November 5, 2018

413 words 2 mins read

stampery/mongoaudit

stampery/mongoaudit

A powerful MongoDB auditing and pentesting tool

repo name stampery/mongoaudit
repo link https://github.com/stampery/mongoaudit
homepage https://mongoaud.it
language Python
size (curr.) 499 kB
stars (curr.) 1108
created 2016-11-24
license MIT License

This is the recommended installation method in case you have python and pip.

pip install mongoaudit

Use this if and only if python and pip are not available on your platform.

curl -s https://mongoaud.it/install | bash

works on Mac OS X, GNU/Linux and Bash for Windows 10

If you are serious about security you should always use the PIP installer or, better yet, follow best security practices: clone this repository, check the source code and only then run it with python mongoaudit.

  • MongoDB listens on a port different to default one
  • Server only accepts connections from whitelisted hosts / networks
  • MongoDB HTTP status interface is not accessible on port 28017
  • MongoDB is not exposing its version number
  • MongoDB version is newer than 2.4
  • TLS/SSL encryption is enabled
  • Authentication is enabled
  • SCRAM-SHA-1 authentication method is enabled
  • Server-side Javascript is forbidden *
  • Roles granted to the user only permit CRUD operations *
  • The user has permissions over a single database *
  • Security bug CVE-2015-7882
  • Security bug CVE-2015-2705
  • Security bug CVE-2014-8964
  • Security bug CVE-2015-1609
  • Security bug CVE-2014-3971
  • Security bug CVE-2014-2917
  • Security bug CVE-2013-4650
  • Security bug CVE-2013-3969
  • Security bug CVE-2012-6619
  • Security bug CVE-2013-1892
  • Security bug CVE-2013-2132

Tests marked with an asterisk (*) require valid authentication credentials.

Once you run any of the test suites provided by mongoaudit, it will offer you to receive a fully detailed report via email. This personalized report links to a series of useful guides on how to fix every specific issue and how to harden your MongoDB deployments.

For your convenience, we have also published the mongoaudit guides in our Medium publication.

We’re happy you want to contribute! You can help us in different ways:

  • Open an issue with suggestions for improvements and errors you’re facing.
  • Fork this repository and submit a pull request.
  • Improve the documentation.

To submit a pull request, fork the mongoaudit repository and then clone your fork:

git clone git@github.com:<your-name>/mongoaudit.git

Make your suggested changes, git push and then submit a pull request.

"With great power comes great responsibility"
  • Never use this tool on servers you don’t own. Unauthorized access to strangers' computer systems is a crime in many countries.
  • Please use this tool is at your own risk. We will accept no liability for any loss or damage which you may incur no matter how caused.
  • Don’t be evil! :trollface:

comments powered by Disqus