticserach. Then, you can **try to bruteforce it** \(it uses HTTP basic auth, so anything that BF HTTP basic auth can be used\).
### Elastic Info
Here are some endpoints that you can **access via GET** to **obtain** some **information** about elasticsearch:
| \_cat | /\_cluster | /\_security |
| :--- | :--- | :--- |
| /\_cat/segments | /\_cluster/allocation/explain | /\_security/user |
| /\_cat/shards | /\_cluster/settings | /\_security/privilege |
| /\_cat/repositories | /\_cluster/health | /\_security/role\_mapping |
| /\_cat/recovery | /\_cluster/state | /\_security/role |
| /\_cat/plugins | /\_cluster/stats | /\_security/api\_key |
| /\_cat/pending\_tasks | /\_cluster/pending\_tasks | |
| /\_cat/nodes | /\_nodes | |
| /\_cat/tasks | /\_nodes/usage | |
| /\_cat/templates | /\_nodes/hot\_threads | |
| /\_cat/thread\_pool | /\_nodes/stats | |
| /\_cat/ml/trained\_models | /\_tasks | |
| /\_cat/transforms/\_all | /\_remote/info | |
| /\_cat/aliases | | |
| /\_cat/allocation | | |
| /\_cat/ml/anomaly\_detectors | | |
| /\_cat/count | | |
| /\_cat/ml/data\_frame/analytics | | |
| /\_cat/ml/datafeeds | | |
| /\_cat/fielddata | | |
| /\_cat/health | | |
| /\_cat/indices | | |
| /\_cat/master | | |
| /\_cat/nodeattrs | | |
| /\_cat/nodes | | |
These endpoints were [**taken from the documentation**](https://www.elastic.co/guide/en/elasticsearch/reference/current/rest-apis.html) where you can **find more**.
Also, if you access `/_cat` the response will contain the `/_cat/*` endpoints supported by the instance.
In `/_security/user` \(if auth enabled\) you can see which user has role `superuser`.
### Indices ### Indices
You can **gather all the indices** accessing `http://10.10.10.115:9200/_cat/indices?v` You can **gather all the indices** accessing `http://10.10.10.115:9200/_cat/indices?v`