How to use Sqlploit

How to use Sqlploit

Databases nowdays are everywhere, from the smallest desktop applications to the largest web sites such as Facebook. Critical business information are stored in database servers that are often poorly secured.

Someone an to this information could have control over a company’s or an organization’s infrastructure. He could even sell this information to a company’s competitors. Imagine the damage that something like this could cause. In this article, we will see how we can use Metasploit to attack our database servers.

Metasploit is a very powerful tool. Actually, is not just a tool, it is a collection of tools. It is a whole framework. It has gained incredible popularity in the last few years because of its success in the fields of penetration testing and information security. It includes various tools, from various scanners to exploits. It can be used to discover software vulnerabilities and exploit them. With database servers having so many security weaknesses, Metasploit has numerous auxiliary modules and exploits to assist you with your database server penetration testing. Metasploit is available for all popular operating systems so what operating system you are already using might not be a problem. In this article we are going to use Metasploit’s auxiliary modules and exploits to complete various penetration testing tasks against popular database servers, such as Microsoft SQL Server and MySQL. I hope you enjoy it!

Attacking a MySQL Database Server

MySQL is the world’s most used open source relational database management system. Its source code is available under the terms of the GNU General Public License and other proprietary license agreements. MySQL is the first database choice when it comes to open source applications creation. MySQL is a very secure database system, but as with any software that is publicly accessible, you can’t take anything for granted.

Figure 1. Discovering MySQL servers – The nmap wa

Discover open MySQL ports

MySQL is running by default on port 3306. To discover MySQL you can do it either with nmap or with Metasploit’s auxiliary modules.

The NMAP way

Nmap is a free and open source network discovery and security auditing utility. It can discover open ports, running services, operating system version and much more. To discover open MySQL ports we use it in this way:

nmap -sT -sV -Pn -p 3306 192.168.200.133

Parameters:

-sT: TCP connect scan

-sV: Determine Service version information

-Pn: Ignore Host discovery

-p 3306: Scan port 3306

Scanning the whole network:

nmap -sT -sV -Pn -–open -p 3306 192.168.200.0/24

Parameters:

--open: Show only open ports (Figure 2)

Figure 2. Discovering MySQL servers – The nmap way

The Metasploit way

Metasploit offers auxiliary module mysql_version. This module enumerates the version of running MySQL servers. To use it type:

use auxiliary/scanner/mysql/mysql_version

To use this scanner you have to set its options. Type:

show options

To see a list of available options (Figure 3).

Figure 3. mysql_version auxiliary module options

Set the RHOSTS parameter:

set RHOSTS 192.168.200.133

or

set RHOSTS 192.168.200.0/24

Set the RPORT parameter to a different value if you believe that the MySQL Server is listening on a different port:

Set RPORT 3333

Increase THREADS value for a faster scanning (Figure 4):

Figure 4. mysql_version options after setting them up

set THREADS 50

Now, all you have to type is:

run

and hit enter (Figure 5).

Figure 5. mysql_version scanner in action

As you can see from the screenshot we have a MySQL version 5.0.51a running at 192.168.200.133!

Brute forcing MySQL

There is an auxiliary module in Metasploit called mysql_login which will happily query a mysql server for specific usernames and passwords. The options for this module are: Figure 6.

Figure 6. mysql_login module options

To start your attack you have to set the RHOSTS option and choose a username and a password.

SET RHOSTS 192.168.200.133

SET USERNAME root

Leave the password blank. Your options, after executing the commands above, should seem like Figure 6. mysql_login will try to login with blank password and with the username as the password. Maybe we are lucky before we start brute-forcing database with passwords lists (Figure 7).

Figure 7. Starting brute-forcing database with passwords lists

We were lucky! The administrator is completely ignorant. But what if we weren’t so lucky? We then need a password list file. We can create one by ourselves or download one from the Internet. Let’s create one!

