Penetration Testing on MYSQL (Port 3306)

Hello friends!! Today we are discussing internal penetration testing on MYSQL server. In our previous article we had already discussed how to configure of mysql in ubuntu which you can read from here, now moving towards for its penetration testing.

Attacker: kali Linux

Target: ubuntu 14.04.1 (mysql server), IP: 192.168.1.216

Lets start !!

Scanning MYSQL

Scanning plays an important role in penetration testing because through scanning attacker make sure which services and open ports are available for enumeration and attack.

Here we are using nmap for scanning port 3306. 

If service is activated in targeted server then nmap show open STATE for port 3306.

Enumerating MYSQL Banner

An attacker always perform enumeration for finding important information such as software version which known as Banner Grabbing and then identify it state of vulnerability against any exploit.

Open the terminal in your kali Linux and Load metasploit framework; now type following command to scan for MYSQL version.

From given image you can read the highlighted text which is showing MYSQL 5.5.57 is the installed version of MYSQL with protocol 10 on ubuntu 14.04.1 operating system.

MYSQL Brute Force Attack

An attacker always tries to make brute force attack for stealing credential for unauthorized access.

This module simply queries the MySQL instance for a specific user/pass (default is root with blank).

This will start brute force attack and try to match the combination for valid username and password using user.txt and pass.txt file.

From given image you can observe that our mysql server is not secure against brute force attack because it is showing matching combination of username: root and password: toor for login.

Once the attacker retrieves the valid credential he can directly login into mysql server for stealing or destroying the database information.

Stealing MYSQL information 

This module allows for simple SQL statements to be executed against a MySQL instance given the appropriate credentials.

From given image you can observe that it has executed the sql query for dumping the name of databases.

Extracting MYSQL Schema Information

This module extracts the schema information from a MySQL DB server.

here it has dump the information schema for database “ignite” with table name “student” , 5 columns name with column types:

DB: ignite

Table name: student

Last Name

(varchar 30)

First Name

(varchar 30)

Student ID

(int 11)

Major

(varchar 20)

Dorm

(varchar 20)

Check File Privileges

Open my.cnf file to verify file privileges using following command:

gedit /etc/mysql/my.cnf

Here you can see given below statements are uncommented

  • Mysqld_safe
  • Mysqld
  • Secure_file _priv

If these statements are uncommented then it becomes very easy for attacker to perform file enumeration.

Mysql File Eumeration

This module will enumerate files and directories using the MySQL load_file feature.

Here it will start identifying whether the given files list is exist in the target system or not.

From given image you can observe that it has found /etc, /var, /var/www such directory exists.

Enumerate MYSQL writeable directories

Enumerate writeable directories using the MySQL SELECT INTO DUMPFILE feature, for more information see the URL in the references. ***Note: For every writable directory found, a file with the specified FILE_NAME containing the text test will be written to the directory. ***

Here we had assign a list of files so that we can identify the writable directory and from given image you can observe that it has found writable permission only for /tmp.

Mysql User Enumeration

This module allows for simple enumeration of MySQL Database Server provided proper credentials to connect remotely.

It will start retrieving information such as list of other user account and user privileges on mysql server.

From given image it will be clear to you, that it has shown list of account with hash password and list of user who have GRANT privileges.

As you can see other than user root it has some more user such as sr with hash password, here you can crack this password using password cracker tool.

Extract MYSQL Username with Hash Password

This module extracts the usernames and encrypted password hashes from a MySQL server and stores them for later cracking.

Now from screenshot you can see the hash value of password is given for all users. Metasploit store these hash value inside /tmp folder and later use john the ripper for cracking password.

Crack Hash Password with John the Ripper

This module uses John the Ripper to identify weak passwords that have been acquired from the mysql_hashdump module. Passwords that have been successfully cracked are then saved as proper credentials

By default it will use metasploit wordlist where hash value has been saved and start cracking hash value.

If you notice the given below image you can perceive that it has successfully crack the double SHA-1 hashing and decrypt the password into plain text.

Now using above retrieved credential you can try to login into mysql server.

Here you can see we had successfully login into server. Hence attacker can easily breach the security of server and steal the important information or modify it.

Secure MYSQL through port forwarding

In order to secure mysql server admin can forward port from default to specific port to run the service. Open my.conf file using following command for making changes:

Now change port 3306 into any other port such as 3000 as shown in given image and save the changes and restart the service.

Verify it using nmap command as given below:

Prevent Mysql against brute force attack

In order to secure mysql server admin can bind the service to its localhost. Open my.conf file using following command for making changes:

Only you need to enable bind-address by making it uncomment  as shown in given images.

Now let’s verify it by making brute force attack same as above using dictionary.

Great!! Attacker is not able to connect the server which resists brute force attack also as shown in given image.

Admin should GRANT all privilege to a specific user only with specific IP address which prevents database information alteration from attackers.

Now for granting all privileges; login into mysql server and type following query:

To tell the server to reload the grant tables, perform a flush-privileges operation

Author: Sanjeet Kumar is a Information Security Analyst | Pentester | Researcher  Contact Here

3 Comments Penetration Testing on MYSQL (Port 3306)

  1. Andriel

    Hi, Raj.

    I can’t leave my password blank.
    I pressed ENTER, and no response.
    Can you help me, please?
    Thank you.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *