Presentation is loading. Please wait.

Presentation is loading. Please wait.

Making Mongo Cry: NoSQL for Penetration Testers

Published byBruce Neagle Modified over 9 years ago

Similar presentations

Presentation on theme: "Making Mongo Cry: NoSQL for Penetration Testers"— Presentation transcript:

1 Making Mongo Cry: NoSQL for Penetration Testers
Russell Butturini @tcstoolhax0r

2 DISCLAIMER This presentation contains jokes from the movie Blazing Saddles. The presenter takes no responsibility if you haven’t seen one of the greatest films ever made and find none of his jokes funny.

3 Let’s talk about Mongo…But not this Mongo…

4 THIS Mongo

5 However they’re kind of the same…
Big Powerful Blindly trust input Do anything they’re told Don’t understand encryption

6 Frequent releases with lots of big changes
49% of LinkedIn member profiles mentioning NoSQL technologies reference MongoDB1. Frequent releases with lots of big changes “Generally, changes in the release series (e.g. 2.2 to 2.4) mark the introduction of new features that may break backwards compatibility” 2. 10Gen is oblivious to security issues: “…We were on with…the MongoDB guys talking about the security of the platform, and…it was really clear that they just didn’t care, because their customers weren’t asking for it.” -Rich Mogull, Security Weekly episode 3453. 1- 2- 3-

7 NoSQL Primer-Structure
Traditional SQL Mongo NoSQL Databases Databases Tables Collections Columns/Types Documents NoSQL-Logical organizational units, no restrictions Rows/Records Key-Value pairs

8 NoSQL Primer-Data Traditional SQL: Mongo NoSQL: {“firstname” : “John”, “lastname” : “Doe”, “widgets” : 5} or {“firstname” : “John”, “lastname” : “Doe”, “widgets” : “five”} {“firstname” : “John”, “lastname”, : “Doe”, “widgets” : 5, “foo” : “bar”} firstName (char) lastName (varchar) widgets (int) John Doe 5 Mongo-Dynamic! If schema doesn’t exist, it will make it for you. If data is not the right format, the insert happens anyways. Mongo stores documents in JSON and represents them in BSON to add additional data types and add efficiencies in encoding/decoding across platforms.

9 NoSQL Primer-Queries Traditional SQL: SELECT FROM users WHERE username = “joe”; Mongo NoSQL: db.users.find({“username” : “joe”}, {“ ” : 1}) Mongo-Dynamic! If schema doesn’t exist, it will make it for you. If data is not the right format, the insert happens anyways. Mongo stores documents in JSON and represents them in BSON to add additional data types and add efficiencies in encoding/decoding across platforms.

10 The Good Built for performance Highly scalable Dynamic and flexible

11 The Bad No standards between NoSQL platforms (you have to choose the right DB for the right job) Security is weak and inconsistently applied

12 The Disturbing No authentication required by default
Weak or plaintext password storage Cleartext network communication from client to server No data encryption “Use this only in trusted environments” (yeah right) Reliance on the clients/drivers for security/functionality

13 NoSQL=No Auth (at least by default)
Shodan: 33,575 Mongo default management ports exposed to the Internet (Feb 2014, Project Un1c0rn has more!) How many have the default of no authentication on?

14 (Most of the others were offline, not authenticated)
And… Total: 33,575 servers Unauthenticated: 18,979 (56.5%) (Most of the others were offline, not authenticated) RTFM: “The most effective way to reduce risk for MongoDB deployments is to run your entire MongoDB deployment, including all MongoDB components (i.e. mongod, mongos and application instances) in a trusted environment.”

15 At least 18,979 people believe the Internet is a trusted environment.
Conclusion At least 18,979 people believe the Internet is a trusted environment.

16 Pen Testing Fun /etc/mongod.conf-DB config
The best part: Disable ALL authentication (except for the web interface for some reason) by commenting out auth=true and kicking the service Run() acts as a shell (from wherever you launch the Mongo client from) Entering a command with no parameters shows the Javascript being executed in the shell system.users-Usernames and weak password hashes System.indexes-Key fields for speedy searching (probably important stuff) TCP Web management interface on by default (before 2.6) An optional REST API when enabled allows for querying databases through the web management

17 NoSQL = No Encryption Server/Client communications (including authentication) occur in PLAIN TEXT Passwords encrypted with MD5, but only use nonce over the wire (not at rest). Data encryption? You’re on your own. (More on this to come…)

18 NoSQL = No SQL Injection (not)
Changing syntax != no vulnerabilities Traditional SQL Injection: ‘ OR 1=1 -- MongoDB $where query injection( <=2.2): a‘; return db.ddlkad.find(); var dummy=‘a MongoDB $where query injection(<=2.4): a‘; return this.adfjda != djakflkdkl; var dummy=‘a or a‘; return 1=1; var dummy=‘a a’; return true; var dummy = ‘a Mention SpiderMonkey to V8 JavaScript interpreter change.

