# Kibana - Port 5601 {% tabs %} {% tab title="Support VeryLazyTech πŸŽ‰" %} * Become VeryLazyTech [**member**](https://whop.com/verylazytech/)**! 🎁** * **Follow** us on: * **βœ– Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **πŸ‘Ύ Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **πŸ“œ Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **πŸ“Ί YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **πŸ“© Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **πŸ•΅οΈβ€β™‚οΈ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://whop.com/verylazytech/)for e-books and courses. πŸ“š {% endtab %} {% endtabs %} ## Basic info Kibana is known for its ability to search and visualize data within Elasticsearch, typically running on port **5601**. It serves as the interface for the Elastic Stack cluster's monitoring, management, and security functions. * **Default port:** `5601/tcp` (Kibana UI). *** ### Quick Recon 1. **Nmap** ```bash nmap -sV -p5601 --script=http-title,http-headers nmap -p9200 -sV --script=http-elasticsearch* ``` * Visit the UI in a browser: `http://:5601` or `https://:5601` and check the login flow. * Check headers and cookies for session/auth patterns. Look for headers like `kbn-name`, `kbn-version` or `server: nginx` reverse proxies. Query Elasticsearch directly if reachable (9200): ``` curl -sI http://:9200/ | head -n 20 curl -s http://:9200/ | jq . ``` 2. **Kibana UI discovery** Open `http(s)://:5601/app/kibana` and `/app/management` to inspect login flow, SSO header usage, and presence of Console (`/app/dev_tools#/console`). The Console provides direct ES API access from the browser context. 3. **mappings & indices** If you can query ES, enumerate indices and mappings (important for finding credentials in logs or configs): ``` curl -s 'http://:9200/_cat/indices?v' | sed -n '1,200p' curl -s 'http://:9200//_mapping?pretty' | jq '.' ``` Search for indices named `.*credential.*`, `.*auth.*`, `.*config.*`, `logs-*` or application names. *** ### Authentication & Configs to Inspect Kibana authentication is typically backed by Elasticsearch security (X-Pack). If Elasticsearch has security disabled, Kibana often accepts anonymous access. Check `kibana.yml` for relevant settings (commonly at `/etc/kibana/kibana.yml`): ```yaml server.host: "0.0.0.0" elasticsearch.hosts: ["http://localhost:9200"] # Search for any hardcoded credentials or API keys ``` * Credentials found in config may not be `kibana_system` β€” those credentials could allow broader access if misused. ### Gaining Programmatic Access (safe methods to test) #### 1) Kibana Console abuse (browser context) If Kibana login is bypassed or you have a low-priv shell account, the Console (`/app/dev_tools#/console`) allows arbitrary ES queries executed with the Kibana service credentials. Use it to test data access and create API keys. **Create an API key via the Kibana Console:** ``` POST _security/api_key { "name": "test_key_from_console", "role_descriptors": { "rb": { "cluster": ["all"], "index": [{ "names": ["*"], "privileges": ["all"] }] } } } ``` This returns an `id` and `api_key` you can use in `Authorization: ApiKey ` headers. #### 2) Using Curl (if ES HTTP API reachable) 
# list users
curl -s -u 'kibana_system:password' http://<ip>:9200/_security/user | jq '.'

# create API key (returns id & api_key)
curl -s -u kibana_system:password -X POST "http://<ip>:9200/_security/api_key" -H 'Content-Type: application/json' -d '{"name":"rk_key","expiration":"30d","role_descriptors":{"r":{"cluster":["monitor"],"index":[{"names":["*"] ,"privileges":["read"]}]}}}' | jq '.'
**Note:** If `kibana_system` creds are in `kibana.yml` and they’re not `kibana_system` scoped, they may give broader ES access. Always check `kibana.yml` safely via a host shell if available. *** ### Offensive Checklist (if you gain access) 1. **Enumerate indices & data** ```bash # Using curl against Elasticsearch if proxy/API access available curl -s "http://localhost:9200/_cat/indices?v" curl -s "http://localhost:9200//_search?size=50&q=*" | jq '.' ``` 2. **Check Users / Roles / API Keys** * In Kibana: Stack Management β†’ Security β†’ Users / Roles / API Keys * If you can create API keys, you can pivot programmatically. 3. **Version & Known CVEs** * Identify Kibana/ES version (footer in UI or `GET /` on ES). Search for known CVEs β€” e.g., older versions (<6.6.0) had RCE bugs in certain plugins and features. Always verify with vendor advisories. 4. **Check for saved objects & visualizations that allow scripting** * Visualizations and scripted fields can sometimes be abused to inject payloads or to expose sensitive fields. *** ### Post‑Exploitation & Data Exfil * Extract sensitive documents from indices (credentials, PII, logs). Use pagination and `_search` API to pull data. * Create API keys or service users for long-lived access (audit logs permitting). *** ### Hardening & Defender Checklist 1. **Network controls** * Block access to `5601/tcp` from public/untrusted networks. Use VPNs or management subnets for admin access. 2. **Enable authentication & TLS** * Enable Elasticsearch security features (TLS + basic auth or SSO). Do not run ES without security in production. 3. **Least privilege** * Ensure `kibana_system` is used only for Kibana, and admin users are limited. 4. **Keep versions patched** * Upgrade to latest minor/major fixes; monitor Elastic advisories for RCE or privilege escalation CVEs. 5. **Audit & monitor** * Enable audit logging and alert on new API keys, user creation, or unusual index export patterns. 6. **Config hygiene** * Remove hardcoded credentials from `kibana.yml` or vault them. Avoid running Kibana on `0.0.0.0` if unnecessary. Quick commands to enable basic safety: ```bash # Example: restrict bind address (kibana.yml) server.host: "127.0.0.1" # Or firewall rule ufw deny from any to any port 5601 proto tcp ``` *** ### Detection Ideas * IDS/IPS: alert on connections to port 5601 from unusual sources. * SIEM: flag high-volume `_search` requests or API key creation events. * Network: block mgt plane access to Elasticsearch/Kibana from the internet. *** {% hint style="success" %} Learn & practice [**For the Bug Bounty**](https://whop.com/verylazytech/)
Support VeryLazyTech πŸŽ‰ * Become VeryLazyTech [**member**](https://whop.com/verylazytech/)**! 🎁** * **Follow** us on: * **βœ– Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **πŸ‘Ύ Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **πŸ“œ Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **πŸ“Ί YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **πŸ“© Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **πŸ•΅οΈβ€β™‚οΈ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://whop.com/verylazytech/)for e-books and courses. πŸ“š
{% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.verylazytech.com/kibana-port-5601.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.