Three-day workshop offers unique opportunity for security startups Jerusalem...
How to use Sqlploit
Databases nowdays are everywhere, from the smallest desktop applications to the largest web sites such as Facebook. Critical business information are stored in database servers that are often poorly secured.
Someone an to this information could have control over a company’s or an organization’s infrastructure. He could even sell this information to a company’s competitors. Imagine the damage that something like this could cause. In this article, we will see how we can use Metasploit to attack our database servers.
Metasploit is a very powerful tool. Actually, is not just a tool, it is a collection of tools. It is a whole framework. It has gained incredible popularity in the last few years because of its success in the fields of penetration testing and information security. It includes various tools, from various scanners to exploits. It can be used to discover software vulnerabilities and exploit them. With database servers having so many security weaknesses, Metasploit has numerous auxiliary modules and exploits to assist you with your database server penetration testing. Metasploit is available for all popular operating systems so what operating system you are already using might not be a problem. In this article we are going to use Metasploit’s auxiliary modules and exploits to complete various penetration testing tasks against popular database servers, such as Microsoft SQL Server and MySQL. I hope you enjoy it!
Attacking a MySQL Database Server
MySQL is the world’s most used open source relational database management system. Its source code is available under the terms of the GNU General Public License and other proprietary license agreements. MySQL is the first database choice when it comes to open source applications creation. MySQL is a very secure database system, but as with any software that is publicly accessible, you can’t take anything for granted.
Figure 1. Discovering MySQL servers – The nmap wa
Discover open MySQL ports
MySQL is running by default on port 3306. To discover MySQL you can do it either with nmap or with Metasploit’s auxiliary modules.
The NMAP way
Nmap is a free and open source network discovery and security auditing utility. It can discover open ports, running services, operating system version and much more. To discover open MySQL ports we use it in this way:
nmap -sT -sV -Pn -p 3306 192.168.200.133
-sT: TCP connect scan
-sV: Determine Service version information
-Pn: Ignore Host discovery
-p 3306: Scan port 3306
Scanning the whole network:
nmap -sT -sV -Pn -–open -p 3306 192.168.200.0/24
–open: Show only open ports (Figure 2)
Figure 2. Discovering MySQL servers – The nmap way
The Metasploit way
Metasploit offers auxiliary module
mysql_version. This module enumerates the version of running MySQL servers. To use it type:
To use this scanner you have to set its options. Type:
To see a list of available options (Figure 3).
Figure 3. mysql_version auxiliary module options
Set the RHOSTS parameter:
set RHOSTS 192.168.200.133
set RHOSTS 192.168.200.0/24
Set the RPORT parameter to a different value if you believe that the MySQL Server is listening on a different port:
Set RPORT 3333
Increase THREADS value for a faster scanning (Figure 4):
Figure 4. mysql_version options after setting them up
set THREADS 50
Now, all you have to type is:
and hit enter (Figure 5).
Figure 5. mysql_version scanner in action
As you can see from the screenshot we have a MySQL version 5.0.51a running at 192.168.200.133!
Brute forcing MySQL
There is an auxiliary module in Metasploit called
mysql_login which will happily query a mysql server for specific usernames and passwords. The options for this module are: Figure 6.
Figure 6. mysql_login module options
To start your attack you have to set the RHOSTS option and choose a username and a password.
SET RHOSTS 192.168.200.133
SET USERNAME root
Leave the password blank. Your options, after executing the commands above, should seem like Figure 6.
mysql_login will try to login with blank password and with the username as the password. Maybe we are lucky before we start brute-forcing database with passwords lists (Figure 7).
Figure 7. Starting brute-forcing database with passwords lists
We were lucky! The administrator is completely ignorant. But what if we weren’t so lucky? We then need a password list file. We can create one by ourselves or download one from the Internet. Let’s create one!
