2. About Me
Independent Security Researcher
Member of OpenSecurity
Currently Pursuing My B.Tech (Amal Jyothi College of Engineering)
Speaker (Spoke @ Defcon Kerala, Defcon Bangalore, DerbyCon USA)
Will Be Speaking @ Hack in the Box AMS 2014 on NoSQL Security and Exploitation Framework, where the full-fledged framework will be released
Sleeps @ Morning, Researches and Codes @ Night
3. Long Short NoSQL Story
Straight Out of the Box Issues
Default ports: Mongo: 27017, Couch: 5984, Redis: 6379
Default Security=NULL
A Shodan Search could fetch you 1000s of Servers Easily, P.S: I am Not Joking
Weak Authentication Mechanisms
Encryption Issues
Session Hijacking and MiTM Attacks
Available Authentication Mechanisms Difficult to Deploy
5. FEATURES
For the First Time Ever, A Scanning and Enumeration Framework for NoSQL Databases
Written in Python
Scanning Module For Mongo, Couch, Redis
Enumeration Module for Mining DB data for Mongo, Couch and Redis
Sniffs For Sessions and Passwords
Detection of REST Interfaces
Shodan Search Feature
Couch DB Auto Dump Using Session ID
Dictionary Attack
Clone and Dump Databases on the Fly.
Auto Screenshot Feature Available for REST Interface
Detection for Master-Slave replication in Mongo and acts accordingly
6. Future Releases
Added Support for Web App detection and Exploitation
Stored Procedure Calls (Post Exploitation Phase)
Added Support for Neo4J, H-Base, Cassandra
Shodan Header based Search
IronPython GUI Version in Progress
Multithreaded and Proxy Support
Resource Exhaustion by creating Arbitrary Databases
Fuzzing Module