id: mongodb-unauth info: name: MongoDB - Unauthenticated Access author: pdteam severity: high description: MongoDB was able to be accessed with no password. Note that MongoDB does not require a password by default. reference: - https://github.com/orleven/Tentacle - https://book.hacktricks.xyz/pentesting/27017-27018-mongodb - https://www.mongodb.com/features/mongodb-authentication remediation: Enable Authentication in MongoDB tags: network,mongodb,unauth metadata: max-request: 2 tcp: - inputs: - data: 480000000200000000000000d40700000000000061646d696e2e24636d6400000000000100000021000000026765744c6f670010000000737461727475705761726e696e67730000 type: hex host: - "{{Hostname}}" - "{{Host}}:27017" read-size: 2048 matchers: - type: word words: - "totalLinesWritten" # Enhanced by mp on 2022/07/20