MySQL Penetration Testing with Nmap

In this article, we discuss MySQL penetration testing with Nmap, where you will learn how to retrieve database information such as database names, table records, usernames, passwords and so on.

MySQL is an open-source relational database management system that uses Structured Query Language (SQL) to work with database records.

Let’s Begin !!!

Scanning for port 3306

Open a terminal and type the following command to check whether the MySQL service is running on the target system. By default the MySQL service listens on port 3306.

From the given image you can observe that port 3306 is open for the MySQL service; now let's enumerate it.

Retrieve MySQL information

Now type another command to retrieve MySQL information such as version, protocol and so on:

The above command connects to the MySQL server and prints information such as the protocol: 10, version number: 5.5.57-0ubuntu0.14.04.1, thread ID: 159, status: autocommit, capabilities, and the password salt, as shown in the image below.

Brute force attack

This command uses dictionaries of usernames and passwords and tries each username and password combination in a brute-force attack against MySQL.

From the given image you can observe that it found the valid credential root:toor. This credential can then be used to log in to the MySQL server.
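As an added defender-side example (not from this article), here is the flip side of the brute-force step above: a small detector that reads MySQL error-log lines and flags any source host that racks up failed logins in a short window. The log lines are constructed in the MySQL 5.5 error-log style (MySQL only writes "Access denied" lines at log_warnings=2 or higher), and the window and threshold are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in MySQL 5.5 error-log style (needs log_warnings=2); not from any real host.
SAMPLE_LOG = """\
190304 10:15:01 [Warning] Access denied for user 'root'@'192.168.1.10' (using password: YES)
190304 10:15:01 [Warning] Access denied for user 'root'@'192.168.1.10' (using password: YES)
190304 10:15:02 [Warning] Access denied for user 'admin'@'192.168.1.10' (using password: YES)
190304 10:15:02 [Warning] Access denied for user 'root'@'192.168.1.10' (using password: YES)
190304 10:15:03 [Warning] Access denied for user 'sr'@'192.168.1.10' (using password: YES)
190304 10:15:03 [Warning] Access denied for user 'st'@'192.168.1.10' (using password: YES)
190304 10:20:00 [Warning] Access denied for user 'alice'@'192.168.1.50' (using password: YES)
190304 10:45:00 [Warning] Access denied for user 'alice'@'192.168.1.50' (using password: NO)
190304 10:45:05 [Note] Some unrelated server message
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{6} \d{2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)'"
)

def parse_failures(log_text):
    """Yield (timestamp, user, host) for each failed-login line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%y%m%d %H:%M:%S"), m["user"], m["host"]

def detect_bruteforce(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {host: (max_failures_in_window, distinct_users_tried)} for every source
    host whose failed logins inside a sliding time window reach the threshold."""
    by_host = defaultdict(list)
    for ts, user, host in parse_failures(log_text):
        by_host[host].append((ts, user))
    alerts = {}
    for host, events in by_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide window forward
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(host, (0, 0))[0]:
                users = {u for _, u in events[start:end + 1]}
                alerts[host] = (count, len(users))
    return alerts
```

A dictionary attack like the one above shows up as many failures from one host across several usernames within seconds, while the second host in the sample (two failures 25 minutes apart) stays below the threshold.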

Retrieve MySQL usernames

This command fetches the MySQL usernames using the supplied arguments mysqluser root and mysqlpass toor.

From the image below you can see that we found four usernames: root, Debian-sys-maint, sr, st.

Retrieve database names

This command fetches the MySQL database names using the supplied arguments mysqluser root and mysqlpass toor.

From the image below you can read the name of the created database, such as ignite.

This command performs the same task as above but retrieves the database names with the MySQL query "show databases".

From the image below you can read the name of the created database, such as ignite.

Retrieve MySQL variable status ON/OFF

When we want to pass a value from one SQL statement to another, we store the value in a MySQL user-defined variable.

This command fetches the MySQL variable names using the supplied arguments mysqluser root and mysqlpass toor.

From the given image you can observe the ON/OFF status of each MySQL variable.

Retrieve Hash Dump

This command dumps the password hashes from a MySQL server in a format suitable for cracking by tools such as John the Ripper.

From the given image you can observe that it has dumped the password hashes of the respective users we enumerated above.

Author: Sanjeet Kumar is an Information Security Analyst, Pentester and Researcher.

Understanding Nmap Scan with Wireshark

In this article, you will learn how to capture network packets with Wireshark while an attacker scans a target using Nmap port-scanning methods. You will notice how Wireshark captures different network traffic for open and closed ports.

Note: The practical below is performed with the same IP address (192.168.1.102), which you will notice is common to our Windows and Linux machines; you may differentiate them by their MAC addresses in this case.

Let’s start!!!

TCP Scan

A TCP scan checks TCP ports such as 22, 21, 23 and 445 and confirms a listening (open) port through a three-way handshake between the source and destination ports. If the port is open, the source sends a SYN packet, the destination responds with a SYN, ACK packet, the source then sends an ACK packet, and finally the source sends RST, ACK packets.

Type the following Nmap command for the TCP scan and, at the same time, start Wireshark to capture the packets sent.

From the given image you can observe the result that port 445 is open.

Look at the sequence of packets between source and destination captured by Wireshark.

You will notice that it captured the same sequence of flags as described above:

  • Source sent a SYN packet to the destination
  • Destination sent SYN, ACK to the source
  • Source sent an ACK packet to the destination
  • Source again sent RST, ACK to the destination

Let's look at the traffic for a closed port. As the given image shows, if the scanned port is closed, the three-way handshake cannot complete between source and destination.

The source sends a SYN packet, and if the port is closed the receiver responds with RST, ACK.

Type the following Nmap command for the TCP scan and, at the same time, start Wireshark to capture the packets sent.

From the given image you can observe the result that port 3389 is closed.

Look at the sequence of packets between source and destination captured by Wireshark.

You will notice that it captured the same sequence of flags as described above:

  • Source sent a SYN packet to the destination
  • Destination sent a RST, ACK packet to the source

Stealth Scan

SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections.

The port is also considered open if a SYN packet (without the ACK flag) is received in response.

This technique is often referred to as half-open scanning because you don't open a full TCP connection. You send a SYN packet as if you are going to open a real connection and then wait for a response. A SYN, ACK indicates the port is listening (open).

Type the following Nmap command for the stealth scan and, at the same time, start Wireshark to capture the packets sent.

From the given image you can observe the result that port 22 is open.

Look at the sequence of packets between source and destination captured by Wireshark:

  • Source sent SYN packets to the destination
  • Destination sent SYN, ACK packets to the source
  • Source sent RST packets to the destination

Now let's look at the traffic for a closed port with a stealth scan. When the source sends a SYN packet to a specific port and that port is closed, the destination replies with an RST packet.

Type the following Nmap command for the stealth scan and, at the same time, start Wireshark to capture the packets sent.

From the given image you can observe the result that port 3389 is closed.

Look at the sequence of packets between source and destination captured by Wireshark:

  • Source sent SYN packets to the destination
  • Destination sent RST, ACK packets to the source

Fin Scan

A FIN packet is normally used to terminate the TCP connection between the source and destination ports after the data transfer is complete. In place of a SYN packet, Nmap starts a FIN scan with a FIN packet. If the port is open, no response comes back from the destination port when the source sends the FIN packet.

FIN scans only work against Linux machines and do not work on the latest versions of Windows.

Type the following Nmap command for the FIN scan and, at the same time, start Wireshark to capture the packets sent.

From the given image you can observe the result that port 22 is open.

Look at the sequence of packets between source and destination captured by Wireshark:

  • Source sent FIN packets to the destination
  • Destination sent no reply to the source

Similarly, if a FIN scan is performed against a closed port, the source sends a FIN packet to the specific port and the destination replies with RST, ACK packets.

Type the following Nmap command for the FIN scan and, at the same time, start Wireshark to capture the packets sent.

From the given image you can observe the result that port 3389 is closed.

Look at the sequence of packets between source and destination captured by Wireshark:

  • Source sent FIN packets to the destination
  • Destination sent RST packets to the source

Null Scan

A Null scan is a series of TCP packets with no flags set (the flag field is all zeros, 0000000); since no flags are set, the destination does not know how to reply to the request. It discards the packet and sends no reply, which indicates that the port is open.

Null scans only work against Linux machines and do not work on the latest versions of Windows.

Type the following Nmap command for the Null scan and, at the same time, start Wireshark to capture the packets sent.

From the given image you can observe the result that port 22 is open.

Look at the sequence of packets between source and destination captured by Wireshark:

  • Source sent Null packets to the destination
  • Destination sent no reply to the source

If the port is closed, the destination sends an RST, ACK packet in response when the source sends Null packets to a specific port.

Type the following Nmap command for the Null scan and, at the same time, start Wireshark to capture the packets sent.

From the given image you can observe the result that port 3389 is closed.

Look at the sequence of packets between source and destination captured by Wireshark:

  • Source sent Null (no-flag) packets to the destination
  • Destination sent RST, ACK to the source

UDP Scan

A UDP scan works by sending a UDP packet to every destination port; UDP is a connectionless protocol. For some common ports such as 53 and 161, a protocol-specific payload is sent to increase the response rate; if a service responds with a UDP packet, that proves the port is open. If no response is received after retransmissions, the port is classified as open|filtered. This means that the port could be open, or perhaps packet filters are blocking the communication.

Type the following Nmap command for the UDP scan and, at the same time, start Wireshark to capture the packets sent.

From the given image you can observe the result that port 161 is open.

Look at the sequence of packets between source and destination captured by Wireshark:

  • Source sent UDP packets to the destination
  • Destination sent a UDP packet with some data to the source

Similarly, if the source sends a UDP packet to a closed port on the destination, the destination replies with an ICMP port unreachable packet carrying the appropriate error.

Type the following Nmap command for the UDP scan and, at the same time, start Wireshark to capture the packets sent.

From the given image you can observe the result that port 53 is closed.

Look at the sequence of packets between source and destination captured by Wireshark:

  • Source sent UDP packets to the destination
  • Destination sent an ICMP port unreachable packet to the source

Xmas Scan

This scan manipulates the PSH, URG and FIN flags of the TCP header: it sets FIN, PSH and URG together, lighting the packet up like a Christmas tree. When the source sends a FIN, PSH, URG packet to a specific port and the port is open, the destination discards the packet and sends no reply to the source.

Xmas scans only work against Linux machines and do not work on the latest versions of Windows.

Type the following Nmap command for the Xmas scan and, at the same time, start Wireshark to capture the packets sent.

From the given image you can observe the result that port 22 is open.

Look at the sequence of packets between source and destination captured by Wireshark:

  • Source sent FIN, PSH and URG packets to the destination
  • Destination sent no reply to the source

Similarly, if the source sends FIN, PSH and URG packets to a specific port and the port is closed, the destination sends RST, ACK packets to the source.

Type the following Nmap command for the Xmas scan and, at the same time, start Wireshark to capture the packets sent.

From the given image you can observe the result that port 3389 is closed.

Look at the sequence of packets between source and destination captured by Wireshark:

  • Source sent FIN, PSH and URG packets to the destination
  • Destination sent a RST, ACK packet to the source
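The flag sequences listed for the TCP connect, SYN, FIN, Null, Xmas and UDP scans above are exactly what a defender can match on in a capture. As an added example (not from this article), the function below takes packet records of the kind a Wireshark or tshark export yields, groups them per probed port, names the probe type from the scanner's flags, and infers the port state the scanner would have concluded from the reply. The packet records and the scanner/target addresses are constructed for the example.

```python
from collections import defaultdict
# Constructed packet records standing in for a Wireshark export of the exchanges above (not
# a real capture). "flags" is the TCP flag set; "icmp-unreach" marks an ICMP port unreachable.
SCANNER, TARGET = "192.168.1.10", "192.168.1.102"
PACKETS = [
    {"proto": "tcp", "src": SCANNER, "dst": TARGET, "port": 445, "flags": {"SYN"}},
    {"proto": "tcp", "src": TARGET, "dst": SCANNER, "port": 445, "flags": {"SYN", "ACK"}},
    {"proto": "tcp", "src": SCANNER, "dst": TARGET, "port": 445, "flags": {"ACK"}},
    {"proto": "tcp", "src": SCANNER, "dst": TARGET, "port": 445, "flags": {"RST", "ACK"}},
    {"proto": "tcp", "src": SCANNER, "dst": TARGET, "port": 22, "flags": {"SYN"}},
    {"proto": "tcp", "src": TARGET, "dst": SCANNER, "port": 22, "flags": {"SYN", "ACK"}},
    {"proto": "tcp", "src": SCANNER, "dst": TARGET, "port": 22, "flags": {"RST"}},
    {"proto": "tcp", "src": SCANNER, "dst": TARGET, "port": 3389, "flags": {"FIN", "PSH", "URG"}},
    {"proto": "tcp", "src": TARGET, "dst": SCANNER, "port": 3389, "flags": {"RST", "ACK"}},
    {"proto": "tcp", "src": SCANNER, "dst": TARGET, "port": 80, "flags": set()},
    {"proto": "udp", "src": SCANNER, "dst": TARGET, "port": 53, "flags": set()},
    {"proto": "icmp-unreach", "src": TARGET, "dst": SCANNER, "port": 53, "flags": set()},
]
PROBE_NAMES = {frozenset({"SYN"}): "SYN", frozenset({"FIN"}): "FIN",
               frozenset(): "Null", frozenset({"FIN", "PSH", "URG"}): "Xmas"}

def classify(packets, scanner, target):
    """Return {port: (probe_type, inferred_state)} from the flag sequences per probed port."""
    flows = defaultdict(list)
    for p in packets:
        flows[p["port"]].append(p)
    result = {}
    for port, pkts in flows.items():
        first = pkts[0]                      # the scanner's probe opens each flow
        if first["proto"] == "udp":          # UDP: data back = open, ICMP unreachable = closed
            replies = {p["proto"] for p in pkts if p["src"] == target}
            state = "open" if "udp" in replies else "closed" if "icmp-unreach" in replies else "open|filtered"
            result[port] = ("UDP", state)
            continue
        probe = PROBE_NAMES.get(frozenset(first["flags"]), "other")
        replies = [frozenset(p["flags"]) for p in pkts if p["src"] == target]
        follow_ups = [frozenset(p["flags"]) for p in pkts[1:] if p["src"] == scanner]
        if frozenset({"SYN", "ACK"}) in replies:
            state = "open"
            if frozenset({"ACK"}) in follow_ups:  # handshake completed, then RST,ACK: connect scan
                probe = "TCP connect"
        elif any("RST" in r for r in replies):
            state = "closed"                 # RST or RST,ACK answers the probe
        else:                                # silence: open|filtered for FIN/Null/Xmas
            state = "open|filtered" if probe in ("FIN", "Null", "Xmas") else "filtered"
        result[port] = (probe, state)
    return result
```

The connect-versus-SYN distinction rests on the detail the TCP and stealth sections show: only a connect scan sends the third-handshake ACK before tearing the connection down.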

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast.

Exploiting Sql Injection with Nmap and Sqlmap

This article shows how to scan a target for SQL injection using Nmap and then exploit the target with sqlmap if Nmap finds it vulnerable to SQL injection. Follow this tutorial for the details.

First, type www.vulnweb.com in the URL bar to browse the Acunetix test web applications. Then click the link given for Acuart, as shown in the screenshot.

The required web page opens; testphp.vulnweb.com is our target host, and we now scan this target with Nmap to identify possible SQL injection points.

Nmap has an NSE script for HTTP SQL injection vulnerabilities (http-sql-injection) that scans a web application for SQL injection.

It spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack. It also extracts forms from the pages it finds and tries to identify fields that are vulnerable.

The script spiders an HTTP server looking for URLs containing queries. It then combines crafted SQL commands with susceptible URLs in order to provoke errors. The errors are analyzed to see if the URL is vulnerable to attack. This uses the most basic form of SQL injection; anything more complicated is better suited to a standalone tool.

We may not have access to the target web server's true hostname, which can prevent access to virtually hosted sites.

Now type the following command to scan the target for SQL injection possibilities.

From the screenshot, you can see that it has listed the queries that may be injectable. Now let's open this query in the browser.

Note: please remove http:// from the resultant queries while browsing.

This page shows a message or warning about an error in the database query. Now let's attempt SQL injection by feeding the SQLi query reported by Nmap into sqlmap, to find out whether Nmap's result is a genuine SQL injection vulnerability.

Open a terminal in Kali Linux and type the following sqlmap command:

We have obtained the database name by running Nmap's resultant SQLi query through sqlmap. You can read the database name acuart in the given screenshot.

Now try to retrieve all the data under this URL by typing the following command.

This will dump all available information in the database. Now try it yourself.
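The error-based check described above works only because the page pastes a request parameter straight into the SQL text and then returns the raw database error. As an added example (not code from the article or from the test site), the two functions below show that pattern beside its hardened form, using an in-memory SQLite table constructed for the example; the table and column names are assumptions, not the target site's real schema.

```python
import sqlite3

def make_db():
    """Constructed in-memory table mirroring the kind of artist listing on the target site."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE artists (artist_id INTEGER PRIMARY KEY, aname TEXT)")
    conn.executemany("INSERT INTO artists VALUES (?, ?)", [(1, "r4w8173"), (2, "Blad3")])
    return conn

def lookup_vulnerable(conn, artist_param):
    """The pattern error-based detection relies on: the request parameter is pasted into
    the SQL text, so a stray quote breaks the statement and the raw database error
    is handed back to the client (which is what the scanner looks for in the response)."""
    try:
        sql = "SELECT aname FROM artists WHERE artist_id=" + artist_param
        return "ok", [row[0] for row in conn.execute(sql).fetchall()]
    except sqlite3.Error as e:
        return "error", str(e)

def lookup_parameterized(conn, artist_param):
    """Hardened form: validate the type, bind the value so it is never parsed as SQL,
    and never echo driver error text to the client."""
    try:
        artist_id = int(artist_param)
    except ValueError:
        return "error", "invalid artist id"
    rows = conn.execute("SELECT aname FROM artists WHERE artist_id=?", (artist_id,)).fetchall()
    return "ok", [row[0] for row in rows]
```

With a single quote appended to the parameter, the vulnerable lookup leaks the driver's syntax error while the parameterized one rejects the input with a generic message and gives the scanner nothing to analyze.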

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast.

Password Cracking using Nmap

In the previous practical I used basic commands to scan the victim's PC and found open ports such as FTP, SSH, Telnet, SNMP and so on. You can check it from here. But now the question is: if we have found open ports, what else can we do to retrieve the victim's information using Nmap scripts? Read ahead to find out.

FTP BRUTE

Crack the password using the Nmap brute script for FTP.

nmap -p21 --script ftp-brute.nse --script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt 192.168.1.105

From the scanning result I successfully got the FTP password of the victim PC: msfadmin:msfadmin as username and password.

TELNET BRUTE

Crack the password using the Nmap brute script for Telnet.

nmap -p23 --script telnet-brute.nse --script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt 192.168.1.105

I successfully got the Telnet password of the victim PC: msfadmin:msfadmin as username and password.

SMB BRUTE

Crack the password using the Nmap brute script for SMB.

nmap -p445 --script smb-brute.nse --script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt 192.168.1.105

I successfully got the SMB passwords of the victim PC: msfadmin:msfadmin and user:user as username and password.

MYSQL BRUTE

Crack the password using the Nmap brute script for the MySQL server.

nmap -sT -p3306 --script mysql-brute.nse --script-args userdb=/root/Desktop/user.txt 192.168.1.105

Here I found two users, root and guest, with empty passwords on the MySQL server.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast.