As always, PRs are welcome.

Please bear this spirit in mind when proposing a fix, a new feature, etc.: this tool is intended for a user who wants to analyse large OSINT data via semi-automated means. This is the very reason why, unlike other tools, it is designed to request as much detailed information as possible (for example, requesting POST index_name/_search for each index). Therefore, please help craft this tool in that way when contributing.
/elasticpwn contains separate folders:

- /lookup-addrs: provides utilities for getting info about a URL. This package can be built as a standalone module as well.
- /util: contains shared, commonly used tools across packages.
- /plugins: this is where all plugins reside. Any new plugins should be built in this folder too. Plugins will be exported and used in /elasticpwn. Plugins should be abstracted well and should expose as few public methods as possible.
- If you don't know already, Elasticsearch is a tool for collecting, analysing and viewing large data, and Kibana is its frontend.
- Sometimes an IP has the Elasticsearch port open but not the Kibana port; on other occasions it is the reverse; otherwise it may have both open. This is why both plugins are needed.
- Kibana has a dev tools page, which lets the user send a request to Elasticsearch via a proxy. We use that proxy API.
- Elasticsearch is more straightforward; it has official API documentation. There is an official Go client for Elasticsearch, but it's not used here because all this tool needs is to query a very few API endpoints, and that takes little effort to do directly.
- Elasticsearch can have many useless indices. These are listed in elastic-util.go and automatically filtered out when querying indices.
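An added example (not the project's own code) of the index filtering described above, applied to a `GET _cat/indices?format=json` listing. The skip list and the sample response are constructed for this example and are not the list kept in elastic-util.go.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// catIndex holds the one field this example needs from a `GET _cat/indices?format=json` row.
type catIndex struct {
	Index string `json:"index"`
}

// skippedIndices is a constructed skip list for this example, not the list in elastic-util.go.
var skippedIndices = map[string]bool{
	"kibana_sample_data_ecommerce": true,
	"kibana_sample_data_flights":   true,
	"kibana_sample_data_logs":      true,
}

// IsNoiseIndex reports whether an index should be dropped before any per-index query:
// system indices (leading dot) and the sample data sets listed above.
func IsNoiseIndex(name string) bool {
	return strings.HasPrefix(name, ".") || skippedIndices[name]
}

// FilterCatIndices parses a _cat/indices JSON body and returns the index names that remain.
func FilterCatIndices(body []byte) ([]string, error) {
	var rows []catIndex
	if err := json.Unmarshal(body, &rows); err != nil {
		return nil, fmt.Errorf("parse _cat/indices: %w", err)
	}
	keep := make([]string, 0, len(rows))
	for _, r := range rows {
		if !IsNoiseIndex(r.Index) {
			keep = append(keep, r.Index)
		}
	}
	return keep, nil
}

func main() {
	// Constructed sample response; only the "index" field is read, any other fields are ignored.
	sample := []byte(`[{"index":".kibana_1"},{"index":"kibana_sample_data_logs"},{"index":"customer-records"},{"index":".security-7"}]`)
	names, err := FilterCatIndices(sample)
	if err != nil {
		panic(err)
	}
	fmt.Println(names) // [customer-records]
}
```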
This is my first project using Go. It's very possible that I've made stupid mistakes. Please help fix them.
```shell
$ git clone https://github.com/9oelM/elasticpwn.git
$ cd elasticpwn
$ go version # at least 1.17
go version go1.17.2 linux/amd64
$ go mod tidy
```

```shell
# alternatively, you can use any other tool that can gather data about it, for example a Google dork.
$ shodan download --limit 300 elasticsearch-sample elasticsearch # you may need to add more keywords to easily find 'open' elasticsearch instances
$ shodan parse --fields ip_str,port --separator : elasticsearch-sample.gz > elasticsearch-sample.txt
```

```shell
$ go build -v
# the input file must be a list of URLs pointing to elasticsearch or kibana instances. For example:
# 123.123.123.123:9200
# 4.5.6.7:9200
# and so on.
$ ./elasticpwn elasticsearch -f elasticsearch-sample.txt -t 12 -of elasticsearch-sample.json -om json
# or use mongodb to store the result (replace the placeholders with your own credentials and host)
$ ./elasticpwn elasticsearch -f elasticsearch-sample.txt -murl mongodb://root:<password>@<mongo-host>:27017/ -t 12 -om mongo
```
Sometimes you may want to dive into the docker container to inspect mongo directly. You may want to use the commands below in that case.

```shell
docker container ls # find which container is responsible for mongodb
docker exec -it [container-id] /bin/bash # enter the docker container shell
mongo "mongodb://root:example@mongo:27017/" # log in to the console
```

Alternatively, you could use a tool like DataGrip to query from a separate program.
Visual Studio Code is highly recommended. Note that gopls does not support a multi-package environment without any config, so you need to open a workspace in VS Code and add the respective package folders (lookup-addrs, main, plugins, ...) to the workspace. To do that, find the elasticpwn/elasticpwn.code-workspace file in this repository and open that workspace in Visual Studio Code to avoid any weird errors.