Big Data MongoDB Penetration Testing – Big Data is in huge demand nowadays, and MongoDB is one of the most widely used NoSQL databases. With the growing use of NoSQL databases, their security needs to be taken seriously. Just like any other system, securing a NoSQL database is not a one-person job; everyone in the ecosystem shares the responsibility. Even though MongoDB ships with some built-in security features, a production deployment can still be vulnerable for various reasons: misconfiguration, missing updates, poor programming practices and so on. So friends, in this series of tutorials we will learn penetration testing of a Big Data NoSQL database step by step.
You also might be interested in reading why Penetration testing is so important for security.
Below are the topics we will cover during our MongoDB penetration testing series:
- Penetration testing Tutorial 1 – Installation of Mongo DB in Ubuntu
- Penetration Testing Tutorial 1b – Connecting Mongo DB Client
- Penetration testing Tutorial 2 – Introduction of Mongo Shell and basic functions like creating a database, checking database, Inserting or deleting from database etc.
- Penetration testing Tutorial 3 – Setting up Penetration testing Lab
- Penetration testing Tutorial 4 – How to Scan for Open ports and enumerate running services
- Penetration testing Tutorial 5 – How to Scan and Access HTTP Interface
- Penetration testing Tutorial 6 – Using NMAP NSE scripts for Scanning – Semi Automated
- Penetration testing Tutorial 7 – How to Brute Force on Mongo DB
- Penetration testing Tutorial 8 – How to use Metasploit Auxiliary Module for Penetration testing
- Penetration testing Tutorial 9 – How to attack applications
- Penetration testing Tutorial 10 – How to run Automated Assessments with NoSQLMap
So friends, lets begin our Penetration Testing Tutorial 1.
Big Data MongoDB Penetration Testing Tutorial 1 : Installation of MongoDB in Ubuntu :
Pre-requisites for Installation of MongoDB in Ubuntu : We have used Ubuntu 12.04 (precise) and the MongoDB 3.0 release series for this tutorial. Also make sure to install the SSH server while installing Ubuntu; it comes in handy when you want several shells on the Ubuntu server from another machine connected to it.
Step 1 : Import MongoDB GPG key
Run the following command to import the key that signs the MongoDB 3.0 packages:
mongo@mongo:~$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 7F0CEB10
[sudo] password for mongo:
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /tmp/tmp.0K6QHEakhI --trustdb-name /etc/apt/trustdb.gpg --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv 7F0CEB10
gpg: requesting key 7F0CEB10 from hkp server keyserver.ubuntu.com
gpg: key 7F0CEB10: public key "Richard Kreuter <richard@10gen.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
mongo@mongo:~$
The key is fetched over plain HKP on port 80, and a short key ID alone proves nothing, so after the import run sudo apt-key fingerprint and compare the full fingerprint of this key with the one MongoDB publishes for its release key. This is the only thing that ties the package signatures checked in step 4 to the vendor.
Step 2 : Create a list file for MongoDB
This step tells apt where to find the MongoDB packages. Note the space after "ubuntu": lsb_release -sc expands to the release codename (precise here), and it must end up as a separate path component. Run the following command:
mongo@mongo:~$ echo "deb http://repo.mongodb.org/apt/ubuntu "$(lsb_release -sc)"/mongodb-org/3.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.0.list
deb http://repo.mongodb.org/apt/ubuntu precise/mongodb-org/3.0 multiverse
mongo@mongo:~$
Step 3 : Reload the local package database
Run the sudo apt-get update command. This command downloads the package lists from the repositories and updates them to get information on the newest versions of the packages and their dependencies. This step may take some time and produces a lot of output on the screen, so the output is truncated.
mongo@mongo:~$ sudo apt-get update
Ign http://repo.mongodb.org precise/mongodb-org/3.0 InRelease
Ign http://security.ubuntu.com precise-security InRelease
Ign http://us.archive.ubuntu.com precise InRelease
....
Hit http://us.archive.ubuntu.com precise-backports/universe Translation-en
Fetched 4902 kB in 9s (501 kB/s)
Reading package lists... Done
mongo@mongo:~$
Step 4: Install the MongoDB packages
The following command installs the latest stable release available from the 3.0 repository configured above (3.0.4 at the time of this run, as the output shows). These packages are needed for Big Data MongoDB penetration testing too. If you want a specific version instead of the latest one, skip this step and go to step 5. Run the following command:
mongo@mongo:~$ sudo apt-get install -y mongodb-org
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following extra packages will be installed:
mongodb-org-mongos mongodb-org-server mongodb-org-shell mongodb-org-tools
The following NEW packages will be installed:
…..
Adding user mongodb to group mongodb Done.
mongod start/running, process 2121
Setting up mongodb-org-mongos (3.0.4) ...
Setting up mongodb-org-tools (3.0.4) ...
Setting up mongodb-org (3.0.4) ...
mongo@mongo:~$
Notice the "mongod start/running" line: the package creates a mongodb service account and starts the mongod service straight away, using the settings in /etc/mongod.conf (check that file for the dbpath, logpath and bind_ip it applies).
Step 5 : Install a specific version of MongoDB
If you have installed MongoDB in step 4, skip this step. This step shows how to install a specific version explicitly, here 3.0.4; for any other version, replace 3.0.4 in every package name with the version of your choice.
mongo@mongo:~$ sudo apt-get install -y mongodb-org=3.0.4 mongodb-org-server=3.0.4 mongodb-org-shell=3.0.4 mongodb-org-mongos=3.0.4 mongodb-org-tools=3.0.4
Reading package lists… Done
Building dependency tree
Reading state information… Done
mongodb-org is already the newest version.
….
mongodb-org-tools is already the newest version.
mongodb-org-tools set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 199 not upgraded.
mongo@mongo:~$
Step 6 : Preventing unintended upgrades
Though there are various ways to prevent unintended package upgrades, let's follow the "dpkg" method, as it is the one given in the MongoDB documentation. Putting the packages on hold keeps a routine apt-get upgrade from replacing the version you are testing against.
mongo@mongo:~$ echo "mongodb-org hold" | sudo dpkg --set-selections
mongo@mongo:~$ echo "mongodb-org-server hold" | sudo dpkg --set-selections
mongo@mongo:~$ echo "mongodb-org-shell hold" | sudo dpkg --set-selections
mongo@mongo:~$ echo "mongodb-org-mongos hold" | sudo dpkg --set-selections
mongo@mongo:~$ echo "mongodb-org-tools hold" | sudo dpkg --set-selections
Step 7 : Creating the data directory
The mongod service installed by the package takes its data directory from /etc/mongod.conf (the packaged default is /var/lib/mongodb, owned by the mongodb user). When mongod is launched directly from the command line, as we will do for the lab in step 9, it does not read that file and falls back to its compiled-in default, "/data/db", which does not exist yet. Create it now, directly under the '/' root directory:
Either run the following command : "sudo mkdir -p /data/db"
Or run "su" to become super user, and then create the directory with "mkdir -p /data/db".
The directory must be writable by whichever user will run mongod in step 9. If you intend to run it as the mongodb service account rather than as root (the safer choice), also run "sudo chown mongodb:mongodb /data/db".
Step 8 : Starting MongoDB
Once we have completed the previous steps, we can start the packaged MongoDB service with the following command (if step 4 already started it, the command simply reports that it is running):
mongo@mongo:~$ sudo service mongod start
mongod start/running, process 2210
mongo@mongo:~$
This starts mongod with the default settings from /etc/mongod.conf: the wire protocol on port 27017 and no HTTP interface.
Step 9 : Verify if MongoDB has started
After launching the MongoDB instance, we can cross-check that it is up by reading its log. For the packaged service the log file is /var/log/mongodb/mongod.log (the path is set by logpath in /etc/mongod.conf); when mongod is run in the foreground the same messages appear on the console. If we see the message below, it is running fine:
2015-09-28T02:06:33.732+0000 I NETWORK [initandlisten] waiting for connections on port 27017
Note: as noted in step 8, the service runs with the defaults, so the HTTP console and REST interface are off. For our penetration testing lab we want exactly those attack surfaces enabled. First stop the service, otherwise the second mongod cannot bind to port 27017:
sudo service mongod stop
Then launch the lab instance with the following command:
sudo mongod --httpinterface --rest --smallfiles
This listens on port 27017 for the wire protocol and on port 28017 (always the main port plus 1000) for the HTTP console and REST interface, and the log should now also report the admin web console waiting for connections on port 28017. --smallfiles keeps the MMAPv1 data files small, which suits a lab VM. Two caveats: the REST interface accepts requests without any authentication, so keep the lab VM on an isolated network and never enable these flags on a production server; and sudo mongod runs the process as root, so the files it creates under /data/db will be root-owned. Prefer running it as the mongodb user (see step 7) once the directory permissions are set.
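A small launcher that ties step 7 and step 9 together, added here as an example and not part of the original tutorial: it stops the packaged service so the lab instance can bind to 27017, starts mongod as the mongodb service account instead of root, binds it to a single address, waits for the "waiting for connections" line, and reports the HTTP/REST port. The dbpath (/data/db from step 7), bind address, log path and service account name are assumptions set at the top; the ss/netstat fallback and the 15-second wait are also my choices.

```shell
#!/usr/bin/env bash
# start-lab-mongod.sh: launch the MongoDB 3.0 lab instance from step 9 without
# running it as root. Added example, not from the original tutorial.
# Assumptions (override via environment): dbpath /data/db, bind to 127.0.0.1,
# log in /tmp, service account "mongodb" created by the package.
set -u

LAB_DBPATH="${LAB_DBPATH:-/data/db}"
LAB_PORT="${LAB_PORT:-27017}"
LAB_BIND="${LAB_BIND:-127.0.0.1}"   # set to the lab NIC address to reach it from Kali
LAB_LOG="${LAB_LOG:-/tmp/mongod-lab.log}"
LAB_USER="${LAB_USER:-mongodb}"

# mongod's HTTP console / REST interface always listens on <port> + 1000.
http_port_for() {
  echo $(( $1 + 1000 ))
}

# The complete lab command line as one string, so it can be reviewed before running.
# --fork requires --logpath; --httpinterface/--rest are the lab-only flags from step 9.
lab_cmdline() {
  printf 'mongod --dbpath %s --port %s --bind_ip %s --httpinterface --rest --smallfiles --logpath %s --fork' \
    "$LAB_DBPATH" "$LAB_PORT" "$LAB_BIND" "$LAB_LOG"
}

# Extract the port number from a "waiting for connections on port N" log line.
# Prints nothing for any other line, so callers can use it as a readiness probe.
listen_port_from_log_line() {
  case "$1" in
    *"waiting for connections on port "*) echo "${1##*port }" ;;
    *) ;;
  esac
}

# True if some process already listens on TCP port $1 (uses ss, falls back to netstat).
port_in_use() {
  { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } | grep -qE "[:.]$1[[:space:]]"
}

# Poll the log (up to $2 seconds) until mongod reports listening on port $1.
wait_for_listen() {
  local want="$1" tries="$2"
  while [ "$tries" -gt 0 ]; do
    if [ -f "$LAB_LOG" ] && grep -q "waiting for connections on port $want" "$LAB_LOG"; then
      return 0
    fi
    sleep 1; tries=$((tries - 1))
  done
  return 1
}

if [ "${1:-}" = "start" ]; then
  # The packaged service already owns 27017; a second mongod cannot bind to it.
  sudo service mongod stop >/dev/null 2>&1 || true
  if port_in_use "$LAB_PORT"; then
    echo "port $LAB_PORT is still in use; not starting" >&2; exit 1
  fi
  # Data directory and log must be writable by the service account, not root.
  sudo mkdir -p "$LAB_DBPATH" && sudo chown "$LAB_USER" "$LAB_DBPATH"
  sudo touch "$LAB_LOG" && sudo chown "$LAB_USER" "$LAB_LOG"
  # Word-splitting of the command line is intentional; paths must not contain spaces.
  sudo -u "$LAB_USER" $(lab_cmdline)
  wait_for_listen "$LAB_PORT" 15 || { echo "mongod did not come up; see $LAB_LOG" >&2; exit 1; }
  echo "wire protocol on $LAB_BIND:$LAB_PORT, HTTP console/REST on $LAB_BIND:$(http_port_for "$LAB_PORT")"
fi
```

Run it on the Ubuntu VM as bash start-lab-mongod.sh start; without the start argument it only defines the functions. lab_cmdline prints the exact mongod invocation so it can be checked before anything is started, and the readiness check looks for the same log line quoted in step 9 rather than trusting the fork's exit status.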
That's it. Now we have MongoDB installed on Ubuntu. In our next tutorial we will learn how to connect to it from Kali Linux. Hope you all enjoyed the Big Data MongoDB penetration testing tutorial. So Keep Learning!! Keep Connecting!!