elasticpwn: how to collect and analyse data from exposed Elasticsearch and Kibana instances

Your Elasticsearch and Kibana instances are open, and that’s a real problem

elasticpwn: a brief overview

  1. Install the tool:

     go install github.com/9oelM/elasticpwn/elasticpwn@latest

  Search queries used to find instances:

     elasticSearch AND country:"US" AND product:"Elasticsearch REST API"
     elasticsearch 200 -"adminer_sid" -"MiniUPnPd"

  Input list (list_of_elasticsearch_instances.txt), one host:port per line:

     123.123.123.123:80
     124.124.124.124:443
     .. and so on.

  Start MongoDB for the results, run the scan, generate the report, and view it:

     curl https://raw.githubusercontent.com/9oelM/elasticpwn/main/docker-compose-mongo-only.yml -o docker-compose-mongo-only.yml && docker-compose -f docker-compose-mongo-only.yml up -d
     elasticpwn elasticsearch -f list_of_elasticsearch_instances.txt -murl mongodb://root:example@172.17.0.1:27017/ -of mongo -t 12
     elasticpwn report generate -cn elasticsearch -murl mongodb://root:example@172.17.0.1:27017/
     elasticpwn report view -d ./path-to-report -p 9999

elasticpwn: persisting your research

  1. Generate the report with the -dn option:

     # -dn should be the URL where elasticpwn-backend will be hosted
     elasticpwn report generate -cn elasticsearch -murl mongodb://root:example@172.17.0.1:27017/ -dn http://localhost:9292

  2. Install and run the backend. Quote the MongoDB URI: unquoted, the & in the query string makes the shell background the command and drop the remaining flags.

     go install github.com/9oelM/elasticpwn/report/elasticpwn-backend@latest
     elasticpwn-backend -mongodbUri='mongodb+srv://username:pw@somewhere.mongodb.net/default-collection-name?retryWrites=true&w=majority' -databaseCollectionName=elasticsearch_reviewed_urls -databaseName=elasticpwn -port=9292

2021/12/28 05:38:54 Connected to database
2021/12/28 05:38:54 Inserting
2021/12/28 05:38:54 Test url already created before
[GIN-debug] [WARNING] Creating an Engine instance with the Logger and Recovery middleware already attached.

[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
- using env: export GIN_MODE=release
- using code: gin.SetMode(gin.ReleaseMode)

[GIN-debug] GET /ping --> main.PingHandler (4 handlers)
[GIN-debug] GET /urls --> main.GetUrlsHandlerGenerator.func1 (4 handlers)
[GIN-debug] POST /urls --> main.PostUrlsHandlerGenerator.func1 (4 handlers)
[GIN-debug] DELETE /urls --> main.DeleteUrlsHandlerGenerator.func1 (4 handlers)
[GIN-debug] Listening and serving HTTP on 0.0.0.0:9292
  3. View the report as before:

     elasticpwn report view -d ./path-to-report -p 9999

Securing your Elastic stack

  • set xpack.security.enabled to true if you are running an older version of the Elastic stack. The good news is that it is true by default in the newest versions, which will keep many instances from being exposed to the world.
  • set passwords: bin/elasticsearch-setup-passwords interactive
  • require HTTP authentication (a WWW-Authenticate challenge) in front of the instances to restrict access
  • put the instances inside a private network and reach them over a VPN
  • and so much more…
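As an added example (not from the original post or the elasticpwn project), the following Go program is the check to run against your own node once security is enabled and passwords are set: it sends a single unauthenticated request to the cluster root and reports whether the node still hands out cluster metadata or instead answers 401 with a WWW-Authenticate challenge. The URL in main, the AuditEndpoint/Verdict names and the sample responses in the comments are assumptions.

```go
// Added example: verify that an Elasticsearch node no longer answers
// unauthenticated REST requests after hardening. Not elasticpwn code.
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"
)

// Verdict describes how an endpoint responded to one unauthenticated GET /.
type Verdict struct {
	Exposed     bool   // true when cluster metadata was served without credentials
	Status      int    // HTTP status code returned
	ClusterName string // set only when the node leaked cluster metadata
	Challenge   string // WWW-Authenticate value when the node demanded credentials
}

// AuditEndpoint requests base + "/" without credentials and classifies the
// answer. A node with security enabled replies 401 plus a WWW-Authenticate
// challenge; an open node replies 200 with JSON carrying "cluster_name" and a
// "version" object (constructed sample: {"cluster_name":"x","version":{"number":"7.10.2"}}).
func AuditEndpoint(client *http.Client, base string) (Verdict, error) {
	req, err := http.NewRequest(http.MethodGet, strings.TrimRight(base, "/")+"/", nil)
	if err != nil {
		return Verdict{}, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return Verdict{}, err
	}
	defer resp.Body.Close()

	v := Verdict{Status: resp.StatusCode, Challenge: resp.Header.Get("WWW-Authenticate")}
	// Anything other than 200 (typically 401/403) means the node asked for
	// credentials, which is the state we want after hardening.
	if resp.StatusCode != http.StatusOK {
		return v, nil
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<16))
	if err != nil {
		return v, err
	}
	var root struct {
		ClusterName string `json:"cluster_name"`
		Version     struct {
			Number string `json:"number"`
		} `json:"version"`
	}
	// Only a parsable root document with cluster name and version counts as
	// exposure; a reverse proxy returning some other 200 page does not.
	if json.Unmarshal(body, &root) == nil && root.ClusterName != "" && root.Version.Number != "" {
		v.Exposed = true
		v.ClusterName = root.ClusterName
	}
	return v, nil
}

func main() {
	client := &http.Client{Timeout: 5 * time.Second}
	// Placeholder: point this at your own node.
	v, err := AuditEndpoint(client, "http://localhost:9200")
	if err != nil {
		fmt.Println("request failed:", err)
		return
	}
	if v.Exposed {
		fmt.Printf("EXPOSED: cluster %q answered without credentials\n", v.ClusterName)
	} else {
		fmt.Printf("secured: status %d, challenge %q\n", v.Status, v.Challenge)
	}
}
```

Run it from outside the private network as well as inside: a node that is secured on localhost but reachable through a forgotten port mapping is exactly what the search queries above turn up. If the verdict is still exposed after the configuration change, the node was not restarted or the setting landed in the wrong elasticsearch.yml.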

Conclusion

  • the problem of data exposure from numerous Elasticsearch and Kibana instances
  • how elasticpwn helps detect and analyse the exposed data
  • simple ways to secure the Elastic stack

High quality article or death. Code/Security stuffs, mostly related to React, Typescript, and Node, GoLang, Wasm. https://9oelm.github.io.

Joel Mun
