
Open Elasticsearch nodes on Shodan

Posted: 06/01/2018 in Uncategorized

Administrators like to use Elasticsearch (What is Elasticsearch?) as a real-time data search and analysis tool. However, many administrators forget to secure these nodes.

With a simple search on Shodan, we can find the Elastic indices:

https://www.shodan.io/search?query=port:"9200" product:"Elastic"

Confidential information can be accessed through these addresses. The syntax to use is below:

http://IP:9200/_search?pretty

Here are some basic recommendations for securing your nodes:

  • Only allow direct access from known IP addresses (source to destination)
  • Add authentication to the Elastic node (2FA all the way)
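
To verify that both recommendations hold on a node you operate, the following added example (not code from the original post) sends credential-less requests to the two endpoints the post names and classifies the responses. The function names, finding labels and sample responses are assumptions made for illustration; `size=0` is used so the search returns only a hit count and no documents.

```python
import json
import urllib.error
import urllib.request

# Endpoints named in the post; size=0 returns hit counts only, no documents.
PATHS = ("/", "/_search?size=0")

# Constructed sample responses (status, body), not captured from a real node.
SAMPLE_OPEN = {
    "/": (200, '{"cluster_name": "example", "tagline": "You Know, for Search"}'),
    "/_search?size=0": (200, '{"took": 1, "hits": {"total": 42, "hits": []}}'),
}
SAMPLE_SECURED = {path: (401, "") for path in PATHS}

def classify(status, body):
    """Map one credential-less HTTP response to a finding."""
    if status is None:
        return "unreachable"  # refused or filtered, e.g. by an IP allow-list
    if status in (401, 403):
        return "auth-required"
    if status != 200:
        return "other-%d" % status
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-elasticsearch"
    if isinstance(doc, dict) and "hits" in doc:
        return "open-data"  # search results served without authentication
    if isinstance(doc, dict) and ("cluster_name" in doc or "tagline" in doc):
        return "open-banner"  # root banner served without authentication
    return "not-elasticsearch"

def fetch(url, timeout=5):
    """GET with no credentials; return (status, body) or (None, '')."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(1 << 20).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except OSError:  # URLError, timeouts and refused connections
        return None, ""

def audit(base_url, fetcher=fetch):
    """Return {path: finding} for one node you operate."""
    return {p: classify(*fetcher(base_url.rstrip("/") + p)) for p in PATHS}

def is_exposed(findings):
    """True if any endpoint answered without asking for credentials."""
    return any(value.startswith("open-") for value in findings.values())
```

A node that follows both recommendations reports `unreachable` when `audit()` is run from an address outside the allow-list and `auth-required` when run from an allowed one.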

PoC

  1. Use this filter on Shodan to search for Elastic nodes: port:"9200" product:"Elastic"
  2. Check the Elastic connection: http://IP:9200
  3. Execute a search: http://IP:9200/_search?pretty

This node discloses some confidential information; we can use it to access all accounts.

Now we can use this information to access the Elastic backend.

After being contacted, the company has now secured their node.

For help securing Elasticsearch, watch the video at the link below:

https://www.elastic.co/elasticon/conf/2016/sf/securing-elasticsearch

Also see Amazon Elasticsearch Service (Amazon ES) Developer Guide