Creating a password list
To create our password list we are going to use crunch. If you are using BackTrack, crunch is already installed. Open Privilege Escalation > Password Attacks > Offline Attacks > crunch. Otherwise download it from here http://sourceforge.net/projects/crunch-wordlist/.
./crunch 6 8 abcde123456 -o passfile.lst
The above command will create passwords between 6 and 8 characters long, consisting of ascii characters a,b,c,d,e and numbers 1,2,3,4,5,6 and will save the list into file passfile.lst (Figure 8).
Figure 8. Generating a password list with crunch
Using password lists
Now that we have our password list stored in
/pentest/passwords/crunch/passfile.lst, we can use it in
Set PASS_FILE /pentest/passwords/crunch/passfile.lst
Increase also the number of concurrent threads for a faster brute-force attack.
SET THREADS 50
mysql_login (Figure 9) module offers 2 other options,
USERPASS_FILE. You can use a username file list to try various username values by setting the
USER_FILE option accordingly. With
USERPASS_FILE parameter you can use a file which contains both usernames and passwords in the same file separated by space and one pair per line.
Figure 9. mysql brute-force attack using password list
Bypass MySQL Authentication
mysql_authbypass_hashdump exploits a password bypass vulnerability in MySQL and can extract usernames and encrypted passwords hashes from a MySQL server. To select it type:
Set RHOSTS and THREADS option:
set RHOSTS 192.168.200.133
set THREADS 50
and run the module. We can also set parameter username.
set username root
Unlucky! (Figure 10)
Figure 10. Running mysql_authbypass_hashdump module
Dump MySQL Password Hashes
mysql_hashdump extracts the usernames and encrypted password hashes from a MySQL server. One can then use
jtr_mysql_fast module to crack them. The module is located in
auxiliary/scanner/mysql. To use it set RHOSTS option to our target’s IP address and increase THREADS value. If you have managed to reveal root password then set also options USERNAME and PASSWORD. Run the module to get your precious results! (Figure 11)
Figure 11. mysql server hashes and usernames
Cracking passwords with John The Ripper
Metasploit offers module
jtr_mysql_fast.This module uses John the Ripper to identify weak passwords that have been acquired from the
mysql_hashdump module. John the Ripper is a free and Open Source software password cracker, available for many operating systems such as Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. After having acquired mysql hashes with
mysql_hashdump module, load
jtr_mysql_fast module and run it.
This module offers options such as setting a custom path for john the ripper. The option that interests you the most is the Wordlist option, which is a path to your desired password list (Figure 12).
Figure 12. jtr_mysql_fast module options
Getting the schema
A database schema describes in a formal language the structure of the database, the organization of the data, how the tables, their fields and their relationships between them must be defined and more. In general, database schema defines the way the database should be constructed. Metasploit has the module
mysql_schemadump to get MySQL schema.
mysql_schemadump is located under
auxiliary/scanner/mysql. To use it you have to set RHOSTS, USERNAME and PASSWORD options. If you are scanning more than one hosts increase THREADS value!
Let’s go Phishing
Phishing is an attempt to steal sensitive information by impersonating a well known organization. In the same manner you can trick a user to steal her MySQL credentials. One of the abilities of Metasploit is this, mimic known services and capture user credentials. Among the various capture modules there is a module called mysql. This module provides a fake MySQL service that is designed to capture MySQL server authentication credentials. It captures challenge and response pairs that can be supplied to Cain or John the Ripper for cracking.
To select the capture module type:
This module offers some interesting options. You can set CAINPWFILE option to store captured hashes in Cain&Abel format or JOHNPWFILE to store hashes in John The Ripper format. Leave SRVHOST option as it is, 0.0.0.0, to listen on the local host. You can also set the SRVVERSION option, which is the version of the mysql server that will be reported to clients in the greeting response. This option must agree with the true mysql server version on the network if you don’t want to being detected. You can also configure the module to use SSL! (Figure 13)
Figure 13. mysql capture module options
Run the module and connect to the capture mysql server from another computer on the network to see how it is working. To connect to a mysql server open a terminal and type:
mysql -h ip_address -u root -p
Enter any password, for now, in mysql’s prompt and see what is happening in Metasploit! (Figure 14)
Figure 14. mysql capture module in action
Metasploit has captured the hash and now this hash is stored in cain and john format in files
/tmp/cain. These are the files that I have chosen.
