What is Mongosmash

MongoSmash is a Python tool designed to scan a list of IP addresses, attempt to authenticate with MongoDB instances, and recursively download their databases if access is granted without authentication.

Features

  • IP Address Scanning: Efficiently scans a list of provided IP addresses.
  • MongoDB Authentication Attempts: Tries to authenticate with each IP address.
  • Recursive Database Download: Downloads databases recursively upon successful authentication.
  • Logging: Detailed logging with Rich for better readability.
  • Multithreading: Uses multiple threads to speed up the scanning process.

Installation 🤖

  1. Clone the Repository:

    git clone https://github.com/kathuluman/mongosmash.git
    cd mongosmash
    
  2. Install Dependencies:

    pip install -r requirements.txt
    

Scanning For MongoDB Servers 🥭

The most effective way to use mongosmash is to scan the internet for MongoDB servers and feed the results into mongosmash. Internet scanning itself is not illegal, but what you do with your scan results is what decides whether you are acting legally or not. USE THIS ETHICALLY!

Port scan with masscan

There are a few ways to scan the internet with masscan: you can either scan specific subnets or you can scan the ENTIRE INTERNET. For internet scanning of any sort, and especially a scan of the entire internet, never do it from your home network: your ISP will catch your packets and shut you down as fast as you start, and you could get into legal issues. I recommend scanning from a VPS, but check your VPS provider's policy on internet scanning first. Usually it is a no, because when companies catch your packets they can take the VPS IP address and send a formal report to your provider, which can lead to their IP address range being blacklisted or flagged as malicious.

Scanning the entire internet for mongodb

The command below scans the entire internet at a max rate of 100000, which uses quite a bit of bandwidth and sends a LOT OF PACKETS. This gives you results the fastest, although I recommend lowering --max-rate to 2000, or really anything below 100000.

masscan 0.0.0.0/0 --exclude 255.255.255.255 -p 27017 --max-rate 100000 > 0.0.0.0-masscan.lst

Using your IP list with mongosmash

Now that you have your list of IP addresses in 0.0.0.0-masscan.lst, you can use mongosmash to mass-authenticate against them and locate unauthenticated MongoDB servers. This can be really useful in a pentest engagement, where you would use the IP range of your target instead.

Here is an example of scanning your target's subnet range (a /24 in this case).

masscan 172.15.14.0/24 --exclude 255.255.255.255 -p 27017 --max-rate 100000 > 172.15.14.0-masscan.lst

After the scan, each line of the output looks like this: "Discovered open port 27017/tcp on 172.15.14.15". We need a list of just IP addresses, and we can strip the prefix with the sed command on Linux.

sed -i 's@Discovered open port 27017/tcp on @@g' 172.15.14.0-masscan.lst

This gives you a list of just IP addresses. Now we need to remove any remaining spaces in the file, which we can do with sed once more.

sed -i 's/ //g' 172.15.14.0-masscan.lst

Now it really is just IP addresses. From here we can run mongosmash as follows.

python3 mongosmash.py -i 172.15.14.0-masscan.lst --threads=25

Mitigation Strategies

To defend against threat actors accessing your MongoDB servers, make sure proper authentication is enabled, and either set up a whitelist of authorized IP addresses or make your database accessible only through a private VPN.
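As an added example (not part of mongosmash), here is a small Python check for the two settings just described in a mongod.conf: authentication enabled and the listener bound to specific addresses rather than every interface. The sample configs, the minimal parser and the finding text are assumptions constructed for this example; the security.authorization, net.bindIp and net.bindIpAll keys are MongoDB's own.

```python
# Constructed sample configs (not from the page or the mongosmash project).
WEAK_CONF = """\
net:
  port: 27017
  bindIpAll: true
security:
  authorization: disabled
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.20.0.5   # loopback plus the VPN-side address
security:
  authorization: enabled
"""

def parse_mongod_conf(text):
    """Minimal two-level reader for the flat section/key layout used above.
    It strips '#' comments; it is not a general YAML parser."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):          # top-level section, e.g. "net:"
            section = line.strip().rstrip(":")
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip()
    return conf

def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both controls are set."""
    conf, findings = parse_mongod_conf(text), []
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': any client that "
                        "reaches the port can read and dump every database")
    net = conf.get("net", {})
    addrs = [a.strip() for a in net.get("bindIp", "").split(",") if a.strip()]
    if net.get("bindIpAll", "").lower() == "true" or any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append("mongod listens on every interface: bind to loopback/VPN "
                        "addresses only and filter port 27017 at the firewall")
    elif not addrs:
        findings.append("net.bindIp is not set: localhost-only on MongoDB 3.6+, "
                        "all interfaces on older releases; set it explicitly")
    return findings
```

Run audit_mongod_conf() over the text of your own mongod.conf; the weak sample yields two findings and the hardened one none.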

Conclusion

Secure your mongodb servers and make sure to ONLY hack ethically and responsibly!