Skip to main content


Default Port: 5432

PostgreSQL, also known as Postgres, is a powerful open-source object-relational database system. It has earned a strong reputation for its proven architecture, reliability, data integrity, robust feature set, and extensibility.


Connect with psql

psql -h <target-host> -p <port> -U <username> -W


Identify PostgreSQL

To identify the presence of PostgreSQL, nmap can be quite handy:

nmap -sV -p 5432 <target-host>

This scans for open PostgreSQL services running on their default port (5432) and attempts to determine the version.

Version Enumeration

Knowing the version of PostgreSQL can give insights into specific vulnerabilities:

nmap -sV --script=postgresql-info -p 5432 <target-host>

Attack Vectors

Default Credentials

Many PostgreSQL installations use default or weak credentials. Attempt to log in using common defaults like postgres for both username and password.

Brute Forcing Credentials with Hydra

Before gaining access, it might be necessary to brute force credentials. Tools like Hydra can help in this regard:

hydra -L userlist.txt -P passlist.txt <target-ip> postgres

Exploiting Known Vulnerabilities

Check for publicly known vulnerabilities in the specific PostgreSQL version using tools like searchsploit:

searchsploit postgresql <version>


Enumerating Databases and Tables

Upon gaining access, enumerating the databases and tables helps in understanding the structure and finding sensitive information.

List all databases


Switch to a database

\c <database_name>

List tables in the current database:


Extract data from a specific table:

SELECT * FROM <table_name>;

Dumping Hashes

SELECT usename, passwd FROM pg_shadow;

These hashes can be attempted to crack with tools like John The Ripper or hashcat.

Accessing File System

PostgreSQL can interact with the underlying file system. With enough privileges, an attacker could read or write files, depending on the database’s permissions:

COPY (SELECT * FROM sensitive_table) TO '/tmp/sensitive_data.txt';