MySQL database system is a very secure piece of software. Metasploit doesn’t offer many MySQL exploits. Although some exploits exist.
YaSSL is a lightweight embedded SSL library. Metasploit offers 2 exploits for this library. The
mysql_yassl_getname and the
mysql_yassl_getname exploits a stack buffer overflow in the yaSSL 1.9.8 and earlier and
mysql_yassl_hello exploits a stack buffer overflow in the yaSSL 1.7.5 and earlier. To use any exploit you have to select it:
As you can figure, the last exploit is for windows systems. After selecting your desired exploit, you have to select the payload. Each exploit offers a variety of payloads. You have to choose the most suitable for your target. To see a list of available payloads for the exploit type (Figure 15):
Figure 15. Exploit’s and payload’s options
The most successful exploits usually are the
reverse_tcp payloads where the target machine connects back to you. Each payload offers some options. By typing
you will see exploit’s and payload’s options (Figure 16).
Figure 16. mysql_yassl_hello exploit payloads
Other MySQL Exploits
We should mention here two more exploits that are available for MySQL systems that run on Windows servers. The
mysql_payload and the
scrutinizer_upload_exec. The first exploit,
mysql_payload, creates and enables a custom UDF on the target. On default Microsoft Windows installations of MySQL 5.5.9 and earlier, directory write permissions are not enforced, and the MySQL service runs as LocalSystem. This module will leave a payload executable on the target system and the UDF DLL, and will define or redefine
sys_exec() functions. The
scrutinizer_upload_exec module exploits an insecure config found in Scrutinizer NetFlow & sFlow Analyzer, a network traffic monitoring and analysis tool. By default, the software installs a default password in MySQL, and binds the service to “0.0.0.0”. This allows any remote user to login to MySQL, and then gain arbitrary remote code execution under the context of ‘SYSTEM’.
We are in!
And now what? Metasploit offers two modules that will assist you to enumerate a MySQL service or execute sql queries. All you need is a valid user-password pair.
mysql_enum allows for simple enumeration of MySQL Database Server and
mysql_sql allows for simple SQL statements to be executed against a MySQL instance. To select them, type:
and execute the command
to get a list of available options (Figure 17).
Figure 17. mysql_enum module option
mysql_sql execute (Figure 18):
Figure 18. mysql_sql module options
Attacking a Microsoft SQL Server
Microsoft SQL Server (MSSQL) is a relational database management system (RDBMS) used to store, retrieve and manage information. As with many Microsoft’s products, SQL Server has many security weaknesses. Let’s start by identifying running SQL servers on the network.
Discover open MSSQL ports
MSSQL is running by default on port 1433. To discover SQL Server you can use either nmap or Metasploit’s auxiliary module.
The NMAP way
To discover open MSSQL ports we execute the following command:
nmap -sT -sV -Pn -p 1433 192.168.200.133
Usually administrators, when they need more than one instances of SQL server they run the second instance at port 1434.
nmap -sT -sV -Pn -p 1433,1434 192.168.200.133
-sT: TCP connect scan
-sV: Determine Service version information
-Pn: Ignore Host discovery
-p 1433,1434: Scan port 1433 and 1434
Scanning the whole network
nmap -sT -sV -Pn -–open -p 1433,1434 192.168.200.0/24
–open: Show only open ports
The Metasploit way
Metasploit offers auxiliary module
mssql_ping. This module discovers running MSSQL services. To use it, type:
for a list of available options (Figure 19).
