27017 / 27018 - MongoDB

Overview

MongoDB is a cross-platform document-oriented database program developed by MongoDB Inc and initially released February 11, 2009.

Classified as a NoSQL database program, MongoDB uses JSON-like documents with schemata.

Network scan and basic recon

nmap can be used to scan the network for exposed MongoDB database services.

nmap includes the following default NSE scripts, triggered by using -sC:

  • mongodb-info, which attempts to get build info and server status (sysinfo, MongoDB version, current and max connections, etc.)

  • mongodb-databases, which attempts to get a list of databases by using the listDatabases() function (by default, through an unauthenticated access).

nmap -v -sV -sC -oA nmap_MongoDB -p 27017,27018 <HOST | RANGE | CIDR>

HTTP interface

MongoDB provides a monitoring and administration HTTP interface. mongod versions greater than 2.6 run by default with the http interface disabled and the --rest option must be specified whenever starting the service.

The port used for the HTTP interface is 1000 more than the configured mongod port thus being 28017 for a default installation.

An exposed HTTP interface could be leveraged to leak information about the MongoDB components and databases.

Authentication brute force

Starting from MongoDB version 3.0, MongoDB uses a challenge and response mechanism: SCRAM-SHA-1. SCRAM-SHA-1 verifies supplied user credentials against the user’s name, password and database. The user’s database is the database where the user was created, and the user’s database and the user’s name together serve to identify the user.

Brute forcing the MongoDB service is thus quite difficult as, in addition to the username and password, a correct database name has to be provided.

The nmap NSE script mongodb-brute and the Metasploit module auxiliary/scanner/mongodb/mongodb_login can be used to brute force credentials on the service:

# Include an empty line in the passwords wordlist to test for empty password
nmap -v -sV --script mongodb-brute --script-args "userdb=<USERNAMES_FILE>,passdb=<PASSWORDS_FILE>" -p 27017,27018 <HOST | RANGE | CIDR>

msf > use auxiliary/scanner/mongodb/mongodb_login

Misconfigurations and known vulnerabilities

The mongoaudit python script can be used to detect misconfigurations and known vulnerabilities.

As of December 2018, the following tests are conducted:

  • MongoDB listens on a port different to default one

  • Server only accepts connections from whitelisted hosts / networks

  • MongoDB HTTP status interface is not accessible on port 28017 (See "HTTP interface" above)

  • MongoDB is not exposing its version number

  • MongoDB version is newer than 2.4

  • TLS/SSL encryption is enabled

  • Authentication is enabled

  • SCRAM-SHA-1 authentication method is enabled

  • Server-side Javascript is forbidden *

  • Roles granted to the user only permit CRUD operations *

  • The user has permissions over a single database *

  • Security bug CVE-2015-7882

  • Security bug CVE-2015-2705

  • Security bug CVE-2014-8964

  • Security bug CVE-2015-1609

  • Security bug CVE-2014-3971

  • Security bug CVE-2014-2917

  • Security bug CVE-2013-4650

  • Security bug CVE-2013-3969

  • Security bug CVE-2012-6619

  • Security bug CVE-2013-1892

  • Security bug CVE-2013-2132

Once started from the command line, mongoaudit makes use of a terminal graphical interface that can be used to start and follow the testing process.
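The checklist above maps almost one-to-one onto mongod.conf settings. The following configuration fragment, added here as an illustration and not taken from mongoaudit or the MongoDB project, shows the weak settings the checks flag next to a hardened equivalent; interfaces, port and certificate paths are placeholders, the net.http.* keys only exist on mongod before 3.6, and net.ssl.* was renamed net.tls.* in 4.2.

```yaml
# --- Weak mongod.conf (constructed example): what mongoaudit flags ---
net:
  port: 27017                  # default port, picked up by mass scans
  bindIp: 0.0.0.0              # listens on every interface, no host whitelist
  http:
    enabled: true              # status interface reachable on port 28017
    RESTInterfaceEnabled: true # REST API leaks database and server details
security:
  authorization: disabled      # anyone who can connect can read/write everything
  javascriptEnabled: true      # server-side JS ($where, mapReduce) allowed

# --- Hardened mongod.conf (constructed example) ---
net:
  port: 27117                  # non-default port: noise reduction only, not a control
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the application server (placeholder IP)
  http:
    enabled: false             # no HTTP status interface
    RESTInterfaceEnabled: false
  ssl:                         # net.tls on 4.2+
    mode: requireSSL           # refuse cleartext connections
    PEMKeyFile: /etc/ssl/mongodb.pem   # placeholder path
    CAFile: /etc/ssl/ca.pem            # placeholder path
security:
  authorization: enabled       # enforce users and roles
  javascriptEnabled: false     # removes server-side JS as an injection target
setParameter:
  authenticationMechanisms: SCRAM-SHA-1   # challenge-response only, no MONGODB-CR
```

The user-scoped checks marked with an asterisk (CRUD-only roles, single database) are not configuration settings but come from how users are created, so they have to be reviewed with db.getUsers() rather than in mongod.conf.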

Database access

The mongo CLI shell is an interactive JavaScript interface that can be used to query and update data as well as perform administrative operations on MongoDB databases.

# Specifying --password without the user’s password, will make the shell prompt for the password
mongo --username <USERNAME> --password --authenticationDatabase <DATABASE> --host <HOST> --port <PORT>

mongo mongodb://<USERNAME>:<PASSWORD>@<HOST>:<PORT>/<DATABASE>?authSource=<AUTH_DATABASE>

The supported mongo shell commands are:

  • db display the current database

  • show dbs, equivalent to db.adminCommand( { listDatabases: 1 } ), list the available databases, results conditioned by the authentication enforced and the current user access rights

  • use <DATABASE> switch to the specified database

  • db.getCollectionNames()

  • db.getCollection("<COLLECTION_NAME>").find({}).limit(50)

For more information about the MongoDB operations syntax, refer to the official documentation: https://docs.mongodb.com/manual/crud/.

Multiple GUI tools can be used to access a MongoDB database without the need to know the mongo NoSQL syntax. Studio 3T (previously known as MongoChef) provides a complete and intuitive graphical interface through a standalone executable.

NoSQL injection

Applications using MongoDB could be vulnerable to NoSQL injections.

Note that since MongoDB version 2.4 (released in March 2013), the exploit possibilities through a NoSQL injection are limited.

For a detailed methodology to conduct NoSQL injection against MongoDB, refer to the [WebApps] NoSQL injections - MongoDB note.

Compromised system to database access

If access to the underlying operating system hosting the MongoDB service can be obtained, it is possible to modify the MongoDB configuration to access the database without knowledge of the database users' credentials.

To add a superuser to the database:

  • Stop the MongoDB service sudo service mongod stop

  • Edit the MongoDB configuration file mongodb.conf


Last updated 3 years ago