Creating a password list

To create our password list we are going to use crunch. If you are using BackTrack, crunch is already installed. Open Privilege Escalation > Password Attacks > Offline Attacks > crunch. Otherwise download it from here http://sourceforge.net/projects/crunch-wordlist/.

Execute:

./crunch 6 8 abcde123456 -o passfile.lst

The above command will create passwords between 6 and 8 characters long, consisting of ascii characters a,b,c,d,e and numbers 1,2,3,4,5,6 and will save the list into file passfile.lst (Figure 8).

Figure 8. Generating a password list with crunch

Using password lists

Now that we have our password list stored in /pentest/passwords/crunch/passfile.lst, we can use it in mysql_login module.

Set PASS_FILE /pentest/passwords/crunch/passfile.lst

Increase also the number of concurrent threads for a faster brute-force attack.

SET THREADS 50

run

mysql_login (Figure 9) module offers 2 other options, USER_FILE and USERPASS_FILE. You can use a username file list to try various username values by setting the USER_FILE option accordingly. With USERPASS_FILE parameter you can use a file which contains both usernames and passwords in the same file separated by space and one pair per line.

Figure 9. mysql brute-force attack using password list

Bypass MySQL Authentication

Module mysql_authbypass_hashdump exploits a password bypass vulnerability in MySQL and can extract usernames and encrypted passwords hashes from a MySQL server. To select it type:

use auxiliary/scanner/mysql/mysql_hashdump

Set RHOSTS and THREADS option:

set RHOSTS 192.168.200.133

set THREADS 50

and run the module. We can also set parameter username.

set username root

Unlucky! (Figure 10)

Figure 10. Running mysql_authbypass_hashdump module

Dump MySQL Password Hashes

mysql_hashdump extracts the usernames and encrypted password hashes from a MySQL server. One can then use jtr_mysql_fast module to crack them. The module is located in auxiliary/scanner/mysql. To use it set RHOSTS option to our target’s IP address and increase THREADS value. If you have managed to reveal root password then set also options USERNAME and PASSWORD. Run the module to get your precious results! (Figure 11)

Figure 11. mysql server hashes and usernames

Cracking passwords with John The Ripper

Metasploit offers module jtr_mysql_fast.This module uses John the Ripper to identify weak passwords that have been acquired from the mysql_hashdump module. John the Ripper is a free and Open Source software password cracker, available for many operating systems such as Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. After having acquired mysql hashes with mysql_hashdump module, load jtr_mysql_fast module and run it.

use auxiliary/analyze/jtr_mysql_fast

run

This module offers options such as setting a custom path for john the ripper. The option that interests you the most is the Wordlist option, which is a path to your desired password list (Figure 12).

Figure 12. jtr_mysql_fast module options

Getting the schema

A database schema describes in a formal language the structure of the database, the organization of the data, how the tables, their fields and their relationships between them must be defined and more. In general, database schema defines the way the database should be constructed. Metasploit has the module mysql_schemadump to get MySQL schema. mysql_schemadump is located under auxiliary/scanner/mysql. To use it you have to set RHOSTS, USERNAME and PASSWORD options. If you are scanning more than one hosts increase THREADS value!

Let’s go Phishing

Phishing is an attempt to steal sensitive information by impersonating a well known organization. In the same manner you can trick a user to steal her MySQL credentials. One of the abilities of Metasploit is this, mimic known services and capture user credentials. Among the various capture modules there is a module called mysql. This module provides a fake MySQL service that is designed to capture MySQL server authentication credentials. It captures challenge and response pairs that can be supplied to Cain or John the Ripper for cracking.

