Kibana - Port 5601

Basic info

Kibana is known for its ability to search and visualize data within Elasticsearch, typically running on port 5601. It serves as the interface for the Elastic Stack cluster's monitoring, management, and security functions.

• Default port: 5601/tcp (Kibana UI).

Quick Recon

1. Nmap

nmap -sV -p5601 --script=http-title,http-headers <target>
nmap -p9200 -sV --script=http-elasticsearch* <target>

• Visit the UI in a browser: http://<ip>:5601 or https://<ip>:5601 and check the login flow.

• Check headers and cookies for session/auth patterns.

Look for headers like kbn-name, kbn-version or server: nginx reverse proxies. Query Elasticsearch directly if reachable (9200):

curl -sI http://<ip>:9200/ | head -n 20
curl -s http://<ip>:9200/ | jq .

1. Kibana UI discovery

Open http(s)://<ip>:5601/app/kibana and /app/management to inspect login flow, SSO header usage, and presence of Console (/app/dev_tools#/console). The Console provides direct ES API access from the browser context.

1. mappings & indices

If you can query ES, enumerate indices and mappings (important for finding credentials in logs or configs):

curl -s 'http://<ip>:9200/_cat/indices?v' | sed -n '1,200p'
curl -s 'http://<ip>:9200/<index>/_mapping?pretty' | jq '.'

Search for indices named .*credential.*, .*auth.*, .*config.*, logs-* or application names.

Authentication & Configs to Inspect

Kibana authentication is typically backed by Elasticsearch security (X-Pack). If Elasticsearch has security disabled, Kibana often accepts anonymous access. Check kibana.yml for relevant settings (commonly at /etc/kibana/kibana.yml):

server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]
# Search for any hardcoded credentials or API keys

• Credentials found in config may not be kibana_system — those credentials could allow broader access if misused.

Gaining Programmatic Access (safe methods to test)

1) Kibana Console abuse (browser context)

If Kibana login is bypassed or you have a low-priv shell account, the Console (/app/dev_tools#/console) allows arbitrary ES queries executed with the Kibana service credentials. Use it to test data access and create API keys.

Create an API key via the Kibana Console:

POST _security/api_key
{
    "name": "test_key_from_console",
    "role_descriptors": { "rb": { "cluster": ["all"], "index": [{ "names": ["*"], "privileges": ["all"] }] } }
}

This returns an id and api_key you can use in Authorization: ApiKey <base64(id:api_key)> headers.

2) Using Curl (if ES HTTP API reachable)

# list users
curl -s -u 'kibana_system:password' http://<ip>:9200/_security/user | jq '.'

# create API key (returns id & api_key)
curl -s -u kibana_system:password -X POST "http://<ip>:9200/_security/api_key" -H 'Content-Type: application/json' -d '{"name":"rk_key","expiration":"30d","role_descriptors":{"r":{"cluster":["monitor"],"index":[{"names":["*"] ,"privileges":["read"]}]}}}' | jq '.'

Note: If kibana_system creds are in kibana.yml and they’re not kibana_system scoped, they may give broader ES access. Always check kibana.yml safely via a host shell if available.

Offensive Checklist (if you gain access)

1. Enumerate indices & data

# Using curl against Elasticsearch if proxy/API access available
curl -s "http://localhost:9200/_cat/indices?v"
curl -s "http://localhost:9200/<index>/_search?size=50&q=*" | jq '.'

1. Check Users / Roles / API Keys

• In Kibana: Stack Management → Security → Users / Roles / API Keys

• If you can create API keys, you can pivot programmatically.

1. Version & Known CVEs

• Identify Kibana/ES version (footer in UI or GET / on ES). Search for known CVEs — e.g., older versions (<6.6.0) had RCE bugs in certain plugins and features. Always verify with vendor advisories.

1. Check for saved objects & visualizations that allow scripting

• Visualizations and scripted fields can sometimes be abused to inject payloads or to expose sensitive fields.

Post‑Exploitation & Data Exfil

• Extract sensitive documents from indices (credentials, PII, logs). Use pagination and _search API to pull data.

• Create API keys or service users for long-lived access (audit logs permitting).

Hardening & Defender Checklist

1. Network controls

• Block access to 5601/tcp from public/untrusted networks. Use VPNs or management subnets for admin access.

1. Enable authentication & TLS

• Enable Elasticsearch security features (TLS + basic auth or SSO). Do not run ES without security in production.

1. Least privilege

• Ensure kibana_system is used only for Kibana, and admin users are limited.

1. Keep versions patched

• Upgrade to latest minor/major fixes; monitor Elastic advisories for RCE or privilege escalation CVEs.

1. Audit & monitor

• Enable audit logging and alert on new API keys, user creation, or unusual index export patterns.

1. Config hygiene

• Remove hardcoded credentials from kibana.yml or vault them. Avoid running Kibana on 0.0.0.0 if unnecessary.

Quick commands to enable basic safety:

# Example: restrict bind address (kibana.yml)
server.host: "127.0.0.1"
# Or firewall rule
ufw deny from any to any port 5601 proto tcp

Detection Ideas

• IDS/IPS: alert on connections to port 5601 from unusual sources.

• SIEM: flag high-volume _search requests or API key creation events.

• Network: block mgt plane access to Elasticsearch/Kibana from the internet.