Figure 19. mssql_ping module options
To discover all running MSSQL services on the net, set RHOSTS value equal to 192.168.200.0/24, assuming that your target network is in this range, increase threads value for a faster scanning and run the module (Figure 20).
Figure 20. mssql_ping module in action
Brute forcing MSSQL
mssql_login is working in the same manner as
mysql_login does. It will query the MSSQL instance for a specific username and password pair. The options for this module are: Figure 21.
Figure 21. mssql_login options
The default administrator’s username for SQL server is sa. In the options of this module, you can specify a specific password, or a password list, a username list or a username-password list where usernames and passwords are separated by space and each pair is in a new line. Having set your options simply run the module and wait for your results! You can create your own password list file, like we did in the first chapter where we used
Dump MSSQL Password Hashes
mssql_hashdump extracts the usernames and encrypted password hashes from a MSSQL server and stores them for later cracking with
jtr_mssql_fast. This module also saves information about the server version and table names, which can be used to seed the wordlist. The module is located in auxiliary/scanner/mssql. To use it set RHOSTS option to our target’s ip address and increase THREADS value to 50. If you have managed to reveal root password then set also options USERNAME and PASSWORD. Run the module! (Figure 22).
Figure 22. mssql_hashdump module
Cracking mssql passwords with John The Ripper
Metasploit offers module
jtr_mssql_fast. This module works in the same manner as
jtr_mysql_fast does. It uses John the Ripper to identify weak passwords that have been acquired from the
mssql_hashdump module. After having acquire mssql encrypted hashes with
mssql_hashdump module, load
jtr_mssql_fast and run it.
You should set the Wordlist option which is the path to your desired password list (Figure 23).
Figure 23. jtr_mssql_fast module options
Getting Microsoft SQL Server schema
Metasploit offers the module
mssql_schemadump to retrieve MSSQL schema.
mssql_schemadump is located under
auxiliary/scanner/mssql. This module attempts to extract the schema from a MSSQL Server Instance. It will disregard builtin and example DBs such as master,model,msdb, and tempdb. The module will create a note for each DB found, and store a YAML formatted output as loot for easy reading.To use it you have to set RHOSTS, USERNAME and PASSWORD options. If you are scanning more than one hosts increase the THREADS value to get results faster.
Phishing with MSSQL
Metasploit has also a mssql capture module, called
mssql. This module provides a fake MSSQL service that is designed to capture MSSQL server authentication credentials. The module supports both the weak encoded database logins as well as Windows login (NTLM). To select the capture module type:
You can set CAINPWFILE option to store captured hashes in Cain&Abel format or JOHNPWFILE to store hashes in John The Ripper format. Leave SRVHOST option as it is, 0.0.0.0, to listen on the local host. You can configure the module to use SSL (Figure 24).
Figure 24. mssql capture module options
Run the module and connect to the capture mssql server from another computer on the network to see how it is working. To connect to a mssql server open your Microsoft SQL Server management studio and try to login to the running service (Figure 25). Metasploit has captured the username and the password the user entered to login to the fake MSSQL service.
Figure 25. Login attempt captured by mssql capture module
Exploiting the Microsoft world
Metasploit offers some MSSQL exploits. Let’s take a look.
SQL Server 2000
SQL server 2000 is a very old version of Microsoft SQL Server and is hard to find it on Production environments nowdays.
ms02_039_slammer exploits a resolution service buffer overflow. This overflow is triggered by sending a udp packet to port 1434 which starts with 0x04 and is followed by long string terminating with a colon and a number. To select it for use simply type:
Another exploit module for SQL Server 2000 is
ms02_056_hello is an exploit which will send malformed data to TCP port 1433 to overflow a buffer and possibly execute code on the server with SYSTEM level privileges. To select it, type:
SQL Server 2000 – SQL Server 2005
ms09_004_sp_replwritetovarbin_sqli exploit a heap-based buffer overflow that occur when calling the undocumented “sp_replwritetovarbin” extended stored procedure. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine without the updates supplied in MS09-004. Microsoft patched this vulnerability in SP3 for 2005. To use these exploits you type:
As with any Metasploit module, you can type
to get a list of available options (Figure 26).
