In this article we will scan the internet for open MongoDB instances (MongoDB services that do not require authentication) and connect to them; after that we own the database. Now, you might be thinking: who would be so dumb as to leave their database connection unauthenticated? Guess what, there are many. These open databases are connected to the internet and can easily be PWNED by hackers in a few simple steps.
Usually a DBMS is hosted on a specific default port which is publicly known, and when a hacker scans a subnet, or the whole Internet, for that port, he gets a list of IPs which have it open; after that all he has to do is brute-force the credentials or exploit a 0day to get in. Let’s hunt some open MongoDB services, shall we?
Before we begin: there’s a tool out there (I’m the dev >.<) called MongoPWN which can automate this entire process. First I’ll show you the steps to do this manually and then we’ll look at MongoPWN.
1. Scanning for MongoDB services using Masscan/Shodan
By default all MongoDB services listen on port 27017, so all we gotta do is scan for that port using masscan or Shodan and we’ll have a list of IPs at our disposal. Masscan can be a bit time consuming and might not return accurate results, while Shodan will only give you 100 IPs unless you have a premium account (we’ll talk more about this below).
A) Masscan
If you’re using a pen-testing OS like Kali, Parrot Sec, etc., cool, they have masscan installed by default; if not you might have to follow the installation instructions listed in the official masscan repository.
masscan 0.0.0.0/0 -p27017 --exclude 255.255.255.255 --rate 100000000 --open-only | awk '{print $6}' > masscan.txt
Running this command will scan the internet for services running on port 27017 (MongoDB services) and redirect the output (IPs) to masscan.txt in the current working directory. This can take some time, so go play some Minecraft until it’s done (no, don’t actually do that).
B) Shodan
To search for port 27017 or the MongoDB service we need a Shodan API key, which can be obtained by creating an account, so go ahead and create one. Once you’ve created your account, get the API key from here and install the Shodan CLI.
sudo apt install shodan
Now initialize your key by typing
shodan init <key here>
If you have a free account, you cannot use search filters and it provides you with only 100 IPs. As for a premium account, we don’t actually need the account itself, just a premium API key, and I heard there are plenty of fools who leak their API keys on platforms like github, pastebin, etc… if you know what I mean ;)
Use the command below if you have a non-premium key; this will download 100 IPs and save them in compressed JSON format
shodan download mongo.json.gz product:MongoDB
If you have a premium key, you can use the command below and get 10,000 IPs (you can increase the limit if you want to)
shodan download --limit 10000 mongo.json.gz product:MongoDB
Now we gotta extract the IP addresses from the rest of the information in the JSON file and redirect the output to a text file; to do so use the command:
shodan parse --fields ip_str mongo.json.gz > mongo.txt
That’s it for the scanning part. Now we need to connect to each of these IPs and check if they require any authentication; the ones which don’t can either be saved to another text file, or just do whatever you want with ’em.
2. Checking for Authentication
For this part we need to do some coding and automate the process of checking the IPs, unless we wanna check every IP manually (trust me, that’s a bad idea). Anyway, I’ll be using Python and pymongo for this; you can use any other language and library. You can download the script from here.
The above script will read the IPs from mongo.txt (if you’ve saved the IPs in a different file make sure you change the file name in line 5), scan each one and output the open ones to open_mongo.txt.
Now, you can use a GUI client such as MongoDB Compass or any other client to connect to these databases, or you could also make a simple script if you wanna perform the same action on each one.
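The flip side of the check above, as an added example that is not from this article or from MongoPWN: a Python audit of your own mongod.conf for the two settings that produce exactly the open instances this scan finds, a bind address exposed on every interface with authorization left off. It assumes the config uses only the nested key: value subset of YAML that mongod.conf normally does, so it needs no external libraries; the two sample configs are constructed.

```python
def parse_simple_yaml(text):
    """Flatten the nested-mapping YAML subset mongod.conf uses into
    {'section.key': 'value'}; comments and blank lines are skipped."""
    flat, stack = {}, []  # stack holds (indent, key) of enclosing sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # dedent: we left a nested section
        path = ".".join([k for _, k in stack] + [key.strip()])
        value = value.strip().strip("'\"")
        if value:
            flat[path] = value
        else:
            stack.append((indent, key.strip()))
    return flat

def audit_mongod_conf(text):
    """Return findings; an empty list means the instance is neither
    reachable on every interface nor running without authorization."""
    cfg = parse_simple_yaml(text)
    findings = []
    # mongod binds to localhost by default (since 3.6), so only an explicit
    # wildcard address or bindIpAll counts as exposure.
    bind_ips = {ip.strip() for ip in cfg.get("net.bindIp", "127.0.0.1").split(",")}
    if cfg.get("net.bindIpAll", "false").lower() == "true" or bind_ips & {"0.0.0.0", "::"}:
        findings.append("net.bindIp exposes mongod on all interfaces")
    # Authorization is off by default: anyone who can reach the port is admin.
    if cfg.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled")
    return findings

WEAK_CONF = """\
net:
  bindIp: 0.0.0.0        # constructed sample: the state the scan above finds
"""

HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1      # constructed sample: local only, auth required
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["OK"])
```

A config that passes both checks is still only as safe as the user passwords behind it; the audit tells you whether you are in the "no password at all" bucket this article targets.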
Using MongoPWN
First off, clone the repository from github and move into it
git clone https://github.com/Assassinumz/mongoPWN.git && cd mongoPWN
Run the script with the -h flag to see the available options (the masscan feature is yet to be added). Let’s use Shodan for now and output the results to a file
python main.py -s <API_key> -o output_file.txt
You can also scan a text file with IPs (provided that they’re on separate lines). I’ve provided a list of 1000 IPs in the repository ;). To scan a text file and output the result to a file use the command below
python main.py -i input_file.txt -o output_file.txt
That’s it for this article, hope you like it, stay tuned for more. If you’ve got any questions hit me up on Discord, I’ll try my best to clear your doubts.