Mongod targets MongoDB — the world's most popular NoSQL document database. Like Redis, MongoDB was designed for trusted internal networks and ships with authentication disabled by default in older versions. When exposed without auth, the entire database is readable and writable by anyone who can reach port 27017. This machine teaches you to identify, connect to, and query an unauthenticated MongoDB instance.
| Skill | Why it matters |
|---|---|
| Detecting MongoDB with Nmap | Port 27017 sits outside the default scan range — full-port scans are mandatory |
| Connecting without credentials | No-auth MongoDB instances are a recurring finding in cloud and startup environments |
| MongoDB shell navigation | Listing databases, collections, and documents via mongosh |
| NoSQL data extraction | JSON document stores often hold user records, API keys, and session data |
MongoDB's default port is 27017 — well outside the top 1000 ports Nmap scans by default. A -p- flag is essential here.
What you're seeing: SSH on 22 (no credentials yet) and MongoDB 3.6.8 on 27017. MongoDB 3.6.x defaults to binding on all interfaces with no authentication — a configuration that led to the infamous "MongoDB Apocalypse" of 2017, where tens of thousands of databases were wiped and held for ransom.
You're in. No username, no password. The prompt shows the current database is test (the default). Begin enumeration immediately.
What you're seeing: three system databases (admin, config, local) plus two application databases. sensitive_information is an obvious target.
| Command | What it does |
|---|---|
| show dbs | List all databases on the server |
| use <db> | Switch to a specific database |
| show collections | List all collections (tables) in the current database |
| db.<col>.find() | Return all documents in a collection |
| db.<col>.find().pretty() | Return all documents formatted for readability |
| db.<col>.find({key:"val"}) | Filter documents by field value |
| db.<col>.findOne() | Return only the first matching document |
| db.<col>.count() | Count documents in a collection |
| db.getUsers() | List database users (useful for credential harvesting) |
| db.adminCommand({listDatabases:1}) | Alternative to show dbs with more detail |
| | MongoDB | Redis |
|---|---|---|
| Default port | 27017 | 6379 |
| Data model | JSON documents in collections | Key-value pairs (strings, lists, hashes) |
| Default auth | None (pre-4.0) | None (pre-7.0) |
| Typical data found | User records, app data, logs | Sessions, cache, pub/sub messages |
| RCE potential | Via server-side JS (mapReduce in older versions) | Via CONFIG SET to write files |
| Recon command | show dbs / show collections | info / keys * |
An unauthenticated MongoDB instance exposed to the network is a direct path to every record in every database on that server — user accounts, passwords, API keys, and application data included.
| Concept | Real-world relevance |
|---|---|
| No default auth (pre-4.0) | Any MongoDB version below 4.0 on an exposed host is a critical finding by default |
| Cloud misconfigs are common | MongoDB Atlas is secure by design — but self-hosted Mongo on EC2/DigitalOcean without firewall rules is regularly found exposed |
| Collection naming reveals app logic | Database and collection names (users, tokens, sessions, payments) tell you where the valuable data is immediately |
| Always scan all ports | 27017 is port 3 on the "DBs that get you fired" list — it never appears in default Nmap output |
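
The two misconfigurations this machine relies on (listening on every interface, no authorization) both live in mongod.conf. The audit helper below is an added example, not code from the machine or the MongoDB project: it parses the flat `section:` / `  key: value` layout mongod.conf normally uses (stdlib only, no lists, anchors or quoted values) and flags the weak settings, using two constructed configs, one resembling the exposed target and one hardened.

```python
"""Added example: flag a mongod.conf that is reachable from the network without auth."""

WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def parse_yaml_subset(text):
    """Parse indentation-nested `key: value` lines into nested dicts (mongod.conf subset)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # close sections we have outdented from
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse_yaml_subset(text)
    net, security = cfg.get("net", {}), cfg.get("security", {})
    port = net.get("port", "27017")
    findings = []
    if "bindIp" not in net and net.get("bindIpAll") != "true":
        findings.append("net.bindIp unset: the build's default applies, and older releases listened on every interface")
    else:
        binds = {b.strip() for b in net.get("bindIp", "").split(",")}
        if net.get("bindIpAll") == "true" or binds & WILDCARD_BINDS:
            findings.append(f"net.bindIp exposes port {port} on all interfaces")
    if security.get("authorization") != "enabled":
        findings.append("security.authorization is not enabled: anyone reaching the port has full read/write access")
    return findings


# Constructed sample resembling the exposed target (not the machine's real file)
WEAK_CONF = "storage:\n  dbPath: /var/lib/mongodb\nnet:\n  port: 27017\n  bindIp: 0.0.0.0  # any host\n"
# Constructed hardened counterpart: loopback only, authorization on
HARDENED_CONF = "storage:\n  dbPath: /var/lib/mongodb\nnet:\n  port: 27017\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: enabled\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```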
