The only thing we have to do is set the remote IP address and execute the module with the run command.
Now we can use the mysql_login module in combination with our wordlists in order to discover at least one valid database account that will allow us to log in to the MySQL database. It is always good practice for penetration testers to check the database for weak credentials.
The scanner was successful and, as we can see from the results, we have two valid accounts (guest and root) for remote connection. Neither of these accounts has a password set.
Before we use these accounts to connect and interact directly with the database, we can use two more Metasploit modules that help us enumerate the database accounts and dump the usernames and password hashes from the MySQL server. Of course this can be done manually, but Metasploit helps us automate the process. So first we configure the mysql_enum module to gather information about the database accounts:
We can see a sample of the output in the following image:
Next it is time to configure and run the mysql_hashdump module to dump the password hashes of all the database accounts:
Now we can use any MySQL client to connect to the database. Backtrack already ships with a client, so we can use the command mysql -h <IP> -u <username> -p (the -p flag on its own makes the client prompt for the password). In our case the IP of the target is 172.16.212.133 and we will use as username the root account discovered by the mysql_login module before. We will be prompted for a password, but we leave it blank because the password of the root account is blank.
Now that we are connected to the database we can use the command show databases; to list the databases stored on the MySQL server.
The next step is to choose one database and list the tables it contains so that we can start extracting data. We can do that with the command use <dbname> followed by the command show tables;
We can see that there is a table named user. We want to extract the data from that table, since it contains the usernames and passwords of the system. We can achieve that with the command select User, Password from user;
As we can see there are 3 accounts with blank passwords, so now we have all the accounts of the MySQL database. We can discover additional tables in other databases with the command show tables from <dbname>;
The interesting table here is credit_cards, so we want to see the contents of this table. We switch database with the command use <dbname> and then execute the command select * from credit_cards;
Now we have all the credit card details of the users, as well as all the accounts and passwords from the database.
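Spotting the mysql_login wordlist run described above from the server side is the defender's counterpart of this walkthrough. The Python below is an added example, not code from the article or from Metasploit: it parses constructed MySQL error-log lines (5.7-style "Access denied for user" entries) and flags any source host that fails authentication five or more times within one minute; the threshold, the log layout and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# MySQL reports a failed authentication in its error log as
#   Access denied for user 'u'@'h' (using password: YES|NO)
# The timestamp / thread-id / [level] prefix below follows the 5.7-style layout (assumed).
DENIED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s+\d+\s+\[\w+\]\s+"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)' "
    r"\(using password: (?P<pw>YES|NO)\)")

def parse_denials(lines):
    """Yield (timestamp, user, source_host, password_supplied) for each denial line."""
    for line in lines:
        m = DENIED_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                   m["user"], m["host"], m["pw"] == "YES")

def find_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Flag a source host once it has >= threshold denials inside one window.
    Returns {host: (max denials seen in a window, sorted distinct usernames tried)}."""
    by_host = defaultdict(list)
    for ts, user, host, _ in events:
        by_host[host].append((ts, user))
    flagged = {}
    for host, evs in by_host.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):          # sliding window over time-ordered denials
            while evs[end][0] - evs[start][0] > window:
                start += 1
            n = end - start + 1
            if n >= threshold and n > flagged.get(host, (0,))[0]:
                flagged[host] = (n, sorted({u for _, u in evs[start:end + 1]}))
    return flagged

# Constructed sample: a wordlist run from one host plus a single unrelated failure.
SAMPLE_LOG = """\
2024-05-01T10:00:01.000000Z 12 [Note] Access denied for user 'root'@'172.16.212.130' (using password: NO)
2024-05-01T10:00:02.000000Z 13 [Note] Access denied for user 'root'@'172.16.212.130' (using password: YES)
2024-05-01T10:00:02.000000Z 14 [Note] Access denied for user 'admin'@'172.16.212.130' (using password: YES)
2024-05-01T10:00:03.000000Z 15 [Note] Access denied for user 'guest'@'172.16.212.130' (using password: YES)
2024-05-01T10:00:04.000000Z 16 [Note] Access denied for user 'mysql'@'172.16.212.130' (using password: YES)
2024-05-01T10:03:00.000000Z 17 [Note] Access denied for user 'app'@'10.1.2.3' (using password: YES)
""".splitlines()
```

Running find_bursts(parse_denials(SAMPLE_LOG)) returns {'172.16.212.130': (5, ['admin', 'guest', 'mysql', 'root'])}; the lone failure from 10.1.2.3 is not flagged.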
Conclusion
In this article we saw how we can gain access to a MySQL database by taking advantage of weak credentials. Weak credentials and forgotten default database accounts are among the most common security problems in large organizations, where admins who have to manage a variety of systems find it difficult to change and control the accounts regularly. When assessing a database system, every penetration tester must first check whether the remote target has default or weak accounts. This is the easiest way of getting access, and in complex and big environments there is always a good chance that this technique will succeed.