To select the capture module type:

use auxiliary/server/capture/mysql

This module offers some interesting options. You can set CAINPWFILE option to store captured hashes in Cain&Abel format or JOHNPWFILE to store hashes in John The Ripper format. Leave SRVHOST option as it is, 0.0.0.0, to listen on the local host. You can also set the SRVVERSION option, which is the version of the mysql server that will be reported to clients in the greeting response. This option must agree with the true mysql server version on the network if you don’t want to being detected. You can also configure the module to use SSL! (Figure 13)

Figure 13. mysql capture module options

Run the module and connect to the capture mysql server from another computer on the network to see how it is working. To connect to a mysql server open a terminal and type:

mysql -h ip_address -u root -p

Enter any password, for now, in mysql’s prompt and see what is happening in Metasploit! (Figure 14)

Figure 14. mysql capture module in action

Metasploit has captured the hash and now this hash is stored in cain and john format in files /tmp/john and /tmp/cain. These are the files that I have chosen.

Cain Format

root NULL

94e243cab3181cvef73852s3011651369196a928

112263447569708899agbbfcddneff2113434455 SHA1

John format

root:$mysqlna$1112263447569708899agbb

fcddneff2113434455 *

94e243cab3181cvef73852s3011651369196a928

MySQL Exploiting

MySQL database system is a very secure piece of software. Metasploit doesn’t offer many MySQL exploits. Although some exploits exist.

YaSSL Exploits

YaSSL is a lightweight embedded SSL library. Metasploit offers 2 exploits for this library. The mysql_yassl_getname and the mysql_yassl_hello. The mysql_yassl_getname exploits a stack buffer overflow in the yaSSL 1.9.8 and earlier and mysql_yassl_hello exploits a stack buffer overflow in the yaSSL 1.7.5 and earlier. To use any exploit you have to select it:

use exploit/linux/mysql/mysql_yassl_getname

use exploit/linux/mysql/mysql_yassl_hello

use exploit/windows/mysql/mysql_yassl_hello

As you can figure, the last exploit is for windows systems. After selecting your desired exploit, you have to select the payload. Each exploit offers a variety of payloads. You have to choose the most suitable for your target. To see a list of available payloads for the exploit type (Figure 15):

show payloads

Figure 15. Exploit’s and payload’s options

The most successful exploits usually are the reverse_tcp payloads where the target machine connects back to you. Each payload offers some options. By typing

show options

you will see exploit’s and payload’s options (Figure 16).

Figure 16. mysql_yassl_hello exploit payloads

Other MySQL Exploits

We should mention here two more exploits that are available for MySQL systems that run on Windows servers. The mysql_payload and the scrutinizer_upload_exec. The first exploit, mysql_payload, creates and enables a custom UDF on the target. On default Microsoft Windows installations of MySQL 5.5.9 and earlier, directory write permissions are not enforced, and the MySQL service runs as LocalSystem. This module will leave a payload executable on the target system and the UDF DLL, and will define or redefine sys_eval() and sys_exec() functions. The scrutinizer_upload_exec module exploits an insecure config found in Scrutinizer NetFlow & sFlow Analyzer, a network traffic monitoring and analysis tool. By default, the software installs a default password in MySQL, and binds the service to “0.0.0.0”. This allows any remote user to login to MySQL, and then gain arbitrary remote code execution under the context of ‘SYSTEM’.

We are in!

And now what? Metasploit offers two modules that will assist you to enumerate a MySQL service or execute sql queries. All you need is a valid user-password pair. mysql_enum allows for simple enumeration of MySQL Database Server and mysql_sql allows for simple SQL statements to be executed against a MySQL instance. To select them, type:

use auxiliary/admin/mysql/mysql_enum

and execute the command

show options

to get a list of available options (Figure 17).

Figure 17. mysql_enum module option

To use mysql_sql execute (Figure 18):

Figure 18. mysql_sql module options

use auxiliary/admin/mysql/mysql_sql

and

show options

Attacking a Microsoft SQL Server

Microsoft SQL Server (MSSQL) is a relational database management system (RDBMS) used to store, retrieve and manage information. As with many Microsoft’s products, SQL Server has many security weaknesses. Let’s start by identifying running SQL servers on the network.

