MongoDB for the OC #436
SecuriLee started this conversation in Show and tell
OK, there is a new version that simulates a badly-deployed instance and allows db drop and ransom note delivery. I need to neaten up the config options; it's feeding canary tokens too :)
Hi @SecuriLee, thanks for the interesting feature suggestion. Adding the initial MongoDB to OpenCanary would be a useful addition. We would like to encourage you to submit a PR for this feature. We can help you through the steps required and with any technical assistance. Kind Regards
With the recent MongoBleed, it could be that OC benefits from that stack being present.
My friend, Claude, and I put something together.
It seems to work on my network....
{"dst_host": "127.0.0.1", "dst_port": 27017, "local_time": "2026-02-05 19:01:36.259014", "local_time_adjusted": "2026-02-05 20:01:36.259061", "logdata": {"action": "mongodb.connection"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "127.0.0.1", "src_port": 41318, "utc_time": "2026-02-05 19:01:36.259054"}
{"dst_host": "127.0.0.1", "dst_port": 27017, "local_time": "2026-02-05 19:01:36.296457", "local_time_adjusted": "2026-02-05 20:01:36.296480", "logdata": {"action": "mongodb.command", "command": "query:admin.$cmd", "query": "{'ismaster': 1, 'helloOk': True}"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "127.0.0.1", "src_port": 41318, "utc_time": "2026-02-05 19:01:36.296475"}
{"dst_host": "127.0.0.1", "dst_port": 27017, "local_time": "2026-02-05 19:01:36.399007", "local_time_adjusted": "2026-02-05 20:01:36.399056", "logdata": {"action": "mongodb.connection"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "127.0.0.1", "src_port": 41322, "utc_time": "2026-02-05 19:01:36.399041"}
{"dst_host": "127.0.0.1", "dst_port": 27017, "local_time": "2026-02-05 19:01:36.566237", "local_time_adjusted": "2026-02-05 20:01:36.566263", "logdata": {"action": "mongodb.command", "command": "query:admin.$cmd", "query": "{'ismaster': 1, 'helloOk': True}"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "127.0.0.1", "src_port": 41322, "utc_time": "2026-02-05 19:01:36.566258"}
{"dst_host": "127.0.0.1", "dst_port": 27017, "local_time": "2026-02-05 19:01:36.671337", "local_time_adjusted": "2026-02-05 20:01:36.671359", "logdata": {"action": "mongodb.auth_attempt", "auth_data": "{'saslStart': 1, 'mechanism': 'SCRAM-SHA-1', 'payload': '6e2c2c6e3d4d7250656e69734272656174682c723d366250577763674c56746d516c2f644f4c705942637a68533155764343434333446833516e53487066586b3d', 'autoAuthorize': 1, '$db': 'admin'}", "mechanism": "SCRAM-SHA-1", "username": "MrPenisBreath"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "127.0.0.1", "src_port": 41322, "utc_time": "2026-02-05 19:01:36.671354"}
....and so I have opened 27017 to the Internet!! It seems I get some connections but no auth_attempt methods, I assume because they are hoping the host is impacted by MongoBleed.
My friend wrote a guide which is reasonable, it needs some plumbing across dependencies in the OpenCanary code.
mongodb.py
MONGODB_INSTALLATION_GUIDE.md
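The observation in the post (connections but no auth_attempt) can be checked per session. The following is an added example, not part of the post or of OpenCanary: it groups events by source host and port, labels sessions that never sent credentials, and recovers the SCRAM username from the hex payload when the `username` field is absent. It assumes the field names and the hex-encoded, Python-literal `auth_data` seen in the log lines above; the sample events and addresses are constructed.

```python
import ast
import json
from collections import defaultdict

def _event(host, port, **logdata):  # builds one constructed log line
    return json.dumps({"src_host": host, "src_port": port, "logtype": 20001,
                       "logdata": logdata})

# Constructed sample: a probe-only session, a SCRAM attempt, a truncated line.
_PAYLOAD = "n,,n=backup=2Cadmin,r=Zm9vYmFy".encode().hex()
SAMPLE_LOG = "\n".join([
    _event("192.0.2.10", 41318, action="mongodb.connection"),
    _event("192.0.2.10", 41318, action="mongodb.command",
           command="query:admin.$cmd", query="{'ismaster': 1, 'helloOk': True}"),
    _event("198.51.100.7", 50022, action="mongodb.connection"),
    _event("198.51.100.7", 50022, action="mongodb.auth_attempt",
           auth_data=str({"saslStart": 1, "payload": _PAYLOAD})),
    '{"src_host": "203.0.113.5", "logda',
])

def scram_username(hex_payload):
    """Return the user named in a hex-encoded SCRAM client-first message."""
    try:
        fields = bytes.fromhex(hex_payload).decode("utf-8").split(",")
    except (TypeError, ValueError):
        return None
    for attr in fields[2:]:  # fields[0:2] are the GS2 header
        if attr.startswith("n="):
            return attr[2:].replace("=2C", ",").replace("=3D", "=")
    return None

def triage(log_text):
    """Map (src_host, src_port) -> (verdict, usernames) for mongodb.* events."""
    sessions = defaultdict(lambda: {"auth": False, "users": set()})
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
            data, key = ev["logdata"], (ev["src_host"], ev["src_port"])
            if not data["action"].startswith("mongodb."):
                continue
            session = sessions[key]
            if data["action"] == "mongodb.auth_attempt":
                session["auth"] = True
                auth = ast.literal_eval(data.get("auth_data", "{}"))
                session["users"].add(data.get("username")
                                     or scram_username(auth.get("payload")))
        except (AttributeError, KeyError, SyntaxError, TypeError, ValueError):
            continue  # truncated line or unexpected field shape
    return {k: ("credential_attempt" if s["auth"] else "probe_no_auth",
                sorted(s["users"] - {None})) for k, s in sessions.items()}
```

Feeding it the honeypot's JSON log file contents in place of `SAMPLE_LOG` gives one verdict per TCP session, which makes a run of `probe_no_auth` sources easy to count.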