Exploiting Port 1617 - JMX
Java Management Extensions (JMX) is a Java technology that supplies tools for managing and monitoring applications, system objects, devices (such as printers) and service-oriented networks. Those resources are represented by objects called MBeans (for Managed Bean).
Scan the target to check the existence of the service:
Exploit:
Exploiting Port 3306 – MySQL
The first step should to be the discovery of at least one valid set of credentials.
Brute forcing MySQL is in its essence the same as brute forcing any other applications and therefore similar tools and techniques can be used.
Brute forcing MySQL using Nmap
The best option might be to start using some of Nmap’s scripts because they are very fast and can give you instant results even without brute forcing.
Unfortunately, the mysql-brute module is not working properly:
Brute forcing MySQL using Hydra
Use some simple wordlists with common users and passwords:
Brute forcing MySQL using Metasploit
Use the proper auxiliary module. Try using a list of probable users and the rockyou list for passwords:
This will take a long time and the result is the same as before; the root account has a blank password. Therefore, you can connect to the database using the Kali’s MySQL command and defining the username and host IP.
Once you have root access to the database, you can do anything you want.
Several tools can be used to extract information from the target via the MySQL service
Enumerating MySQL using Nmap
Nmap can also retrieve information from the MySQL database:
Unfortunately, only a few scripts are working properly.
Others used to work but are now broken:
Enumerating MySQL using Metasploit
This module will enumerate all MySQL accounts on the system and their various privileges.
You can also dump the password hashes. However, in this case there are no hashes to display because the root user has a blank password.
You can also retrieve the full content of the database:
Dumping the database using mysql
Use the show databases SQL command to show the available databases.
Use the use databasename SQL command to use a particular database.
Once you've selected a particular database, you can start to explore it.
Select a different database and explore it
You can use the describe command to describe the fields in each SQL table, as well as data types.
Once you have seen the fields inside the table, you can see the content of specific fields:
Dumping the database using mysqlshow
You can also use mysqlshow to easily show the contents of the database. Use the host option to use a remote database.
Dumping the database using mysqldump
Like the mysqlshow command, the mysqldump command accepts the host argument. To dump a table, run the command like this:
# mysqldump --host=10.0.0.27 [database] [tablename]
This will result in an SQL script that will recreate the entire database from scratch. Be careful and make sure you use mysqlshow –count before, to avoid dumping out a 500 GB database.
From this, you can see some interesting things… Usernames and password hashes! You can use Hash-Identifier to identify the hash.
Looks like it is an MD5 hash. My advice; pay attention to the gathered info but don’t waste time trying to crack this.
Exploiting
Just as an example, try to extract the hashes from the database:
List the contents of the wp_users table and then select the two most relevant fields:
Copy the hashes to a text file and adjust the format:
user:hash
Then crack the hashes:
No comments:
Post a Comment