Discover open MSSQL ports

MSSQL is running by default on port 1433. To discover SQL Server you can use either nmap or Metasploit’s auxiliary module.

The NMAP way

To discover open MSSQL ports we execute the following command:

nmap -sT -sV -Pn -p 1433 192.168.200.133

Usually administrators, when they need more than one instances of SQL server they run the second instance at port 1434.

nmap -sT -sV -Pn -p 1433,1434 192.168.200.133

Parameters:

-sT: TCP connect scan

-sV: Determine Service version information

-Pn: Ignore Host discovery

-p 1433,1434: Scan port 1433 and 1434

Scanning the whole network

nmap -sT -sV -Pn -–open -p 1433,1434 192.168.200.0/24

Parameters:

--open: Show only open ports

The Metasploit way

Metasploit offers auxiliary module mssql_ping. This module discovers running MSSQL services. To use it, type:

use auxiliary/scanner/mssql/mssql_ping

Type:

show options

for a list of available options (Figure 19).

Figure 19. mssql_ping module options

To discover all running MSSQL services on the net, set RHOSTS value equal to 192.168.200.0/24, assuming that your target network is in this range, increase threads value for a faster scanning and run the module (Figure 20).

Figure 20. mssql_ping module in action

Brute forcing MSSQL

Auxiliary module mssql_login is working in the same manner as mysql_login does. It will query the MSSQL instance for a specific username and password pair. The options for this module are: Figure 21.

Figure 21. mssql_login options

The default administrator’s username for SQL server is sa. In the options of this module, you can specify a specific password, or a password list, a username list or a username-password list where usernames and passwords are separated by space and each pair is in a new line. Having set your options simply run the module and wait for your results! You can create your own password list file, like we did in the first chapter where we used mysql_login module.

Dump MSSQL Password Hashes

mssql_hashdump extracts the usernames and encrypted password hashes from a MSSQL server and stores them for later cracking with jtr_mssql_fast. This module also saves information about the server version and table names, which can be used to seed the wordlist. The module is located in auxiliary/scanner/mssql. To use it set RHOSTS option to our target’s ip address and increase THREADS value to 50. If you have managed to reveal root password then set also options USERNAME and PASSWORD. Run the module! (Figure 22).

Figure 22. mssql_hashdump module

Cracking mssql passwords with John The Ripper

Metasploit offers module jtr_mssql_fast. This module works in the same manner as jtr_mysql_fast does. It uses John the Ripper to identify weak passwords that have been acquired from the mssql_hashdump module. After having acquire mssql encrypted hashes with mssql_hashdump module, load jtr_mssql_fast and run it.

use auxiliary/analyze/jtr_mssql_fast

and

run

You should set the Wordlist option which is the path to your desired password list (Figure 23).

Figure 23. jtr_mssql_fast module options

Getting Microsoft SQL Server schema

Metasploit offers the module mssql_schemadump to retrieve MSSQL schema. mssql_schemadump is located under auxiliary/scanner/mssql. This module attempts to extract the schema from a MSSQL Server Instance. It will disregard builtin and example DBs such as master,model,msdb, and tempdb. The module will create a note for each DB found, and store a YAML formatted output as loot for easy reading.To use it you have to set RHOSTS, USERNAME and PASSWORD options. If you are scanning more than one hosts increase the THREADS value to get results faster.

Phishing with MSSQL

Metasploit has also a mssql capture module, called mssql. This module provides a fake MSSQL service that is designed to capture MSSQL server authentication credentials. The module supports both the weak encoded database logins as well as Windows login (NTLM). To select the capture module type:

use auxiliary/server/capture/mssql

You can set CAINPWFILE option to store captured hashes in Cain&Abel format or JOHNPWFILE to store hashes in John The Ripper format. Leave SRVHOST option as it is, 0.0.0.0, to listen on the local host. You can configure the module to use SSL (Figure 24).

