27017,27018 - Pentesting MongoDB

Previous15672 - Pentesting RabbitMQ Management Next44818/UDP/TCP - Pentesting EthernetIP

Last updated 3 years ago

Was this helpful?

27017,27018 - Pentesting MongoDB

Basic Information

MongoDB is an database management system (DBMS) that uses a document-oriented database model which supports various forms of data. (From )

Default port: 27017, 27018

PORT      STATE SERVICE VERSION
27017/tcp open  mongodb MongoDB 2.6.9 2.6.9

Enumeration

Manual

from pymongo import MongoClient
client = MongoClient(host, port, username=username, password=password)
client.server_info() #Basic info
#If you have admin access you can obtain more info
admin = client.admin
admin_info = admin.command("serverStatus")
cursor = client.list_databases()
for db in cursor:
    print(db)
    print(client[db["name"]].list_collection_names())
#If admin access, you could dump the database also

Some MongoDB commnads:

show dbs
use <db>
show collections
db.<collection>.find()  #Dump the collection
db.<collection>.count() #Number of records of the collection
db.current.find({"username":"admin"})  #Find in current db the username admin

Automatic

nmap -sV --script "mongo* and default" -p 27017 <IP> #By default all the nmap mongo enumerate scripts are used

Shodan

All mongodb: "mongodb server information"
Search for full open mongodb servers: "mongodb server information" -"partially enabled"
Only partially enable auth: "mongodb server information" "partially enabled"

By default mongo does not require password. Admin is a common mongo database.

mongo <HOST>
mongo <HOST>:<PORT>
mongo <HOST>:<PORT>/<DB>
mongo <database> -u <username> -p '<password>'

The nmap script: mongodb-brute will check if creds are needed.

nmap -n -sV --script mongodb-brute -p 27017 <ip>

Look inside /opt/bitnami/mongodb/mongodb.conf to know if credentials are needed:

grep "noauth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#" #Not needed
grep "auth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#\|noauth" #Not needed

Mongo Objectid Predict

Mongo Object IDs are 12-byte hexadecimal strings:

For example, here’s how we can dissect an actual Object ID returned by an application: 5f2459ac9fa6dc2500314019

5f2459ac: 1596217772 in decimal = Friday, 31 July 2020 17:49:32
9fa6dc: Machine Identifier
2500: Process ID
314019: An incremental counter

Of the above elements, machine identifier will remain the same for as long as the database is running the same physical/virtual machine. Process ID will only change if the MongoDB process is restarted. Timestamp will be updated every second. The only challenge in guessing Object IDs by simply incrementing the counter and timestamp values, is the fact that Mongo DB generates Object IDs and assigns Object IDs at a system level.

Post

If you are root you can modify the mongodb.conf file so no credentials are needed (noauth = true) and login without credentials.

Previous15672 - Pentesting RabbitMQ Management Next44818/UDP/TCP - Pentesting EthernetIP

Last updated 3 years ago

Was this helpful?

Basic Information

MongoDB is an database management system (DBMS) that uses a document-oriented database model which supports various forms of data. (From )

Default port: 27017, 27018

PORT      STATE SERVICE VERSION
27017/tcp open  mongodb MongoDB 2.6.9 2.6.9

Enumeration

Manual

from pymongo import MongoClient
client = MongoClient(host, port, username=username, password=password)
client.server_info() #Basic info
#If you have admin access you can obtain more info
admin = client.admin
admin_info = admin.command("serverStatus")
cursor = client.list_databases()
for db in cursor:
    print(db)
    print(client[db["name"]].list_collection_names())
#If admin access, you could dump the database also

Some MongoDB commnads:

show dbs
use <db>
show collections
db.<collection>.find()  #Dump the collection
db.<collection>.count() #Number of records of the collection
db.current.find({"username":"admin"})  #Find in current db the username admin

Automatic

nmap -sV --script "mongo* and default" -p 27017 <IP> #By default all the nmap mongo enumerate scripts are used

Shodan

All mongodb: "mongodb server information"
Search for full open mongodb servers: "mongodb server information" -"partially enabled"
Only partially enable auth: "mongodb server information" "partially enabled"

By default mongo does not require password. Admin is a common mongo database.

mongo <HOST>
mongo <HOST>:<PORT>
mongo <HOST>:<PORT>/<DB>
mongo <database> -u <username> -p '<password>'

The nmap script: mongodb-brute will check if creds are needed.

nmap -n -sV --script mongodb-brute -p 27017 <ip>

****

Look inside /opt/bitnami/mongodb/mongodb.conf to know if credentials are needed:

grep "noauth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#" #Not needed
grep "auth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#\|noauth" #Not needed

Mongo Objectid Predict

Mongo Object IDs are 12-byte hexadecimal strings:

For example, here’s how we can dissect an actual Object ID returned by an application: 5f2459ac9fa6dc2500314019

5f2459ac: 1596217772 in decimal = Friday, 31 July 2020 17:49:32
9fa6dc: Machine Identifier
2500: Process ID
314019: An incremental counter

The tool , given a starting Object ID (you can create an account and get a starting ID), it sends back about 1000 probable Object IDs that could have possibly been assigned to the next objects, so you just need to bruteforce them.

Post

If you are root you can modify the mongodb.conf file so no credentials are needed (noauth = true) and login without credentials.

Basic Information

Enumeration

Manual

Automatic

Shodan

Login

Mongo Objectid Predict

Post

Basic Information

Enumeration

Manual

Automatic

Shodan

Login

****

Mongo Objectid Predict

Post

****