Data stored in databases is often sensitive or business-critical. Mongoaudit lets you inspect the technical configuration of a MongoDB instance and verify that it is properly protected.
Audience and Usage
Mongoaudit can be used to secure the applications and databases that depend on MongoDB; it is aimed at security professionals and pentesters.
Installation
Set it up by cloning the repository and running the installer:

    git clone https://github.com/stampery/mongoaudit.git
    cd mongoaudit
    python setup.py install
    mongoaudit
Introduction
It is well known that MongoDB's default configuration settings leave many holes open. This, combined with many careless developers and system administrators, led to the
Mongoaudit detects bugs, vulnerabilities and misconfigurations, and gives advice and best-practice guidance on fixing them. It also teaches you how to DevOps like a pro!
Here's the app in action: yes, that's Material Design on a console interface (powered by Urwid).
Tests
- MongoDB listens on a port other than the default (27017)
- Only whitelisted hosts and networks are allowed to connect to the server
- MongoDB's HTTP status interface cannot be reached on port 28017
- MongoDB does not expose its version number
- MongoDB version is newer than 2.4
- TLS/SSL encryption is enabled
- Authentication is enabled
- The SCRAM-SHA-1 authentication mechanism is enabled
- Server-side JavaScript is forbidden *
- The roles granted to the user permit only CRUD operations
- The user has permissions on a single database only
- Known security flaws
Tests marked with an asterisk (*) require valid authentication credentials.
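The checks above can be run offline against a server's own configuration and role data rather than by probing the network. The following is an added example, not mongoaudit's code: it models the port, bind-address, HTTP interface, version, TLS, authentication, SCRAM-SHA-1, server-side JavaScript and least-privilege checks as functions over dictionaries shaped like the `parsed` sub-document of the `getCmdLineOpts` admin command, the `buildInfo` command and the `connectionStatus` command (what pymongo's `db.command(...)` returns). The weak and hardened sample inputs are constructed for the example; the version thresholds (localhost binding from 3.6, HTTP interface off by default from 2.6, SCRAM-SHA-1 from 3.0) are taken from MongoDB's release history.

```python
"""Offline model of the server-side checks listed above (added example, not
mongoaudit's own code). Inputs mirror the `parsed` sub-document of
`getCmdLineOpts`, the `buildInfo` response and the `connectionStatus`
response; the samples at the bottom are constructed, no server is contacted."""

CRUD_ROLES = {"read", "readWrite"}
# Built-in roles that reach every database regardless of where they are defined.
ALL_DB_ROLES = {"root", "__system"}


def _major_minor(version):
    """'3.4.10' -> (3, 4); only the first two components matter here."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor.split("-")[0])


def audit_server(parsed_opts, build_info):
    """Return [(check, passed)] for the checks that need no credentials."""
    version = _major_minor(build_info["version"])
    net = parsed_opts.get("net", {})
    security = parsed_opts.get("security", {})
    findings = []

    # An absent net.port means the default 27017.
    findings.append(("listens on a non-default port", net.get("port", 27017) != 27017))

    # Firewall whitelists are invisible from inside the server; the nearest
    # server-side signal is net.bindIp. 0.0.0.0, :: or bindIpAll exposes every
    # interface. mongod 3.6+ defaults to localhost, older releases to all.
    default_bind = "127.0.0.1" if version >= (3, 6) else "0.0.0.0"
    bind_ips = [ip.strip() for ip in str(net.get("bindIp", default_bind)).split(",")]
    bind_all = net.get("bindIpAll", False) or any(ip in ("0.0.0.0", "::") for ip in bind_ips)
    findings.append(("bound to specific interfaces only", not bind_all))

    # HTTP status interface on 28017: on by default before 2.6, off from 2.6,
    # removed in 3.6; net.http.enabled switches it on explicitly.
    http_on = net.get("http", {}).get("enabled", version < (2, 6))
    findings.append(("HTTP status interface disabled", not http_on))

    findings.append(("version newer than 2.4", version > (2, 4)))

    # Only requireTLS/requireSSL refuses plaintext; allow*/prefer* still accept
    # it. net.tls replaced net.ssl in 4.2, so accept either spelling.
    tls_mode = net.get("tls", {}).get("mode") or net.get("ssl", {}).get("mode", "disabled")
    findings.append(("TLS required for all connections", tls_mode in ("requireTLS", "requireSSL")))

    findings.append(("authentication enabled", security.get("authorization") == "enabled"))

    # SCRAM-SHA-1 shipped in 3.0 and stays on unless the authenticationMechanisms
    # setParameter (a comma-separated string) was narrowed to exclude it.
    mechs = parsed_opts.get("setParameter", {}).get("authenticationMechanisms")
    if mechs is None:
        scram = version >= (3, 0)
    else:
        scram = "SCRAM-SHA-1" in mechs.split(",")
    findings.append(("SCRAM-SHA-1 available", scram))

    # security.javascriptEnabled defaults to true.
    findings.append(("server-side JavaScript disabled",
                     security.get("javascriptEnabled", True) is False))
    return findings


def audit_user(connection_status):
    """Least-privilege checks on the authenticated user (the live command
    requires valid credentials; here the response is constructed)."""
    roles = connection_status["authInfo"]["authenticatedUserRoles"]
    crud_only = bool(roles) and all(r["role"] in CRUD_ROLES for r in roles)
    spans_all = any(r["role"] in ALL_DB_ROLES or r["role"].endswith("AnyDatabase")
                    for r in roles)
    single_db = len({r["db"] for r in roles}) == 1 and not spans_all
    return [("roles permit only CRUD operations", crud_only),
            ("permissions limited to a single database", single_db)]


def failed_checks(findings):
    return [name for name, passed in findings if not passed]


# Constructed samples: a default-style 3.4 server used through a root account...
WEAK_OPTS = {"net": {"port": 27017, "bindIp": "0.0.0.0", "http": {"enabled": True}},
             "security": {}}
WEAK_BUILD = {"version": "3.4.10"}
WEAK_STATUS = {"authInfo": {"authenticatedUsers": [{"user": "admin", "db": "admin"}],
                            "authenticatedUserRoles": [{"role": "root", "db": "admin"}]}}
# ...and the hardened equivalent: moved port, one interface, TLS required,
# auth on, server-side JS off, application user with readWrite on its own db.
HARDENED_OPTS = {"net": {"port": 27117, "bindIp": "10.0.0.5",
                         "tls": {"mode": "requireTLS",
                                 "certificateKeyFile": "/etc/ssl/mongod.pem"}},
                 "security": {"authorization": "enabled", "javascriptEnabled": False}}
HARDENED_BUILD = {"version": "4.4.6"}
HARDENED_STATUS = {"authInfo": {"authenticatedUsers": [{"user": "shop_app", "db": "shop"}],
                                "authenticatedUserRoles": [{"role": "readWrite", "db": "shop"}]}}

if __name__ == "__main__":
    for label, opts, build, status in (("weak", WEAK_OPTS, WEAK_BUILD, WEAK_STATUS),
                                       ("hardened", HARDENED_OPTS, HARDENED_BUILD, HARDENED_STATUS)):
        failed = failed_checks(audit_server(opts, build) + audit_user(status))
        print(f"{label}: {len(failed)} failed check(s) {failed}")
```

Against the weak sample every check fails except the version and SCRAM-SHA-1 ones; the hardened sample passes all of them. The "does not expose its version number" and "whitelisted hosts" tests are omitted because they can only be judged from the client side, which is what mongoaudit does over the wire.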
What can I do to best protect my MongoDB database?
Once you have run one of its test suites, Mongoaudit can send you a detailed email report. The personalized report contains guides that help you fix the specific issues found and harden your MongoDB installation.
We have included the mongoaudit guide in our .
Contributing
Your contribution is appreciated! You can help in several ways:
- Open an issue with your suggestions and corrections.
- Fork this repository and send a pull request.
- Improve the documentation.
Fork the mongoaudit repository, then clone your fork to work on a pull request (replace YOUR-USERNAME with your GitHub user name):
    git clone git@github.com:YOUR-USERNAME/mongoaudit.git
Make your changes, push them to your fork, then submit a Pull Request.
Maintainers and Author
Maintainers
Mongoaudit is managed by:
Legal
Licence
Mongoaudit is released under the MIT License.
Disclaimer
"With great power, comes great responsibility"
- Do not use this tool against servers you do not own or are not authorized to test. In many countries, unauthorized access is a crime.
- Use this tool at your own risk. Whatever the cause, we are not responsible for any damage or loss you might incur.
- Don't be evil.