Figure 26. ms09_004_sp_replwritetovarbin_sqli module options
to get a list of available of payloads for the selected exploit.
SQL Server database systems
Metasploit offers the module,
exploit/windows/mssql/mssql_payload, which executes an arbitrary payload on a Microsoft SQL Server by using the “xp_cmdshell” stored procedure. Three delivery methods are supported. The original method uses Windows ‘debug.com’. Since this method invokes ntvdm, it is not available on x86_64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses ‘wcsript.exe’ to generate the executable on the target. Finally, ReL1K’s latest method utilizes PowerShell to transmit and recreate the payload on the target.
Another interesting exploit module that can be applied in all SQL Server versions is the
exploit/windows/mssql/mssql_payload_sqli. This module will execute an arbitrary payload on a Microsoft SQL Server, using a SQL injection vulnerability. Once a vulnerability is identified this module will use
xp_cmdshell to upload and execute Metasploit payloads. It is necessary to specify the exact point where the SQL injection vulnerability happens. You should use a “reverse” payload on port 80 or to any other outbound port allowed on the firewall.
Metasploit offers various modules that will assist you to enumerate a MSSQL service, execute sql queries, retrieve useful data and many more. All you need is a valid user-password pair.
mssql_enum will perform a series of configuration audits and security checks against a Microsoft SQL Server database.
mssql_sql_file will allow for simple SQL statements to be executed against a MSSQL/MSDE or multiple SQL queries contained within a specified file. To select them, type:
and execute the following command to see the options (Figure 27)
Figure 27. mssql_sql_file module options
There is an amazing module called
mssql_findandsampledata. This module will search through all of the non-default databases on the SQL Server for columns that match the keywords defined in the TSQL KEYWORDS option. If column names are found that match the defined keywords and data is present in the associated tables, the module will select a sample of the records from each of the affected tables. You have to set the the sample size by configuring the
SAMPLE_SIZE option. Your results will be stored in CSV format. Type
Executing Windows Commands
If you have managed to find a valid username – password pair, the most desired thing that you would like to do is to execute a command on the compromised machine. Metasploit offers module
auxiliary/admin/mssql/mssql_exec which will execute a Windows command on a MSSQL/MSDE instance via the xp_cmdshell procedure. All you need is the username and password!!
Figure 28. mssql_findandsampledata module options
If you need to search for specific information in SQL Server databases there is a module that can make your life easier. Its name,
mssql_idf, and you will find it under
auxiliary/admin/mssql/. This module will search the specified MSSQL server for ‘interesting’ columns and data. The module is working against SQL Server 2005 and SQL Server 2008 (Figure 29).
Figure 29. mssql_idf module options
Databases are the most important part of today’s computing systems. They usually contain all the information needed to run a company or organization. Therefore it is necessary to be as safe as possible. Metasploit framework is just one tool of many out there, that offers the appropriate scripts to compromise a database system. Databases are software that must be accessed by applications running on the Internet, that’s why they must be guarded by firewalls, use encryption and powerfull passwords and the whole system (database and operating system) must be checked every day for new updates and upgrades. The best choice would be to allow access to your database only from your intranet and/or vpn. Try not to expose your database directly to the web. Close all your database system ports now!
George Karpouzas is the co-founder and owner of WEBNETSOFT, a Software development, Computers security and IT services company in Greece. He is working as a software developer for the past seven years. He is a penetration tester, security researcher, information security consultant and software developer at WEBNETSOFT. He holds a bachelor’s of science in computer science from Athens University of Economics and Business. You can find the answers to any security questions on his blog http:// securityblog.gr.