MongoDB
aka mongod
NoSQL database on 27017, infamous for shipping with no authentication. An open instance hands over every collection, often including application credentials.
Ports
| Port | Proto | Notes |
|---|---|---|
27017 | tcp | MongoDB wire protocol |
Fingerprint
- mongosh connects without credentials when unauthenticated
- nmap mongodb-info
Key files
| Path | Holds | Sensitive |
|---|---|---|
/etc/mongod.conf | bind IP and whether authorization is enabled |
Default / weak creds
none by default (authorization disabled)
Service users
mongodb
Exploitation primitives
- Unauthenticated: list and dump all databases and collections
- Loot user/credential collections for passwords reused elsewhere
- NoSQL injection in front-end apps (authentication bypass with operators like $ne)
Overview
MongoDB on 27017 is a quick win when authorization is off (a common default). You simply connect and read everything, and application databases routinely hold credentials.
Enumeration
Nmap scripts (leak version and database list pre-auth):
nmap --script mongodb-databases,mongodb-info -p27017 <TARGET>Connect unauthenticated:
mongosh "mongodb://<TARGET>:27017"Connect authenticated:
mongosh "mongodb://user:pass@<TARGET>:27017/dbname"Check auth status and your effective permissions:
db.runCommand({connectionStatus: 1})List databases:
show dbsList collections in a database:
use <db>; show collectionsDump a collection (pretty):
db.users.find().pretty()List all users on the current database:
db.getUsers()Dump the whole instance offline (unauthenticated):
mongodump --host <TARGET> --port 27017 --out loot/Dump authenticated:
mongodump --uri "mongodb://user:pass@<TARGET>:27017" --out loot/Check for Mongo Express web UI (often unauthenticated, port 8081):
curl -s http://<TARGET>:8081Hardening
Enable authorization, bind to localhost, and create role-scoped users.