README.md

MongoDB enumeration and exploitation

• Initial enumeration
• Connecting to a MongoDB database
• Enumerating a database

Initial enumeration

nmap -vv -p 27017,27018 -sT --script=+mongodb* <ip>

Connecting to a MongoDB database

• Using mongo CLI:

mongo "mongodb://<username>@<ip>:27017/<database>" -p '<password>'

Enumerating a database

• Get configuration:

db.adminCommand({getParameter:"*"})

• Get current user and roles:

db.runCommand({connectionStatus : 1})

• Get users:

db.getUsers()
db.getUser("<username>")

• Get password hashes:

wget https://raw.githubusercontent.com/philsmd/mongodb2hashcat/main/mongodb2hashcat.js
mongo "mongodb://<username>@<ip>:27017/<database>" -p '<password>' --quiet mongodb2hashcat.js # Use 24100 and 24200 hashcat modes to crack them

• Show databases:

show dbs

• Show current dabase:

db

• Change database:

use <database>

• Show collections:

show collections

• Show data:

db.<collection>.find()
db.<collection>.find().pretty()