Unauthenticated MongoDB

MongoDB does not enforce authentication by default. When such a server is reachable on the network, anyone who can connect to it can access all data within the database.

PENTESTING MONGODB

The commands needed to verify connectivity are fairly straightforward. The mongo client (and server) can be installed with the apt package mongodb.

The following commands can be used to explore and read data from an unauthenticated MongoDB server:

  • Connect to the server: mongo 10.0.0.5:27017

  • List databases: show dbs

  • Use database: use <database>

  • List collections: show collections

  • Search contents: db.<collection>.find()

An example session:

> show dbs
admin   0.000GB
config  0.000GB
local   0.000GB
> use config
switched to db config
> show collections
system.sessions
> db.system.sessions.find()
> show dbs
admin   0.000GB
config  0.000GB
local   0.000GB
> use admin
switched to db admin
> show collections
system.version
> db.system.version.find()
{ "_id" : "featureCompatibilityVersion", "version" : "3.6" }

CONFIGURING AUTHENTICATION

To secure a MongoDB server we’ll need to set a username and password. Once a user is created, the database needs to be shut down, and restarted with access control enabled.

1. CREATE AN ADMIN USER

The following will create a basic admin user:

You should then see a response as follows:

[Screenshot: MongoDB Create User]

2. ENABLE ACCESS CONTROL

In this example we are using Ubuntu, so we will edit /etc/mongodb.conf. We will find the following section:

We will then uncomment auth = true.

3. RESTART MONGODB

On Ubuntu we can restart the service with the following command:

We can then verify that access controls are enforced by reconnecting without credentials and running a query:
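The script below is an added example and is not code from the original page. It ties the three steps above together and also covers the check from the pentesting section: an audit function that reports whether a server answers queries without credentials, the createUser call for the admin database, a config edit that uncomments auth = true (or appends it when the line is missing), and a restart followed by the same anonymous-access check. It assumes the Ubuntu apt package layout the page describes (legacy mongo shell, service name mongodb, ini-style /etc/mongodb.conf); the host, the user name and the ADMIN_PASS environment variable are placeholders of mine. The config-editing and JS-building functions work on any file path, so they can be rehearsed on a copy before touching /etc.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumes an Ubuntu host with
# the apt "mongodb" package: legacy "mongo" shell, service name "mongodb",
# ini-style /etc/mongodb.conf. Host, user name and password are placeholders.

MONGO_HOST="${MONGO_HOST:-127.0.0.1:27017}"   # placeholder target
ADMIN_USER="${ADMIN_USER:-admin}"             # placeholder user name
MONGO_CONF="${MONGO_CONF:-/etc/mongodb.conf}"

# Audit: does the server answer listDatabases without credentials? Prints
# "OPEN" (anonymous access works) or "PROTECTED" (server demands auth).
check_anonymous_access() {
  out=$(mongo "$1" --quiet --eval 'printjson(db.adminCommand({listDatabases: 1}))' 2>&1)
  case "$out" in
    *"not authorized"*|*"requires authentication"*) echo "PROTECTED" ;;
    *databases*) echo "OPEN" ;;
    *) echo "UNKNOWN: $out" ;;
  esac
}

# True when the config already turns access control on.
auth_enabled() {
  grep -q '^[[:space:]]*auth[[:space:]]*=[[:space:]]*true' "$1"
}

# Enable access control: uncomment "#auth = true" in the legacy ini-style
# config, or append the line if it is absent. Leaves "#noauth = true" alone.
enable_auth_in_conf() {
  conf="$1"
  if grep -q '^[[:space:]]*#[[:space:]]*auth[[:space:]]*=[[:space:]]*true' "$conf"; then
    sed 's/^[[:space:]]*#[[:space:]]*auth[[:space:]]*=[[:space:]]*true.*/auth = true/' "$conf" > "$conf.tmp" \
      && mv "$conf.tmp" "$conf"
  elif ! auth_enabled "$conf"; then
    printf 'auth = true\n' >> "$conf"
  fi
}

# Mongo-shell JavaScript that creates the admin user. The password is passed
# through the environment rather than argv so it stays out of process listings;
# the JS string is built with printf, so the password must not contain a
# double quote.
create_admin_js() {
  printf 'db.getSiblingDB("admin").createUser({user: "%s", pwd: "%s", roles: [{role: "userAdminAnyDatabase", db: "admin"}]})\n' "$1" "$2"
}

# Full remediation, mirroring the three steps above. Only runs when the
# script is invoked as "sh harden.sh apply" with ADMIN_PASS set.
apply_hardening() {
  if [ -z "${ADMIN_PASS:-}" ]; then
    echo "set ADMIN_PASS in the environment first" >&2
    return 1
  fi
  echo "before: $(check_anonymous_access "$MONGO_HOST")"
  # 1. create the admin user while the server still accepts anonymous connections
  create_admin_js "$ADMIN_USER" "$ADMIN_PASS" | mongo "$MONGO_HOST" --quiet
  # 2. enable access control in the config
  enable_auth_in_conf "$MONGO_CONF"
  # 3. restart and verify that anonymous queries are now rejected
  sudo systemctl restart mongodb
  sleep 2
  echo "after: $(check_anonymous_access "$MONGO_HOST")"
}

if [ "${1:-}" = "apply" ]; then
  apply_hardening
fi
```

The audit function is the part worth keeping around: run it against your own hosts after the change (or from a scheduled job) and treat any "OPEN" result as a finding, since a later package upgrade or a rewritten config can silently drop auth = true again.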

REFERENCES

https://docs.mongodb.com/manual/tutorial/enable-authentication/
