Network Penetration Testing

Unauthenticated MongoDB – Attack and Defense


MongoDB does not enforce authentication by default. If the server is also reachable over the network, anyone who can connect to its port (27017 by default) can read, modify or delete every database on it without presenting any credentials.

Pentesting MongoDB

The commands needed to verify connectivity are straightforward. On Ubuntu the mongo client (and server) can be installed with the apt package mongodb.

The following commands can be used to explore and read data from an unauthenticated MongoDB server (add --host <ip>, and --port if it is not 27017, to target a remote system):

  • Connect to the server: mongo
  • List databases: show dbs
  • Use database: use <database>
  • List collections: show collections
  • Search contents: db.<collection>.find()

Below is an example session against a fresh install. Only the default admin, config and local databases exist, so there is little data to read, but even this leaks the server's feature compatibility version (3.6):

> show dbs
admin   0.000GB
config  0.000GB
local   0.000GB
> use config
switched to db config
> show collections
> db.system.sessions.find()
> show dbs
admin   0.000GB
config  0.000GB
local   0.000GB
> use admin
switched to db admin
> show collections
> db.system.version.find()
{ "_id" : "featureCompatibilityVersion", "version" : "3.6" }

Configuring Authentication

To secure a MongoDB server we need to create a user with a password, then restart the server with access control enabled. Do it in that order: the user must exist before authorization is switched on, otherwise the only way to create one is through the localhost exception on the server itself.

1. Creating an Admin User

The following creates an administrative user in the admin database. Replace the example password with a strong one, and note that userAdminAnyDatabase already lets this account grant itself any role, so its credentials deserve the same care as root's:

use admin
db.createUser(
  {
    user: "myUserAdmin",
    pwd: "p@ssw0rd",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
  }
)

The shell should respond with Successfully added user: followed by the user document you supplied.

2. Enable Access Control

In this example we are using Ubuntu's mongodb package, so we edit /etc/mongodb.conf and find the following section:

# Turn on/off security.  Off is currently the default
#noauth = true
#auth = true

Uncomment auth = true (leave noauth commented out). If MongoDB was installed from the upstream repository instead, the file is /etc/mongod.conf, it is in YAML format, and the equivalent setting is authorization: enabled under the security: key.
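As an added check, not part of the original page, the following Python audit parses a MongoDB config file and reports whether access control is actually on. It goes a little beyond the page: it understands both the legacy ini-style /etc/mongodb.conf edited above and the YAML /etc/mongod.conf of upstream packages, and it also flags the bind address, since enabling auth does not stop mongod from listening on the network. The config texts at the bottom are constructed samples, not copied from a real host.

```python
import re


def auth_enabled(conf_text):
    """True if the config turns on access control.

    Handles the legacy ini form (auth = true) and the YAML form
    (security: / authorization: enabled). Comments are stripped first, so the
    shipped '#auth = true' correctly counts as disabled.
    """
    in_security = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^\s*auth\s*=\s*(\S+)", line)      # legacy key = value
        if m:
            return m.group(1).lower() == "true"
        if not line[0].isspace():                        # YAML top-level key
            in_security = line.strip() == "security:"
            continue
        if in_security:                                  # indented child of security:
            m = re.match(r"^\s+authorization\s*:\s*[\"']?(\w+)", line)
            if m:
                return m.group(1).lower() == "enabled"
    return False


def bind_address(conf_text):
    """Return the configured bind address, or None when the file leaves the default."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if re.match(r"^bindIpAll\s*:\s*true", line):
            return "0.0.0.0"
        m = re.match(r"^(?:bind_ip\s*=|bindIp\s*:)\s*[\"']?([^\"']+)", line)
        if m:
            return m.group(1).strip()
    return None


def audit(conf_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not auth_enabled(conf_text):
        findings.append("access control disabled: anyone reaching the port reads every database")
    addr = bind_address(conf_text)
    if addr is None:
        findings.append("bind address not set: MongoDB before 3.6 then listens on all interfaces")
    elif addr.split(",")[0].strip() in ("0.0.0.0", "::"):
        findings.append(f"bind address {addr}: mongod is reachable from the network")
    return findings


# Constructed sample configs (assumptions for illustration, not real files).
LEGACY_DEFAULT = """# Ubuntu mongodb package style
bind_ip = 127.0.0.1
#port = 27017
# Turn on/off security.  Off is currently the default
#noauth = true
#auth = true
"""
LEGACY_HARDENED = LEGACY_DEFAULT.replace("#auth = true", "auth = true")
YAML_OPEN = """net:
  port: 27017
  bindIp: 0.0.0.0
"""
YAML_HARDENED = """net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: "enabled"
"""

if __name__ == "__main__":
    for name, text in [("legacy default", LEGACY_DEFAULT), ("legacy hardened", LEGACY_HARDENED),
                       ("yaml open", YAML_OPEN), ("yaml hardened", YAML_HARDENED)]:
        print(name, "->", audit(text) or "ok")
```

To run it against a live host, pass the contents of /etc/mongodb.conf or /etc/mongod.conf to audit(); the YAML handling is deliberately minimal (top-level security: followed by an indented authorization:), which is the only shape mongod accepts for that option.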

3. Restart MongoDB

On Ubuntu we can restart the service with the following command (for upstream packages the unit is called mongod, matching the mongod.conf file):

sudo systemctl restart mongodb

We can then verify that access control is enforced by reconnecting without credentials and running a query. Do this from a remote host as well, since the goal is to stop network access, and confirm that the new user can still log in with mongo -u myUserAdmin -p --authenticationDatabase admin. Authentication does not stop mongod from listening on the network, so keep bind_ip = 127.0.0.1 (or firewall port 27017) unless remote clients genuinely need access:

$ mongo
MongoDB shell version v3.6.3
connecting to: mongodb://
MongoDB server version: 3.6.3
> show dbs
2021-09-08T02:09:59.898-0700 E QUERY    [thread1] Error: listDatabases failed:{
    "ok" : 0,
    "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0, $db: \"admin\" }",
    "code" : 13,
    "codeName" : "Unauthorized"
} :
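The same check, whether a server answers listDatabases without credentials, can be scripted without the mongo client at all. The following Python probe is an added example and not part of the original page: it speaks just enough of the MongoDB wire protocol (OP_MSG, which assumes server 3.6 or newer, as in the transcripts above) to send listDatabases to the admin database with no handshake and no credentials, then classifies the answer as OPEN (the situation in the pentesting section) or AUTH_REQUIRED (the code 13 Unauthorized error shown above). The verdict strings, the sample replies and the default target address are assumptions for illustration; the BSON encoder/decoder covers only the types such a reply contains.

```python
import socket
import struct

OP_MSG = 2013  # opcode of the OP_MSG wire format (MongoDB 3.6+)


def encode_bson(doc):
    """Encode a dict into a BSON document (str, int32, float, bool, dict, list)."""
    out = b""
    for key, value in doc.items():
        kb = key.encode() + b"\x00"
        if isinstance(value, bool):  # check before int: bool subclasses int
            out += b"\x08" + kb + (b"\x01" if value else b"\x00")
        elif isinstance(value, int):
            out += b"\x10" + kb + struct.pack("<i", value)
        elif isinstance(value, float):
            out += b"\x01" + kb + struct.pack("<d", value)
        elif isinstance(value, str):
            sb = value.encode() + b"\x00"
            out += b"\x02" + kb + struct.pack("<i", len(sb)) + sb
        elif isinstance(value, dict):
            out += b"\x03" + kb + encode_bson(value)
        elif isinstance(value, list):
            out += b"\x04" + kb + encode_bson({str(i): v for i, v in enumerate(value)})
        else:
            raise TypeError(f"unsupported value for key {key!r}: {value!r}")
    return struct.pack("<i", len(out) + 5) + out + b"\x00"


def decode_bson(buf, pos=0):
    """Decode one BSON document at buf[pos:]; returns (dict, position after it)."""
    end = pos + struct.unpack_from("<i", buf, pos)[0]
    pos, doc = pos + 4, {}
    while pos < end - 1:  # the final byte is the document's 0x00 terminator
        etype, nul = buf[pos], buf.index(b"\x00", pos + 1)
        key, pos = buf[pos + 1:nul].decode(), nul + 1
        if etype == 0x01:                   # double
            doc[key] = struct.unpack_from("<d", buf, pos)[0]; pos += 8
        elif etype == 0x02:                 # string: int32 length including NUL
            n = struct.unpack_from("<i", buf, pos)[0]
            doc[key] = buf[pos + 4:pos + 3 + n].decode(); pos += 4 + n
        elif etype in (0x03, 0x04):         # embedded document / array
            sub, pos = decode_bson(buf, pos)
            doc[key] = list(sub.values()) if etype == 0x04 else sub
        elif etype == 0x05:                 # binary: int32 length, subtype byte, data
            n = struct.unpack_from("<i", buf, pos)[0]
            doc[key] = buf[pos + 5:pos + 5 + n]; pos += 5 + n
        elif etype == 0x08:                 # boolean
            doc[key] = buf[pos] == 1; pos += 1
        elif etype == 0x10:                 # int32
            doc[key] = struct.unpack_from("<i", buf, pos)[0]; pos += 4
        elif etype in (0x11, 0x12):         # timestamp / int64 (both 8 bytes)
            doc[key] = struct.unpack_from("<q", buf, pos)[0]; pos += 8
        else:
            raise ValueError(f"unhandled BSON type 0x{etype:02x} for key {key!r}")
    return doc, end


def build_op_msg(command, request_id=1, response_to=0):
    # OP_MSG: 16-byte header, uint32 flagBits (0), one kind-0 section holding the body
    payload = struct.pack("<I", 0) + b"\x00" + encode_bson(command)
    return struct.pack("<iiii", 16 + len(payload), request_id, response_to, OP_MSG) + payload


def parse_op_msg(data):
    """Return the body document of an OP_MSG (header 16 bytes, flags 4, section kind 1)."""
    length, _, _, opcode = struct.unpack_from("<iiii", data, 0)
    if opcode != OP_MSG or length > len(data):
        raise ValueError(f"unexpected reply: opcode={opcode} length={length}")
    return decode_bson(data, 21)[0]


def classify(reply):
    """Map a listDatabases reply to (verdict, database names)."""
    if reply.get("ok") == 1 and "databases" in reply:
        return "OPEN", [d["name"] for d in reply["databases"]]
    if reply.get("code") == 13 or reply.get("codeName") == "Unauthorized":
        return "AUTH_REQUIRED", []
    return "UNKNOWN", []


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe(host, port=27017, timeout=5.0):
    """Connect, send listDatabases with no credentials, and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_op_msg({"listDatabases": 1, "$db": "admin"}))
        head = recv_exact(sock, 16)
        data = head + recv_exact(sock, struct.unpack_from("<i", head)[0] - 16)
    return classify(parse_op_msg(data))


# Constructed sample replies (not captured from a real server); field names match mongod's.
OPEN_REPLY = {"databases": [{"name": "admin", "sizeOnDisk": 32768.0, "empty": False},
                            {"name": "local", "sizeOnDisk": 73728.0, "empty": False}],
              "totalSize": 106496.0, "ok": 1.0}
DENIED_REPLY = {"ok": 0.0, "errmsg": "not authorized on admin to execute command "
                "{ listDatabases: 1.0, $db: \"admin\" }", "code": 13, "codeName": "Unauthorized"}
```

Call probe("10.0.0.5") (address assumed) from a scanning host: OPEN with a list of names means the finding from the pentesting section applies; AUTH_REQUIRED is the post-hardening state; UNKNOWN means the reply did not match either shape and is worth looking at by hand.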

