Penetration Testing on PostgreSQL (5432)

In this post, we will demonstrate how to set up our own vulnerable PostgreSQL instance for penetration testing on Ubuntu 20.04, and how to conduct PostgreSQL penetration testing against it.

Table of Content

  • Pre-requisites
  • PostgreSQL Setup on Ubuntu 20.04
  • PostgreSQL Penetration Testing
  • Scanning: Nmap
  • Brute force: Hydra
  • Access Postgres Shell
  • Exploiting: Metasploit
      • Module 1: Postgres Readfile
      • Module 2: Banner Grabbing for Postgres_sql
      • Module 3: Dumping Password Hashes
      • Module 4: Pwn Postgres Shell

Pre-requisites:

Target: Ubuntu

Attacker: Kali Linux

PostgreSQL Setup on Ubuntu 20.04

PostgreSQL, also known as Postgres, is an open-source, advanced object-relational database. It is a powerful, high-performance database management system released under a flexible BSD-style license.

To configure PostgreSQL on your Ubuntu platform, the following prerequisites are required for installation:

  • Ubuntu 20.04
  • Root Privileges

Install PostgreSQL and All Dependencies

PostgreSQL is available in the Ubuntu repository, so you only need to install it with the apt command.

During installation, a prompt asks you to confirm whether you want to continue; press ‘y’ to proceed with the installation.

Once the installation is complete, start the PostgreSQL service and enable it at system boot by entering the following command:

Set the PostgreSQL User Password

You can set a password for the PostgreSQL user. The following command changes the default user’s password: a prompt asks you to enter the new password, and on success the message ‘password updated successfully’ is displayed. Next, log in to the database shell as that user with the following command:

Create a database and user roles

You can create new databases and users using the PostgreSQL shell as follows:

Enter the following command to list the databases:

By default, PostgreSQL listens only on the local interface, 127.0.0.1. For remote access, you need to make some changes in the configuration file, which you open with the following command:

Under the connection settings, uncomment the listen_addresses line and set listen_addresses = ‘*’.

Now restart the PostgreSQL service by entering the following command:
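The listen_addresses change above, together with the pg_hba.conf check a practitioner wants next to it, as an added Python example that is not part of the original post: set_listen_addresses rewrites the (usually commented-out) line, and remote_password_rules lists the pg_hba.conf entries that actually admit a remote password login, since opening listen_addresses alone does not let a client on another host in. File contents are passed in as strings; the function names are this example’s own.

```python
import re

# Matches the listen_addresses line whether or not it is still commented out.
LISTEN = re.compile(r"^[ \t]*#?[ \t]*listen_addresses[ \t]*=.*$", re.M)

def set_listen_addresses(conf_text, value="*"):
    """Return postgresql.conf text with listen_addresses active and set to value.
    The stock file ships the line as #listen_addresses = 'localhost'; leaving
    the '#' in place keeps the server bound to 127.0.0.1 only."""
    new_line = f"listen_addresses = '{value}'"
    if LISTEN.search(conf_text):
        return LISTEN.sub(new_line, conf_text, count=1)
    return conf_text.rstrip("\n") + "\n" + new_line + "\n"

def parse_pg_hba(hba_text):
    """Parse pg_hba.conf into (type, database, user, address, method) tuples."""
    rules = []
    for line in hba_text.splitlines():
        f = line.split("#", 1)[0].split()   # drop comments and blank lines
        if not f:
            continue
        if f[0] == "local" and len(f) >= 4:
            rules.append(("local", f[1], f[2], None, f[3]))
        elif f[0] in ("host", "hostssl", "hostnossl") and len(f) >= 5:
            if len(f) >= 6 and not f[4][0].isalpha():   # 'IP netmask' form
                rules.append((f[0], f[1], f[2], f[3] + " " + f[4], f[5]))
            else:
                rules.append((f[0], f[1], f[2], f[3], f[4]))
    return rules

LOCAL_ONLY = ("127.0.0.1/32", "::1/128", "samehost")
PASSWORD_METHODS = ("md5", "scram-sha-256", "password")

def remote_password_rules(hba_text):
    """Rules that admit a non-local client with a password: once listen_addresses
    is opened up, these are the entries a network login guesser can reach."""
    return [r for r in parse_pg_hba(hba_text)
            if r[0] != "local" and r[3] not in LOCAL_ONLY and r[4] in PASSWORD_METHODS]
```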

Let’s start Pentesting PostgreSQL

In this section, you will learn how to compromise database credentials using different techniques.

Let’s fire up the attacking machine, Kali Linux.

Nmap

By default, the PostgreSQL service runs on port 5432. With the help of Nmap, let’s identify the state of that port.

As you can see, it shows port 5432 open for PostgreSQL.

Password Cracking

Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.

Let’s brute-force the target. To perform this attack, use the following command, where the -L option specifies the username dictionary and the -P option specifies the password dictionary.

As you can see above, we have successfully dumped the credentials; you can use them to gain access to the database.

Connect to Database Remotely

Kali Linux ships with the psql utility, which allows you to authenticate to a PostgreSQL database when the username and password are already known.

As we already have the correct credentials for the database:

Metasploit

As we know Metasploit comes preinstalled with Kali Linux, so our first step is to get to the Metasploit console.

Module 1: Postgres Readfile

The postgres_readfile module, when provided with credentials (e.g. superuser account) for a PostgreSQL server, will read and display files of your choosing on the server.

Module 2: Banner Grabbing for Postgres_sql

The postgres_sql module, when provided with valid credentials for a PostgreSQL server, will perform queries of your choosing and return the results.

Module 3: Dumping Password Hashes

As we have the credentials of the database admin, we use this one-liner in Metasploit to dump all the user hashes:

Module 4: Pwn Postgres Shell

Installations running Postgres 9.3 and above have functionality which allows the superuser and users with ‘pg_execute_server_program’ to pipe to and from an external program using COPY. This allows arbitrary command execution as though you had console access. This module attempts to create a new table, then execute system commands in the context of copying the command output into the table.

Now that we have gained access to the database, you can observe that we obtain a command session, which we later upgrade to a Meterpreter session.
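The defender-side view of the techniques in this section (the Hydra guessing, the hash dump and the COPY ... FROM PROGRAM execution), as an added example that is not part of the original post: the detector below runs over constructed PostgreSQL log lines and reports hosts with a burst of failed password logins, plus any logged statement that touches server files, OS commands or the pg_shadow hash view. It assumes the server logs with log_line_prefix = '%m [%p] %u@%d %h ' and log_statement = 'all'.

```python
import re
from collections import Counter

# Constructed sample lines in PostgreSQL's stderr log format, assuming
# log_line_prefix = '%m [%p] %u@%d %h ' and log_statement = 'all'.
SAMPLE_LOG = """\
2024-05-01 10:00:01.101 UTC [2311] postgres@postgres 10.0.0.9 FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:01.133 UTC [2312] postgres@postgres 10.0.0.9 FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:01.160 UTC [2313] admin@postgres 10.0.0.9 FATAL:  password authentication failed for user "admin"
2024-05-01 10:00:01.190 UTC [2314] postgres@postgres 10.0.0.9 FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:01.220 UTC [2315] postgres@postgres 10.0.0.9 FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:07.004 UTC [2320] postgres@postgres 10.0.0.9 LOG:  statement: select usename, passwd from pg_shadow
2024-05-01 10:00:09.512 UTC [2320] postgres@postgres 10.0.0.9 LOG:  statement: CREATE TABLE cmd_out(line text)
2024-05-01 10:00:09.540 UTC [2320] postgres@postgres 10.0.0.9 LOG:  statement: COPY cmd_out FROM PROGRAM 'id'
2024-05-01 10:00:15.000 UTC [2330] app@shop 10.0.0.21 LOG:  statement: select * from orders where id = 42
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@ ]+)@(?P<db>\S+) "
                  r"(?P<host>\S+) (?P<level>[A-Z]+):  (?P<msg>.*)$")
AUTH_FAIL = "password authentication failed"
# Statements that reach server files or the OS (COPY ... PROGRAM, pg_read_file,
# pg_ls_dir), or that read the password hash view pg_shadow.
RISKY_SQL = re.compile(r"\b(COPY\b.*\b(FROM|TO)\s+PROGRAM\b|pg_read_file|pg_ls_dir|pg_shadow)", re.I)

def parse_log(log_text):
    """Yield one dict per well-formed log line."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groupdict()

def find_brute_force(log_text, threshold=5):
    """Client hosts with at least `threshold` failed password logins."""
    fails = Counter(e["host"] for e in parse_log(log_text) if AUTH_FAIL in e["msg"])
    return {host: n for host, n in fails.items() if n >= threshold}

def find_risky_statements(log_text):
    """(user, host, sql) for each logged statement matching RISKY_SQL."""
    prefix = "statement: "
    return [(e["user"], e["host"], e["msg"][len(prefix):])
            for e in parse_log(log_text)
            if e["msg"].startswith(prefix) and RISKY_SQL.search(e["msg"])]
```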

Now we have full access to the database. In this way we can test for Postgres loopholes and submit the findings to the network admin 😊.

Author – Vijay is a Certified Ethical Hacker, Technical writer and Penetration Tester at Hacking Articles. Technology and Gadget freak. Contact Here

Docker for Pentester: Pentesting Framework

As we all know, we now live in the world of virtualization; most organizations rely completely on virtual services, such as cloud and containers, to fulfil their hardware and software requirements. Containers like Docker are also a popular technique used by organizations to build a virtual application environment.

Today in this post we are setting up a Docker-based penetration testing environment for pentesters, to make the installation and configuration of various pentesting tools simple and fast.

Table of Content

  • WPScan
  • Sqlmap
  • Dirbuster
  • Nmap
  • Python HTTP Server
  • John the Ripper
  • Metasploit
  • Powershell Empire
  • Impacket

WPScan

Now let’s continue with our first pentest tool, WPScan, which is used to scan websites built on the WordPress CMS. Open the terminal on your local machine and execute the following command as a superuser; it downloads and builds the Docker image.

So we have a WordPress pentest lab; you can create your own WordPress pentest lab and learn more from here.

To use the WPScan Docker image, you just need to run the following command and start pentesting your WordPress site.

SQLmap

Having shown you how to build your own Docker-based penetration assessment platform, our next important pentesting tool is SQLMAP, for SQL injection testing on our website. Run the next command, which pulls the SQLMAP Docker image.

Assume testphp.vulnweb.com is the target website I would like to test for SQL injection with sqlmap.

To use the SQLMAP Docker image, you only need to run the following command and start SQL injection testing.

Dirbuster

Move on to our next pentest tool, “Dirbuster”, which digs out web directories and pages to reveal sensitive data stored in the web application. Run the following command to pull the Dirbuster Docker image.

To use Dirbuster’s Docker image, you only need to run the following command and start enumerating web directories.

Nmap

How could we leave out network scanning’s most effective tool, my favourite Nmap 😊? So, run the command below without wasting time and follow the steps.

Hopefully you already know Nmap and its commands; I’m just showing you how to use the Nmap Docker image for network scanning.

HTTP Python Server

File transfer is another big part of penetration testing and we should not ignore it, so here I’m going to pull the Python HTTP server Docker image.

Execute the following command to run the Docker image on port 5555.

Now open the server IP over port 5555 and start downloading the file 😊.

John the Ripper

Without a password cracking tool, the penetration testing framework would not be considered an ideal pentest system, so by executing the following command I pull the John the Ripper Docker image.

Now, if you have a hash file on your machine, run the following to use the John the Ripper Docker image to crack the passwords in that hash file.

Metasploit

Metasploit is the most relevant and widely used tool for penetration testing. Manual installation of Metasploit often poses problems for a pentester. Run the following command to pull the Metasploit Docker image to your local machine.

To run the Metasploit Docker image, execute the given command and proceed using the Metasploit console.

It functions exactly the same as on Kali Linux, as you can see from the picture below.

PowerShell Empire

Last but not least among the penetration testing tools is PowerShell Empire, whose Docker image we’re going to install; to do this, just run the command below to pull the Docker image from Docker Hub.

To run the Empire Docker image and access its console, execute the given command and continue the way you normally use it.

It functions exactly the same as on Kali Linux, as you can see from the picture below.

Impacket Toolkit

The most important tool for our red teamers is Impacket, and how could we neglect this tool in a pentest framework? Therefore, just execute the following without wasting time to pull the Impacket Docker image.

As you know, there are many Python scripts within Impacket, and here we use the Docker image to illustrate one of them.

Author: Chiragh Arora is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast. Contact here

Penetration Testing on VoIP Asterisk Server (Part 2)

In the previous article we learned about enumeration, information gathering and call spoofing, and we introduced the Asterisk server briefly. This time we will focus more on the Asterisk Manager Interface and some of the commands that can be run on the Asterisk server, and we will also look at the AMI brute force attack.

Table of Content

  • Introduction to AMI
  • AMI Setup
  • AMI Bruteforce Attack
  • AMI Login
  • AMI Help
  • Enumerating SIP Users
  • Enumerating Specific User
  • Enable Debugging
  • Enumerating Dial Plan
  • Enumerating Core Settings
  • Enumerating CDR (Call Detail Records)
  • Enumerate Live Calls

Introduction to AMI

AMI stands for Asterisk Manager Interface; it allows a client program to connect to the Asterisk server and issue commands or read events over a TCP port. By default, AMI listens on port 5038.

With the Manager interface, we can control the PBX server, originate calls, check mailbox status, monitor channels, SIP accounts and queues, and execute Asterisk commands. We configure AMI settings by editing the config file located at /etc/asterisk/manager.conf. By default AMI is disabled; it can be enabled by making changes in manager.conf. AMI commands are called “actions”. The VoIP server generates a “response”. AMI will also send “events” containing various informational messages about changes within Asterisk.

While configuring AMI, we can change the manager headers and response ID too. The manager can subscribe to extension status reports from all channels, which enables it to generate events when an extension or device changes state. The details in these events depend on the channel and device configuration; see the channel or trunk configuration files (/etc/asterisk/sip_custom.conf or /etc/asterisk/extensions_custom.conf) for more information.

Note: Before using AMI, make sure all the Asterisk modules are loaded. If modules are not loaded, the application might not be able to send AMI actions.

AMI Setup

The AMI setup requires the configuration changes we discussed in the introduction. To make them, we log in to the VoIP server over SSH.

Make the following changes in the file.

After saving the configuration, restart the VoIP server so that the change takes effect.

Now let’s see whether port 5038 is open. We perform an Nmap scan to confirm the AMI port is listening.

As we can see, AMI is running on port 5038.

AMI Bruteforce Attack

For the brute force, we create a dictionary of possible usernames and passwords. We are going to use the asterisk_login auxiliary module for this attack.

Here, we can see that we have extracted the AMI login username and password. Most Asterisk-based VoIP servers ship with the default username “admin” and password “amp111”.

AMI Login

Now let’s try logging in to the Asterisk server using the credentials. We can use telnet to connect to the AMI. After connecting, we need to tell the AMI what kind of action we want to perform; in this instance, we are trying to log in. So, after providing the action, we give the credentials and get access. Here we can see that we have system privileges.

AMI Help

Since we don’t know much about the commands that can be used to work with Asterisk, we ran the help command to get a better understanding of all the different tasks that can be performed using the AMI.

Enumerating SIP Users

Let’s enumerate the SIP users’ data, which can include the extensions, usernames and their respective secrets. For this, we need to specify the action; we use “command” as the action. After specifying it, we run the command that shows us the SIP users’ data.

Here, we found the 4 SIP user IDs and passwords.
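The action/response framing behind the telnet login and the SIP user listing above, as an added Python example that is not part of the original post: encode_action builds a Login or Command action, and parse_packets splits the server’s reply stream into packets, collecting command output whether it arrives as free text ending in --END COMMAND-- (older Asterisk) or as one Output: header per line (newer Asterisk). The server bytes in SAMPLE_STREAM are constructed, including the user and secret they show.

```python
import re

CRLF = "\r\n"
HEADER = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): (.*)$")

def encode_action(action, **fields):
    """Frame one AMI action: 'Key: value' lines terminated by an empty line."""
    lines = [f"Action: {action}"] + [f"{k}: {v}" for k, v in fields.items()]
    return (CRLF.join(lines) + CRLF + CRLF).encode()

def parse_packets(data):
    """Split server bytes into packet dicts. The greeting line has no colon and is
    kept as {'banner': ...}. Command output is gathered under 'output': either the
    free-text block before '--END COMMAND--' (older Asterisk, 'Response: Follows')
    or one 'Output:' header per line (newer Asterisk)."""
    packets, cur, output = [], {}, []
    for line in data.decode(errors="replace").split(CRLF):
        if line.startswith("Asterisk Call Manager/"):
            packets.append({"banner": line})
            continue
        if line == "":                      # empty line closes the current packet
            if cur:
                if output:
                    cur["output"] = output
                packets.append(cur)
            cur, output = {}, []
            continue
        if line == "--END COMMAND--":
            continue
        m = HEADER.match(line)
        if m and m.group(1) == "Output":
            output.append(m.group(2))
        elif m and not output:              # headers come before any free-text output
            cur[m.group(1)] = m.group(2)
        else:
            output.append(line)
    return packets

# Constructed bytes standing in for what the server sends back after a
# Login action followed by a 'Command: sip show users' action.
SAMPLE_STREAM = (
    b"Asterisk Call Manager/1.1\r\n"
    b"Response: Success\r\nMessage: Authentication accepted\r\n\r\n"
    b"Response: Follows\r\nPrivilege: Command\r\n"
    b"Username                  Secret           Accountcode      Def.Context      ACL  Forcerport\r\n"
    b"1001                      s3cret-1001                       from-internal    No   Yes\r\n"
    b"--END COMMAND--\r\n\r\n"
)
```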

Enumerating Specific User

We found 4 users in the previous step. Now let’s enumerate information about one particular user. The action remains the same, but we pass the username to target a specific user.

Here we can see the specific SIP peer details. We would be able to get the MD5 password if one was set for that user. We can also see the permissions this user has, as well as the caller ID of this user.

We can also find the mailbox details and the server IP details. Here, IP means the IP network from which registration is allowed for that user. We can see what kind of device the user uses as well.

Enable Debugging

Debugging can be used to monitor the hardware configuration and find faults, as well as to observe the configuration, call handling information, code and modules.

Here we can see SIP debugging enabled. If we do not turn debugging off, it keeps running until we stop it.

Enumerating Dial Plan

On Asterisk-based VoIP servers the common dial plan context is from-internal; it shows the call routing information.

As we can see here, two types of dial plan are available by default: one is from-internal-xfer and the other is bad-number.

Enumerating Core Settings

It shows all the Asterisk default information: Asterisk version, build options, verbosity, start time, free memory, load, AMI information, default language, call recording feature, and so on.

Enumerating CDR (Call Detail Records)

CDR is the most useful service in Asterisk. CDR is the system that provides one or more call records for each call, depending on the version of Asterisk. It is useful for administrators who need a simple way to track what calls have taken place on the Asterisk system.

Here we can see that CDR logging is enabled, the database server is running, and the CDR backend is registered to MySQL. We can enumerate the CDR database details using the following command.

The amount of time the user is connected to the database and the logs entered in the database can be observed in the screenshot below.

Enumerate Live Calls

We can also enumerate the active calls and the processed call list, which tells us about the different calls currently in session.

If you want to know more commands that can be used to enumerate AMI, please refer to the official Asterisk wiki.

Author: Madhava Rao Yejarla is an Ethical Hacker, Security Analyst, Penetration Tester from India. Contact on LinkedIn or Twitter