MongoDB Auditing and Pentesting Tool – MongoAudit

mongoaudit is a CLI tool for auditing MongoDB servers, detecting poor security settings and performing automated penetration testing.

Supported tests

  • Server only accepts connections from whitelisted hosts / networks
  • MongoDB HTTP status interface is not accessible on port 28017
  • MongoDB is not exposing its version number
  • MongoDB version is newer than 2.4
  • TLS/SSL encryption is enabled
  • Authentication is enabled
  • SCRAM-SHA-1 authentication method is enabled
  • Server-side Javascript is forbidden *
  • Roles granted to the user only permit CRUD operations *
  • MongoDB listens on a port other than the default one (27017)
  • The user has permissions over a single database *
  • Security bug CVE-2015-7882
  • Security bug CVE-2015-2705
  • Security bug CVE-2014-8964
  • Security bug CVE-2015-1609
  • Security bug CVE-2014-3971
  • Security bug CVE-2014-2917
  • Security bug CVE-2013-4650
  • Security bug CVE-2013-3969
  • Security bug CVE-2012-6619
  • Security bug CVE-2013-1892
  • Security bug CVE-2013-2132

* These checks evaluate the account you connect as, so they need valid credentials for the target server.
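To make the configuration checks above concrete, here is an added example (not mongoaudit's own code) that re-implements a subset of them offline. It evaluates the documents a mongod returns for the buildInfo, getCmdLineOpts and getParameter commands; the two sample servers below are constructed by hand, the key names follow the mongod YAML option names (net.port, net.bindIp, security.authorization, and so on), and the interface check assumes nothing but mongod itself stands between the server and the network. The CVE checks and the "version not exposed" test are not covered.

```python
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, bool, str]  # (check name, passed?, evidence)


def parse_version(version: str) -> Tuple[int, ...]:
    """'3.4.10-rc0' -> (3, 4, 10): drop a pre-release suffix, split on dots."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def audit_config(build_info: Dict[str, Any],
                 cmdline_opts: Dict[str, Any],
                 params: Dict[str, Any]) -> List[Finding]:
    """Evaluate a subset of the checks listed above against the documents
    returned by buildInfo, getCmdLineOpts and getParameter."""
    parsed = cmdline_opts.get("parsed", {})
    net = parsed.get("net", {})
    security = parsed.get("security", {})
    version_str = build_info.get("version", "0")
    version = parse_version(version_str)
    findings: List[Finding] = []

    # Version newer than 2.4: older releases predate SCRAM and carry several
    # of the CVEs listed above.
    findings.append(("version newer than 2.4", version > (2, 4), version_str))

    # Non-default port (mongod listens on 27017 unless told otherwise).
    port = net.get("port", 27017)
    findings.append(("non-default port", port != 27017, f"port {port}"))

    # Interface restriction. mongod only knows its bindIp; an unset value means
    # localhost from 3.6 on but all interfaces before that. A firewall in front
    # of the server (assumed absent here) is not visible in this document.
    if net.get("bindIpAll"):
        bind_ok, bind = False, "bindIpAll=true"
    elif "bindIp" in net:
        bind = str(net["bindIp"])
        bind_ok = not any(a.strip() in ("0.0.0.0", "::") for a in bind.split(","))
    else:
        bind_ok = version >= (3, 6)
        bind = "bindIp unset (localhost since 3.6, all interfaces before)"
    findings.append(("bound to specific interfaces", bind_ok, bind))

    # HTTP status/REST interface on port 28017 (net.http.*, removed in 3.6).
    http = net.get("http", {})
    http_on = bool(http.get("enabled") or http.get("RESTInterfaceEnabled")
                   or http.get("JSONPEnabled"))
    findings.append(("HTTP status interface disabled", not http_on, f"net.http={http}"))

    # TLS: only the require* modes refuse plaintext clients; allow*/prefer*
    # still accept them. net.tls is the 4.2+ spelling of net.ssl.
    mode = net.get("tls", {}).get("mode") or net.get("ssl", {}).get("mode") or "disabled"
    findings.append(("TLS required for clients", mode in ("requireTLS", "requireSSL"),
                     f"mode={mode}"))

    # Authentication: security.authorization, or a keyFile, which turns on
    # authorization for replica-set and sharded-cluster members.
    auth_on = security.get("authorization") == "enabled" or "keyFile" in security
    findings.append(("authentication enabled", auth_on, f"security={security}"))

    # A SCRAM mechanism is offered and the legacy MD5-based MONGODB-CR
    # challenge/response (deprecated in 3.0, removed in 4.0) is not.
    mechs = list(params.get("authenticationMechanisms", []))
    scram_ok = any(m.startswith("SCRAM-SHA-") for m in mechs) and "MONGODB-CR" not in mechs
    findings.append(("SCRAM enabled, MONGODB-CR disabled", scram_ok,
                     ",".join(mechs) or "authenticationMechanisms not reported"))

    # Server-side JavaScript ($where, mapReduce) is on unless disabled.
    js_enabled = security.get("javascriptEnabled", True)
    findings.append(("server-side JavaScript disabled", js_enabled is False,
                     f"javascriptEnabled={js_enabled}"))
    return findings


def failed_checks(findings: List[Finding]) -> List[str]:
    return [name for name, ok, _ in findings if not ok]


# Constructed sample documents standing in for two servers (not captured from
# real hosts). Weak: 3.4 defaults, bound everywhere, HTTP interface exposed.
WEAK_SERVER = (
    {"version": "3.4.2"},
    {"parsed": {"net": {"port": 27017, "bindIp": "0.0.0.0",
                        "http": {"enabled": True}},
                "security": {}}},
    {"authenticationMechanisms": ["MONGODB-CR", "SCRAM-SHA-1"]},
)
# Hardened: non-default port, two specific interfaces, TLS required, auth on,
# SCRAM-SHA-256 only, server-side JavaScript off.
HARDENED_SERVER = (
    {"version": "4.2.8"},
    {"parsed": {"net": {"port": 27117, "bindIp": "10.0.0.5,127.0.0.1",
                        "tls": {"mode": "requireTLS"}},
                "security": {"authorization": "enabled",
                             "javascriptEnabled": False}}},
    {"authenticationMechanisms": ["SCRAM-SHA-256"]},
)

if __name__ == "__main__":
    for label, docs in (("weak", WEAK_SERVER), ("hardened", HARDENED_SERVER)):
        print(f"== {label} ==")
        for name, ok, evidence in audit_config(*docs):
            print(f"[{'PASS' if ok else 'FAIL'}] {name}: {evidence}")
```

Against a live server the three documents come from pymongo as `client.admin.command("buildInfo")`, `client.admin.command("getCmdLineOpts")` and `client.admin.command("getParameter", 1, authenticationMechanisms=1)`; with authorization enabled the last two need a user holding the clusterMonitor role or equivalent privileges, which is the same reason the credential-dependent tests in the list above are marked with an asterisk.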

Installation

  • Installing with pip:
    pip install mongoaudit
  • Alternative installer (this pipes a script fetched over the network straight into a shell; save it first and read it before running it):
    curl -s https://mongoaud.it/install | bash

Source

https://github.com/stampery/mongoaudit
