
How Researchers Discover MongoDB and Elasticsearch Open Databases

Some time ago it was very “fashionable” among security researchers to hunt for improperly configured AWS cloud storage buckets holding various kinds of confidential information. Back then I even published a short note on how open Amazon S3 buckets are discovered.


However, time passes and the focus of such research has shifted to databases left publicly accessible. More than half of the known large data leaks over the past year came from open databases (overviews of the 2018 leaks here and here).



Today we will try to work out how security researchers discover such databases...


Required disclaimer: this article does not address or raise the legal and ethical issues related to searching for and identifying publicly accessible databases. All the information below should be considered educational only.

It is no great discovery to say that the main tools for finding open databases are the specialized search engines Shodan and Censys. I will only note that these are not free services, and you have to pay your honestly earned non-rubles for access to the full search results ($59/month for Shodan and $99/month for Censys, and that is only for the minimal basic packages). The free versions of both search engines severely limit the number of results returned.


In addition to the classic Google-like search through the search box, these search engines can also be queried through an API. The lucky owner of a paid subscription receives an API key. This makes it considerably easier to sift through the heap of search noise. A list of useful scripts and search automation tools that use API keys is given at the end of this article.


Incidentally, with a small trick and, again, a search, this time on GitHub, one can find a number of API keys left in public repositories by their careless owners.


Let's look, using the Shodan search engine as an example, at how open MongoDB and Elasticsearch databases are found.


The simplest and most obvious query that suggests itself is “MongoDB”:



As the screenshot shows, this query returned all indexed MongoDB servers (on the default port 27017). However, most of them (in the screenshot, the first three) are closed databases that require account credentials. That is not quite what we are interested in. More precisely, not at all.


Let's refine the query slightly with the search filters all:"mongodb server information" all:"metrics":



The result already looks much better. All of the databases found were freely accessible at the moment the search engine indexed them. It is very likely that one could still connect to the listed IP addresses with any MongoDB client (for example, NoSQL Manager for MongoDB or Studio 3T for MongoDB).


The search can be limited to a particular country. Say we want open MongoDB instances in China (query all:"mongodb server information" all:"metrics" country:"cn"):



To search for open Elasticsearch databases, it is convenient to use the query port:"9200" all:"elastic indices":



Unfortunately, I did not find a way to set a search condition on the size of the database in the search box. If you know how to do this (a search-box filter on the "totalSize" or "sizeOnDisk" parameters), please write in the comments.


To impose more complex filters on the search results (limits on database size, the date the server was indexed, etc.), you can use specialized scripts and programs. For that you will need paid access and an API key, as I wrote above.
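As an added example (not code from the original post or from Shodan), here is the kind of post-processing script this paragraph refers to, written from the defender's side: run against API results for your own netblock (the net: filter) to monitor your own attack surface, it keeps only hosts that answered listDatabases without credentials and applies the size and freshness filters that the search box cannot. The record shape (Shodan matches entries with MongoDB's listDatabases output under a "mongodb" key plus an "authentication" flag), the sample records and the names SAMPLE_MATCHES and exposed_mongodb are assumptions, not the real API schema.

```python
# Added example, not from the original post. Assumed record shape: Shodan API
# "matches" entries with MongoDB's listDatabases output (real MongoDB fields:
# totalSize, databases[].sizeOnDisk) under a "mongodb" key, and an assumed
# "authentication" flag. The records below are constructed; 192.0.2.0/24 is a
# documentation range, not a real host.
from datetime import datetime

SAMPLE_MATCHES = [
    {"ip_str": "192.0.2.10", "port": 27017, "timestamp": "2019-02-10T08:15:00.000000",
     "mongodb": {"authentication": False,
                 "listDatabases": {"totalSize": 4_300_000_000,
                                   "databases": [{"name": "customers", "sizeOnDisk": 4_100_000_000},
                                                 {"name": "local", "sizeOnDisk": 200_000_000}]}}},
    {"ip_str": "192.0.2.11", "port": 27017, "timestamp": "2018-11-01T23:00:00.000000",
     "mongodb": {"authentication": False,
                 "listDatabases": {"totalSize": 65_536,
                                   "databases": [{"name": "local", "sizeOnDisk": 65_536}]}}},
    # Credentials required: no database listing was available to the indexer.
    {"ip_str": "192.0.2.12", "port": 27017, "timestamp": "2019-02-11T12:00:00.000000",
     "mongodb": {"authentication": True}},
]


def exposed_mongodb(matches, min_total_bytes=0, seen_since=None):
    """Return (ip, port, totalSize, largest_db_name) for hosts that answered
    listDatabases without credentials, hold at least min_total_bytes on disk,
    and were indexed at or after seen_since (datetime or ISO string), largest first."""
    if isinstance(seen_since, str):
        seen_since = datetime.fromisoformat(seen_since)
    hits = []
    for m in matches:
        info = m.get("mongodb") or {}
        dbs = info.get("listDatabases")
        if info.get("authentication") or not dbs:
            continue  # auth required or no listing: not an open database
        if seen_since is not None and datetime.fromisoformat(m["timestamp"]) < seen_since:
            continue  # stale banner: the host may already be fixed or gone
        total = dbs.get("totalSize", 0)
        if total < min_total_bytes:
            continue  # below the size threshold the search box cannot express
        largest = max(dbs.get("databases", []), key=lambda d: d.get("sizeOnDisk", 0), default=None)
        hits.append((m["ip_str"], m["port"], total, largest["name"] if largest else None))
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for ip, port, total, biggest in exposed_mongodb(SAMPLE_MATCHES, 1_000_000, "2019-01-01"):
        print(f"{ip}:{port} open without auth, {total / 1e9:.1f} GB on disk, largest db: {biggest}")
```

Any host this reports for your own address space should be bound to a private interface and have authorization enabled before it shows up in someone else's results.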


Here is a small list of things that might come in handy:




Source: https://habr.com/ru/post/441028/