Run the VCR LAB consisting of:
Attacker: Kali Linux; Target: Metasploitable 2 or Metasploitable 3
Advanced: write a Bash shell script to enumerate the accounts on Metasploitable 2 and save them to a text file named user.txt (or type the list by hand).
— Use CeWL to generate a password file (password profiling from the Metasploitable 2 home page) or use the rockyou.txt dictionary; password files can also be downloaded from sources on GitHub.
In this article, we will learn to gain control over a victim's system through the MySQL service that runs on port 3306. There are multiple ways to do it, and we will go through each of them, because different circumstances call for different measures.
Medusa is a speedy, parallel, and modular brute-force login tool. Its goal is to support as many services that allow remote authentication as possible. The key features of this tool are thread-based parallel testing, flexible user input, modular design, and support for multiple protocols. We are going to run the following command to crack the login.
Run the following command
medusa -h 192.168.1.106 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M mysql
Where -h sets the target IP address, -U the path to the username list, -P the path to the password list, and -M the module to run (here mysql).
Ncrack is a network authentication cracking tool that helps the pentester find out how vulnerable the credentials protecting network access are. It is part of the Kali Linux arsenal and comes pre-installed. It also has the unusual ability to attack multiple targets at once. Run the following command to attack the MySQL service on port 3306 with Ncrack.
ncrack -U /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.106 -p 3306
Where -U assigns the username list, -P the password list, and -p the service port on the target.
xHydra is the GUI version of Hydra; it can be used for both offline and online password cracking and offers all the features and benefits of Hydra in graphical form. Let's start the attack by opening the tool.
After opening the tool, the Target tab asks for the target, the service port number, the protocol (service name), and any output options we want for the attack.
Once the Target tab is filled in, we switch to the Passwords tab, where we enter or browse for the username and password lists for the brute-force attack. The tab offers some extra options such as Try login as password, Try empty password, and Try reversed login.
With the details complete, we switch to the Start tab to launch the attack on the victim's server. As we can see, the attack cracks the credentials.
Hydra is a parallelized login cracker that supports numerous protocols. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely. We use it as follows to crack the login.
hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.106 mysql
Where -L supplies the username list and -P the password list for the attack.
Metasploit is a collaboration between the open-source community and Rapid7. It helps security teams do more than just verify vulnerabilities: it manages security assessments and improves security awareness.
The mysql_login module simply queries the MySQL instance for a specific username and password (the default is root with a blank password).
msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > set rhosts 192.168.1.106
msf auxiliary(mysql_login) > set user_file /root/Desktop/user.txt
msf auxiliary(mysql_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(mysql_login) > set stop_on_success true
msf auxiliary(mysql_login) > run
This starts the brute-force attack and tries every combination from user.txt and pass.txt until it finds a valid username and password.
From the given image, you can observe that our MySQL server is not secure against brute-force attacks, because it reports a matching login combination of username root and password toor.
Once an attacker retrieves valid credentials, they can log in directly to the MySQL server to steal or destroy the database information.
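The wordlist attacks above, whichever tool runs them, leave a burst of failed logins in the MySQL error log. As an added example that is not part of the original article, this Python script scans constructed sample error-log lines (the MySQL 5.7/8.0 "Access denied" line format is assumed, and the server must be configured to log failed logins) and flags any source host that reaches a threshold of failures inside a sliding time window, together with the usernames it tried.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "Access denied" line as MySQL 5.7/8.0 write it to the error log (assumed format).
ACCESS_DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*.*?"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'"
)

def parse_failures(lines):
    """Yield (timestamp, user, host) for every failed-login line; other lines are skipped."""
    for line in lines:
        m = ACCESS_DENIED.search(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["user"], m["host"]

def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Map each host reaching `threshold` failures inside a sliding window to (peak count, usernames tried)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    users = defaultdict(set)      # host -> usernames attempted
    flagged = {}
    for ts, user, host in parse_failures(lines):
        q = recent[host]
        q.append(ts)
        users[host].add(user)
        while q and ts - q[0] > window:   # expire attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            peak = max(len(q), flagged.get(host, (0,))[0])
            flagged[host] = (peak, sorted(users[host]))
    return flagged

# Constructed sample: one wordlist attack (several connections per second) plus two stray typos.
SAMPLE_LOG = """\
2023-05-01T10:00:01.000001Z 12 [Note] Access denied for user 'root'@'192.168.1.107' (using password: YES)
2023-05-01T10:00:01.000452Z 13 [Note] Access denied for user 'root'@'192.168.1.107' (using password: YES)
2023-05-01T10:00:02.100000Z 14 [Note] Access denied for user 'msfadmin'@'192.168.1.107' (using password: YES)
2023-05-01T10:00:02.300000Z 15 [Note] Access denied for user 'admin'@'192.168.1.107' (using password: NO)
2023-05-01T10:00:03.000000Z 16 [Warning] [MY-010926] [Server] Access denied for user 'root'@'192.168.1.107' (using password: YES)
2023-05-01T10:00:03.500000Z 17 [Note] Access denied for user 'root'@'192.168.1.107' (using password: YES)
2023-05-01T10:05:00.000000Z 18 [Note] Access denied for user 'dba'@'10.0.0.5' (using password: YES)
2023-05-01T10:15:00.000000Z 19 [Note] Access denied for user 'dba'@'10.0.0.5' (using password: YES)
"""

if __name__ == "__main__":
    for host, (count, names) in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {count} failed logins within 60s, usernames tried: {names}")
```

Two attempts ten minutes apart from 10.0.0.5 stay below the default threshold, while the six attempts within three seconds from 192.168.1.107 are reported; a finding like this is the cue to rate-limit or firewall port 3306 and rotate the root password.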
Author: Shubham Sharma is a Pentester, Cybersecurity Researcher,