Metasploitable 3 Windows Walkthrough: Part VI

Exploiting Port 1617 - JMX

Java Management Extensions (JMX) is a Java technology that supplies tools for managing and monitoring applications, system objects, devices (such as printers) and service-oriented networks. Those resources are represented by objects called MBeans (for Managed Bean).

Scan the target to check the existence of the service:

Checking the JMX service with Metasploit

Exploit:

Exploiting the JMX service with Metasploit

Exploiting Port 3306 – MySQL

The first step should be the discovery of at least one valid set of credentials.

Brute forcing MySQL is in its essence the same as brute forcing any other application, so similar tools and techniques can be used.

Brute forcing MySQL using Nmap

The best option might be to start using some of Nmap’s scripts because they are very fast and can give you instant results even without brute forcing.

Getting MySQL credentials with Nmap

Unfortunately, the mysql-brute module is not working properly:

Getting MySQL credentials with Nmap

Brute forcing MySQL using Hydra

Use some simple wordlists with common users and passwords:

Brute forcing MySQL with Hydra

Brute forcing MySQL using Metasploit

Use the proper auxiliary module. Try using a list of probable users and the rockyou list for passwords:

Brute forcing MySQL with Metasploit

This will take a long time and the result is the same as before: the root account has a blank password. Therefore, you can connect to the database using Kali's mysql client, specifying the username and the host IP.

Accessing the MySQL root account

Once you have root access to the database, you can do anything you want.

Several tools can be used to extract information from the target via the MySQL service.

Enumerating MySQL using Nmap

Nmap can also retrieve information from the MySQL database:

Nmap MySQL scripts

Unfortunately, only a few scripts are working properly.

Enumerating MySQL with Nmap

Others used to work but are now broken:

Enumerating MySQL with Nmap

Enumerating MySQL using Metasploit

This module will enumerate all MySQL accounts on the system and their various privileges.

Enumerating MySQL with Metasploit

You can also dump the password hashes. However, in this case there are no hashes to display because the root user has a blank password.

Enumerating MySQL with Metasploit
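The blank root password and the remote root login found above are exactly what a defender should audit for. The script below is added here and is not part of the original walkthrough: it parses the tab-separated output of a mysql --batch query against the mysql.user table (constructed sample rows; column names assume MySQL 5.7+, where 5.5 calls the hash column password) and reports blank passwords, anonymous accounts and root reachable from remote hosts, each with the matching remediation statement.

```python
# Audit MySQL account rows for the weaknesses this walkthrough exploits.
# Input is the tab-separated output of (column names assume MySQL 5.7+):
#   mysql --batch -e "SELECT user, host, authentication_string, plugin FROM mysql.user"

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Plugins for which an empty authentication_string really means "no password".
PASSWORD_PLUGINS = {"mysql_native_password", "caching_sha2_password", "sha256_password"}

# Constructed sample output; the hash is a placeholder, not a real credential.
SAMPLE_BATCH_OUTPUT = """user\thost\tauthentication_string\tplugin
root\t%\t\tmysql_native_password
root\tlocalhost\t\tmysql_native_password
\tlocalhost\t\tmysql_native_password
wordpress\tlocalhost\t*ABCDEF0123456789ABCDEF0123456789ABCDEF01\tmysql_native_password
sysadmin\t10.0.0.%\t\tauth_socket
"""


def parse_batch_output(text):
    """Turn `mysql --batch` output into a list of dicts keyed by column name."""
    lines = [ln for ln in text.splitlines() if ln != ""]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def audit_accounts(rows):
    """Return (user, host, issue, remediation SQL) tuples for risky accounts."""
    findings = []
    for r in rows:
        user, host, auth, plugin = r["user"], r["host"], r["authentication_string"], r["plugin"]
        acct = f"'{user}'@'{host}'"
        if user == "":
            # Anonymous accounts let anyone log in without a username.
            findings.append((user, host, "anonymous account", f"DROP USER {acct};"))
            continue
        if plugin in PASSWORD_PLUGINS and auth == "":
            # Blank password: what the brute force above found for root.
            # auth_socket accounts legitimately have an empty string here, so they are skipped.
            findings.append((user, host, "blank password",
                             f"ALTER USER {acct} IDENTIFIED BY '<new strong password>';"))
        if user == "root" and host not in LOCAL_HOSTS:
            # root should never be reachable over the network.
            findings.append((user, host, "root login allowed from remote hosts",
                             f"DROP USER {acct};"))
    return findings


if __name__ == "__main__":
    for user, host, issue, fix in audit_accounts(parse_batch_output(SAMPLE_BATCH_OUTPUT)):
        print(f"'{user}'@'{host}': {issue} -> {fix}")
```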

You can also retrieve the full content of the database:

Dumping MySQL database with Metasploit

Dumping the database using mysql

Use the show databases SQL command to list the available databases.

Dumping MySQL database with mysql

Use the use databasename SQL command to select a particular database.

Dumping MySQL database with mysql

Once you've selected a particular database, you can start to explore it.

Dumping MySQL database with mysql

Select a different database and explore it:

Dumping MySQL database with mysql

You can use the describe command to list the fields in each SQL table, together with their data types.

Dumping MySQL database with mysql

Once you have seen the fields inside the table, you can see the content of specific fields:

Dumping MySQL database with mysql

Dumping the database using mysqlshow

You can also use mysqlshow to list the contents of the database. Use the --host option to connect to a remote database.

Dumping MySQL database with mysqlshow

Dumping the database using mysqldump

Like the mysqlshow command, the mysqldump command accepts the --host argument. To dump a table, run the command like this:

# mysqldump --host=10.0.0.27 [database] [tablename]

This produces an SQL script that recreates the entire database from scratch. Be careful: run mysqlshow --count first, so you don't dump out a 500 GB database.

Dumping MySQL database with mysqldump

From this, you can see some interesting things… Usernames and password hashes! You can use Hash-Identifier to identify the hash.

Identifying hashes

Looks like it is an MD5 hash. My advice: pay attention to the gathered info but don't waste time trying to crack this.

Exploiting

Just as an example, try to extract the hashes from the database:

Dumping and cracking MySQL user hashes

List the contents of the wp_users table and then select the two most relevant fields:

Dumping and cracking MySQL user hashes

Copy the hashes to a text file and adjust the format:

user:hash

Dumping and cracking MySQL user hashes

Then crack the hashes:

Dumping and cracking MySQL user hashes