Open Databases and Hacking with Shodan
Increasingly, there is news about leaks. Researchers find confidential information in open databases (MongoDB, Elasticsearch, Kibana, CouchDB, Hadoop and others). Scandals follow, then serious trouble for the companies involved, and even lawsuits worth hundreds of millions of dollars. Here are some examples from the media for illustration.
Finding open databases with Shodan
To search for databases, the specialised search engines Shodan and Censys are used. Each database has a characteristic pattern: a port and a so-called banner (header). For MongoDB, for example, it is the standard port 27017 and the presence of the banner text "mongodb server information". Similar patterns exist for other databases.
The most popular option is MongoDB. At the time of writing, 69,100 results have been indexed. Most of them are closed (this is indicated by the "Authentication partially enabled" parameter in the banner).
To find open databases, create the query:
all: "mongodb server information" all: "metrics"
In this case, we get 24,943 results. Roughly that many open databases exist that contain some kind of data. Of course, some of them are dummies with nothing interesting inside, but that is a matter for analysis.
The USA leads in open MongoDB instances with 7,915 results.
You can use any manager to work with the database; you can also process the data from the command line. Although Studio 3T for MongoDB has more functionality (available for a 30-day trial period), you have seen that free programs work quite well too. Each to their own.
There really are a lot of open databases. Loud news about a data leak comes out almost every week: it may be the database of a hotel, a store or a service centre. At a quick glance, two good cases stood out among the examples in this article: a store and a classified-ads board for selling cars. In the first case one could see the order, its description and the phone/e-mail of the owner; in the second, the phone number and the make of the car.
Very often confidential data is stored unencrypted. Many companies store information without even thinking about the possible consequences. I have demonstrated enough ways to find open databases with terabytes of records. What to do with the information found is your choice.
There are fewer results for Elasticsearch: 20,283 indexed entries, and the leader is China.
port: "9200" all: "elastic indices"
To work fully with the search results (filter records by size, by the date they entered the index, by number of collections, etc.) you need more functional tools. One of them is Lampyre.
If you don't want to install software, you can use the familiar Shodan Command-Line Interface. For those who prefer to work from the command line, I have prepared a file with commands that let you find and analyse the data in JSON or XLSX format.
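As an added example (not part of the original article or the author's command file), here is a small Python triage script for Shodan-style JSON-lines exports, written from the point of view of someone responsible for the systems rather than someone searching for them. It assumes the record keys `ip_str`, `port`, `data` and `location.country_code` that Shodan's JSON export uses, runs on constructed sample records rather than live results, and answers two questions: how many indexed MongoDB banners lack the "Authentication partially enabled" marker, and which of those hosts fall inside your own address ranges.

```python
"""Triage of Shodan-style JSON-lines records for MongoDB exposure.

Added example, not part of the original article. The record keys used
(ip_str, port, data, location.country_code, timestamp) are assumed to
match Shodan's JSON export; the sample records below are constructed.
"""
import ipaddress
import json
from collections import Counter

# Shodan marks MongoDB instances that refused the unauthenticated
# listing with this banner text (see the article).
AUTH_MARKER = "Authentication partially enabled"

# Constructed sample export: four records, addresses from the RFC 5737
# documentation ranges, banners abbreviated.
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    {"ip_str": "192.0.2.10", "port": 27017, "timestamp": "2020-01-05T10:00:00",
     "location": {"country_code": "US"},
     "data": "MongoDB Server Information\nAuthentication partially enabled"},
    {"ip_str": "192.0.2.20", "port": 27017, "timestamp": "2020-01-05T11:30:00",
     "location": {"country_code": "US"},
     "data": "MongoDB Server Information\n{\"databases\": [{\"name\": \"admin\"}, {\"name\": \"orders\"}]}"},
    {"ip_str": "198.51.100.7", "port": 27017, "timestamp": "2020-01-06T02:15:00",
     "location": {"country_code": "CN"},
     "data": "MongoDB Server Information\n{\"databases\": [{\"name\": \"test\"}]}"},
    {"ip_str": "203.0.113.99", "port": 27017, "timestamp": "2020-01-06T09:00:00",
     "location": {"country_code": "DE"},
     "data": "MongoDB Server Information\nAuthentication partially enabled"},
])


def parse_records(text):
    """Yield one dict per non-empty JSON line; skip lines that are not valid JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def banner_lacks_auth(record):
    """True when the banner does not carry the 'authentication enabled' marker."""
    return AUTH_MARKER not in record.get("data", "")


def triage(jsonl_text, own_prefixes):
    """Summarise an export: total records, how many lack the auth marker,
    those by country, and those inside the caller's own address ranges."""
    own_nets = [ipaddress.ip_network(p) for p in own_prefixes]
    summary = {"total": 0, "open": 0, "open_by_country": Counter(), "own_exposed": []}
    for rec in parse_records(jsonl_text):
        summary["total"] += 1
        if not banner_lacks_auth(rec):
            continue
        summary["open"] += 1
        country = rec.get("location", {}).get("country_code", "??")
        summary["open_by_country"][country] += 1
        try:
            ip = ipaddress.ip_address(rec["ip_str"])
        except (KeyError, ValueError):
            continue  # malformed record: counted, but cannot be matched to a range
        if any(ip in net for net in own_nets):
            summary["own_exposed"].append((rec["ip_str"], rec.get("port")))
    return summary


if __name__ == "__main__":
    # Constructed "own" range: TEST-NET-1, standing in for an organisation's prefix.
    result = triage(SAMPLE_JSONL, ["192.0.2.0/24"])
    print(f"{result['open']} of {result['total']} records lack the auth marker")
    print("open by country:", dict(result["open_by_country"]))
    print("exposed in own ranges:", result["own_exposed"])
```

The same `triage` function works unchanged on a real `shodan download` file read from disk, provided the export has the assumed keys; the banner check is deliberately the single marker the article names, so a host that merely binds to a non-default port or lists only empty databases is still reported and left for manual review.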
To work with more exotic databases, I recommend LeakLooker. The script is written in Python and works with Shodan. In addition to the standard databases, it supports Kibana and CouchDB.
Finding open databases with Lampyre
For more flexible settings, you can use the Lampyre tool for Windows. After downloading the application, you must provide an e-mail address and confirm your account. After starting in Online Mode, click New Investigation, select a folder for storing the project and start working.
In the List of requests, select Shodan search. Enter the API key and, in the Query field, the query that finds open databases:
all: "mongodb server information" all: "metrics"
You can also specify additional parameters, for example country and port, in the Shodan - 2 window. Launch with the "Execute" button; the results follow. For a graphical display, select "Schema" -> "Network".
Lampyre can filter the found results with the built-in ExploreDB: MongoDB query. Select the necessary IPs, right-click to open the menu and choose ExploreDB: MongoDB.
Then we get all the results in a convenient format. You can filter by database size and other parameters that Shodan does not offer. Confirmation that a database is open is the text parameter, which has the status open. It is worth sorting the results by the Size and Count documents parameters, since the most interesting databases contain the largest number of records in their collections.
You can also see from the screenshots that Lampyre supports ExploreDB: ElasticSearch. We do everything by analogy, using the query:
port: "9200" all: "elastic indices"
We receive the Elasticsearch databases in a convenient form. You can view them by clicking the link in the "http query top 500" column.
As a result, we find an open database of some store where you can see the phone, creation date, description, e-mail and some other interesting information. Remember, those who seek will always find.
You can use any manager convenient for you to work with the resulting databases. For MongoDB, for example, NoSQL Manager for MongoDB, Robo 3T or Studio 3T for MongoDB are suitable. Let us consider one of the options.
Analyzing Databases Using Robo 3T for MongoDB
The choice fell on the free version of Robo 3T. The portable version takes about 15 MB and allows you to connect quickly to the desired database. After starting, we see a window where the IP address must be specified. Right-click and add a connection with the Add button.
Specify the desired IP and click Save.
After a successful connection we can see the database; a new client appears in the left pane.
Next we look at the collections that are used in the database: