NashTech Blog

Get in touch

PostgreSQL Security – How Weak Passwords And Unencrypted Connections Invite Hackers

Picture of Deepansh Gupta
Deepansh Gupta
Table of Contents
postgresql security

Cybersecurity threats are real in today’s world and it is up to us to make sure that our applications are safe and secure. While companies invest heavily in firewalls, intrusion detection systems, and endpoint protection, some simple overlook might cost you your application’s integrity. Perhaps the most critical and basic vulnerability that you should always cover should be: weak passwords and unencrypted connections. This is extremely important in the case of PostgreSQL security.

While PostgreSQL stands out for its robustness and flexibility, even such powerful tools can be rendered vulnerable when not configured correctly. When weak passwords and unencrypted connections are present in your system, its surprisingly easy to exploit them.

In this blog, we will focus on how weak password and unencrypted connection together provide a recipe for disaster. We will look at how I exploited PostgreSQL server using tcpdump and Metasploit. This real-world example shows just how quickly things can go wrong- and how you can protect against it.

Pitfalls Of Weak Password

One of the most prevalent security vulnerabilities is using weak passwords. Many users continue to use simple, easily guessed passwords, such as their birthdates or 123456. This is how hackers exploit it:

  • Brute Force Attacks: Attackers attempt thousands of password combinations in a matter of seconds using automated tools. It won’t take long for someone to figure out your weak password.
  • Credential stuffing: Taking advantage of the fact that people reuse passwords, hackers will attempt to access your password across various websites, including bank accounts, emails, and corporate systems, if it was compromised in a data breach.
  • Social engineering: Attackers can guess your password with startling accuracy if they have access to personal information that is readily available online, such as the name of your pet or your favourite team.

Why Unencrypted Connections Are Goldmine for Hackers

Data sent over the internet without encryption (using HTTP rather than HTTPS) is like sending a postcard; anyone who intercepts it can read it. Man-in-the-Middle (MitM) attacks are useful in this situation. Hackers are able to:

  • Eavesdrop on Data: Private messages, credit card numbers, and login information can all be intercepted and taken.
  • Inject Malicious Code: Cybercriminals have the ability to alter data transmission by inserting malicious code or directing users to phoney websites.
  • Hijack Sessions: Hackers can pose as users and obtain unauthorised access to their accounts by stealing session cookies.

Exploitation Phase Of PostgreSQL

1. The Setup: Misconfigured PostgreSQL Instance

During a penetration test, I discovered that a PostgreSQL instance was exposed for our application over the network. I used nmap for this discovery. When I discovered the open port for PostgreSQL, I reached out to the development team to get more info about the open port. After a quick review, two misconfigurations stood out:

  • Server did not have TLS configuration enforced for client connections
  • Weak password was being used for one of the accounts

Together these could be easily exploited by a hacker to enter into the PostgreSQL server. I wanted to showcase this to my team about how dangerous this is, so I decided to do a penetration testing and show how an attacker can easily break the PostgreSQL security posture.

2. Phase One: Intercepting Credentials with tcpdump

Since the connection was not encrypted, I used tcpdump to monitor traffic between the PostgreSQL client and server. tcpdump is a powerful command-line packet analyser that can be used for network traffic capture. It is often used by security professionals to intercept unencrypted network communication, which is exactly what we want to do with our network for this penetration testing.

To intercept the traffic on our network, we used the following command in our Kali Linux:

sudo tcpdump -i eth0 port 5432 -A
  • -i eth0 – This specifies the interface to listen on. Here, eth0 is the name of the network interface (like a wired Ethernet connection). You can replace eth0 with your actual interface (e.g., ens33, wlan0).
  • port 5432 – Default port for PostgreSQL which is used here to filter traffic going through this port.
  • -A – This displays the packet content in human readable format. It is useful when you want to read the credentials in plain text.

After running this command, you can now try to login to PostgreSQL server and see the traffic flowing. I could see the username in plain text easily, however the password was encrypted in MD5 hash. While MD5 hash is not the most secure encryption, PostgreSQL security makes sure to encrypt not just the password but a combination of username, password and a random word due to which it would not be easy to decrypt the credentials.

However, we already got one half of our mystery which is the username. Now that we have the username, let us see how we can try to brute force the password with Metasploit to break the PostgreSQL security.

Phase Two: Using Metasploit to Exploit Weak Password

With the username in hand, let us see how metasploit helps with the other half. Metasploit is an open-source penetration testing framework used to simulate real-world attacks and automate exploitation of known vulnerabilities. Make sure it is installed before running following commands:

1. Launch Metasploit
msfconsole
2. Use the PostgreSQL login scanner
use auxiliary/scanner/postgres/postgres_login
3. Set targets and credentials
set RHOSTS <postgresql_host_name>
set USERNAME <postegresql_found_via_tcpdump>
set PASSWORD /usr/share/wordlists/rockyou.txt
run

Once you have entered the run command, it will try different combinations of default passwords with the username you have provided. If any of those are passed, then connection is successfully established and you have shown the exploit successfully.

How To Protect Your PostgreSQL Security

Now that we have looked at how to exploit these vulnerabilities, let us look at how we can save ourselves from such security issues:

  • Postgresql.conf and pg_hba.conf should have TLS connections enforced.
  • Create strong, one-of-a-kind passwords for every database account.
  • If at all possible, disable remote access and restrict PostgreSQL to localhost or certain IP ranges.
  • To restrict access to port 5432, use firewalls.
  • To make sure credentials aren’t leaking, use tools like Wireshark or tcpdump to monitor traffic.

Conclusion

This real-world test demonstrated how weak passwords, and unencrypted connections can make it very simple to compromise even a robust database like PostgreSQL. In just a few minutes, I was able to obtain complete control of the server and capture credentials using programs like Metasploit and tcpdump.

Spend some time auditing your configurations if you’re using PostgreSQL in a staging or production environment. Make sure your connections are encrypted. Make sure your credentials are strong. Simple configuration errors shouldn’t be your weakest point.

Also read: Integrating AI with Automated Reconnaissance Testing

Also read: Comprehensive PostgreSQL security checklist

Picture of Deepansh Gupta

Deepansh Gupta

Deepansh is a Quality Analyst with 3+ years of experience in both manual and automation testing. He has worked on various tech stacks which include technologies such as Selenium, RestAssured, Gatling among others.

Leave a Comment

Your email address will not be published. Required fields are marked *

Suggested Article

Scroll to Top