DevOoops: Elasticsearch

Notes from the DevOoops talk on Elasticsearch

Elasticsearch provides a distributed, multitenant-capable full-text search engine with a RESTful web interface and schema-free JSON documents.

A GET request to port 9200 will show the version:

  "version" : {
    "number" : "1.2.4"

No Authentication (initially)

Can search stored data via HTTP API

Update data with PUT request

Join an open cluster and receive all data

RCE prior to 1.2.0 (CVE-2014-3120)
RCE prior to 1.5.0* (CVE-2015-1427)

exploit/multi/elasticsearch/script_mvel_rce
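A defender's first question on finding an instance that answers on 9200 is whether the reported version predates the two fixes above. The following is an added example (not from the talk or the original post) that parses the banner JSON and reports which of the two advisories still apply; the fixed-in versions 1.2.0 and 1.5.0 are taken from the notes, the sample banner is constructed, and fetch_banner is a hypothetical helper for checking a node you administer.

```python
import json
import urllib.request

# Fixed-in versions from the notes: CVE-2014-3120 fixed in 1.2.0,
# CVE-2015-1427 fixed in 1.5.0. Versions below these are unpatched.
FIXED_VERSIONS = {
    "CVE-2014-3120": (1, 2, 0),
    "CVE-2015-1427": (1, 5, 0),
}

# Constructed sample of what GET / on port 9200 returns (no auth needed).
SAMPLE_BANNER = """{
  "status" : 200,
  "name" : "constructed-node",
  "version" : {
    "number" : "1.2.4"
  },
  "tagline" : "You Know, for Search"
}"""


def parse_version(number):
    """Turn '1.2.4' or '1.5.0-beta1' into a comparable (major, minor, patch) tuple."""
    core = number.split("-")[0]           # drop pre-release suffixes
    nums = [int(p) for p in core.split(".")[:3]]
    while len(nums) < 3:                  # pad '1.5' to (1, 5, 0)
        nums.append(0)
    return tuple(nums)


def triage_banner(body):
    """Parse the root-document JSON and list the advisories the version predates."""
    doc = json.loads(body)
    number = doc["version"]["number"]
    ver = parse_version(number)
    unpatched = sorted(cve for cve, fixed in FIXED_VERSIONS.items() if ver < fixed)
    return {"version": number, "unpatched": unpatched}


def fetch_banner(host, port=9200, timeout=3):
    """Hypothetical helper: fetch the banner from a node you administer.
    No credentials are sent, so a successful read also confirms the node
    answers unauthenticated."""
    with urllib.request.urlopen(f"http://{host}:{port}/", timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run against the constructed banner.
    print(triage_banner(SAMPLE_BANNER))
```

The version comparison is done on tuples rather than strings so that 0.90.13 sorts below 1.2.0; inventory scripts that compare versions lexically get this wrong.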

Kibana
Searching via curl/browser is cumbersome…Kibana FTW
Edit config.js to point to open Elasticsearch
Open index.html in local browser or host on a server

Viewing the content of the document
Import your own data and visualize
Elasticsearch solutions:
Apply authentication if possible
Segment elasticsearch from Corp (and the public in general)
Be aware of the data you put in Elasticsearch
-> anyone can search it
Logs Logs Logs
osquery
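Segmentation and logging only help if someone reads the logs. The following is an added example (not from the talk or the original post) that audits a constructed access log from a reverse proxy in front of Elasticsearch and flags reads and writes that arrive from outside an assumed allowed segment. The combined log format, the 10.20.0.0/16 application segment and the sample lines are all assumptions made for the example.

```python
import ipaddress
import re

# Combined-log-format line as a reverse proxy in front of Elasticsearch
# would write it (assumed deployment, not described in the notes).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed: only the application / log-shipper segment may talk to the cluster.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
WRITE_METHODS = {"PUT", "POST", "DELETE"}

# Constructed sample log: two internal requests, three from outside the segment.
SAMPLE_LOG = """\
10.20.5.7 - - [12/Mar/2015:10:01:02 +0000] "GET /logs-2015.03.12/_search?q=error HTTP/1.1" 200 5120
203.0.113.9 - - [12/Mar/2015:10:01:05 +0000] "GET / HTTP/1.1" 200 310
203.0.113.9 - - [12/Mar/2015:10:01:09 +0000] "GET /_search?q=password HTTP/1.1" 200 8801
192.168.3.4 - - [12/Mar/2015:10:02:00 +0000] "PUT /users/user/1 HTTP/1.1" 201 74
10.20.5.7 - - [12/Mar/2015:10:02:30 +0000] "POST /_bulk HTTP/1.1" 200 11
"""


def audit_access_log(text, allowed_nets=ALLOWED_NETS):
    """Return one finding per request whose client is outside the allowed nets.

    Writes from outside are reported separately from reads because an open
    PUT means data can be altered, not just read (see 'Update data with PUT').
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not requests
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in allowed_nets):
            continue                      # expected traffic from the app segment
        kind = "write" if m["method"] in WRITE_METHODS else "read"
        findings.append({
            "ip": m["ip"],
            "method": m["method"],
            "path": m["path"],
            "reason": f"{kind} from outside the allowed segment",
        })
    return findings


def summarize(findings):
    """Count findings per client IP so the noisiest source is obvious."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['method']:6} {f['path']:40} {f['reason']}")
    print(summarize(audit_access_log(SAMPLE_LOG)))
```

If the proxy also logs whether a request carried credentials, the same loop can flag unauthenticated requests regardless of source, which is the check that matters once authentication is actually enforced.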

This is a Security Bloggers Network syndicated blog post authored by CG. Read the original post at: Carnal0wnage & Attack Research Blog