19 Client Issues PHP-What you Supply: What PHP Sees: What MongoDB Sees:
What PHP Sees: {“$ne”=>”something”} What MongoDB Sees: “Give me everything back that is not equal to ‘something’” Mention SpiderMonkey to V8 JavaScript interpreter change.

20 Credit where Credit is Due
On 4/8/2014, MongoDB 2.6 was released: New authentication methods including certificates and external authentication sources. Web interface is disabled by default. Granular role based access control. Auditing of schema, replica sets, authentication/authorization, general operations. Encryption in transit over SSL. Encryption at rest provided by Gazzang at the database and field levels. Mention SpiderMonkey to V8 JavaScript interpreter change.

21 But… Still no authentication by default.
The default distribution of MongoDB 2.6 does NOT contain support for SSL (recompile the whole thing locally or buy the enterprise version for 7,500 bucks). Gazzang encryption at rest isn’t free either. Password hashing is still using the same weak algorithm as previous versions. Mention SpiderMonkey to V8 JavaScript interpreter change.

22 NoSQLMap Project home page: www.nosqlmap.net
Automate all this stuff we just talked about and more. Always looking for more help!!!

23 Final Thoughts NoSQL databases can be a great tool, but you have to understand what you get. Devs can (and will) make the same mistakes they’ve been making for years. The default settings will get left on. Good application layer security is key since the database platform doesn’t provide any.

24 Questions? NoSQLMap home page: Project mailbox:

Download ppt "Making Mongo Cry: NoSQL for Penetration Testers"

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
WEB AND WIRELESS AUTOMATION connecting people and processes InduSoft Web Solution Welcome.

WEB AND WIRELESS AUTOMATION connecting people and processes InduSoft Web Solution Welcome.
© 2008 Security Compass inc. 1 Firefox Plug-ins for Application Penetration Testing Exploit-Me.

© 2008 Security Compass inc. 1 Firefox Plug-ins for Application Penetration Testing Exploit-Me.
DB Relay An Introduction. INSPIRATION Database access is WAY TOO HARD The crux.

DB Relay An Introduction. INSPIRATION Database access is WAY TOO HARD The crux.
Radius based ssh authentication Location of Radius server – radius-server host 192.168.1.2 auth-port 1812 acct-port 1813 key WinRadius – The same config.

Radius based ssh authentication Location of Radius server – radius-server host auth-port 1812 acct-port 1813 key WinRadius – The same config.
Filtering and Security By Mohammad Shanehsaz June 2004.

Filtering and Security By Mohammad Shanehsaz June 2004.
Client Connectivity Pertemuan 5 Matakuliah: T0413 Tahun: 2009.

Client Connectivity Pertemuan 5 Matakuliah: T0413 Tahun: 2009.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
1 June 1, 2015 Secure access to project budget information for OAR Principal Investigators Eugene F Burger Sylvia Scott Tracey Nakamura John L Forbes PMEL.

1 June 1, 2015 Secure access to project budget information for OAR Principal Investigators Eugene F Burger Sylvia Scott Tracey Nakamura John L Forbes PMEL.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
Security in SQL Jon Holmes CIS 407 Fall 2007. Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.

Security in SQL Jon Holmes CIS 407 Fall Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Computer Science 101 Web Access to Databases Overview of Web Access to Databases.

Computer Science 101 Web Access to Databases Overview of Web Access to Databases.
Project Implementation for COSC 5050 Distributed Database Applications Lab1.

Project Implementation for COSC 5050 Distributed Database Applications Lab1.
MongoDB Sharding and its Threats

MongoDB Sharding and its Threats
Web server and web browser It’s a take and give policy in between client and server through HTTP(Hyper Text Transport Protocol) Server takes a request.

Web server and web browser It’s a take and give policy in between client and server through HTTP(Hyper Text Transport Protocol) Server takes a request.
CSCI 6962: Server-side Design and Programming Course Introduction and Overview.

CSCI 6962: Server-side Design and Programming Course Introduction and Overview.

Similar presentations

Ads by Google