Figure 24. mssql capture module options

Run the module and connect to the capture mssql server from another computer on the network to see how it is working. To connect to a mssql server open your Microsoft SQL Server management studio and try to login to the running service (Figure 25). Metasploit has captured the username and the password the user entered to login to the fake MSSQL service.

Figure 25. Login attempt captured by mssql capture module

Exploiting the Microsoft world

Metasploit offers some MSSQL exploits. Let’s take a look.

SQL Server 2000

SQL server 2000 is a very old version of Microsoft SQL Server and is hard to find it on Production environments nowdays. ms02_039_slammer exploits a resolution service buffer overflow. This overflow is triggered by sending a udp packet to port 1434 which starts with 0x04 and is followed by long string terminating with a colon and a number. To select it for use simply type:

use exploit/windows/mssql/ms02_039_slammer

Another exploit module for SQL Server 2000 is ms02_056_hello. ms02_056_hello is an exploit which will send malformed data to TCP port 1433 to overflow a buffer and possibly execute code on the server with SYSTEM level privileges. To select it, type:

use exploit/windows/mssql/ms02_056_hello

SQL Server 2000 – SQL Server 2005

ms09_004_sp_replwritetovarbin and ms09_004_sp_replwritetovarbin_sqli exploit a heap-based buffer overflow that occur when calling the undocumented “sp_replwritetovarbin” extended stored procedure. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine without the updates supplied in MS09-004. Microsoft patched this vulnerability in SP3 for 2005. To use these exploits you type:

use exploit/windows/mssql/ms09_004_sp_replwritetovarbin

or

use exploit/windows/mssql/ms09_004_sp_replwritetovarbin_sqli

As with any Metasploit module, you can type

show options

to get a list of available options (Figure 26).

Figure 26. ms09_004_sp_replwritetovarbin_sqli module options

Type

show payloads

to get a list of available of payloads for the selected exploit.

SQL Server database systems

Metasploit offers the module, exploit/windows/mssql/mssql_payload, which executes an arbitrary payload on a Microsoft SQL Server by using the “xp_cmdshell” stored procedure. Three delivery methods are supported. The original method uses Windows ‘debug.com’. Since this method invokes ntvdm, it is not available on x86_64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses ‘wcsript.exe’ to generate the executable on the target. Finally, ReL1K’s latest method utilizes PowerShell to transmit and recreate the payload on the target.

Another interesting exploit module that can be applied in all SQL Server versions is the exploit/windows/mssql/mssql_payload_sqli. This module will execute an arbitrary payload on a Microsoft SQL Server, using a SQL injection vulnerability. Once a vulnerability is identified this module will use xp_cmdshell to upload and execute Metasploit payloads. It is necessary to specify the exact point where the SQL injection vulnerability happens. You should use a “reverse” payload on port 80 or to any other outbound port allowed on the firewall.

From inside

Metasploit offers various modules that will assist you to enumerate a MSSQL service, execute sql queries, retrieve useful data and many more. All you need is a valid user-password pair. mssql_enum will perform a series of configuration audits and security checks against a Microsoft SQL Server database. mssql_sql and mssql_sql_file will allow for simple SQL statements to be executed against a MSSQL/MSDE or multiple SQL queries contained within a specified file. To select them, type:

use auxiliary/admin/mssql/mssql_enum

or

use auxiliary/admin/mssql/mssql_sql

or

use auxiliary/admin/mssql/mssql_sql_file

and execute the following command to see the options (Figure 27)

show options

Figure 27. mssql_sql_file module options

Sample Data

There is an amazing module called mssql_findandsampledata. This module will search through all of the non-default databases on the SQL Server for columns that match the keywords defined in the TSQL KEYWORDS option. If column names are found that match the defined keywords and data is present in the associated tables, the module will select a sample of the records from each of the affected tables. You have to set the the sample size by configuring the SAMPLE_SIZE option. Your results will be stored in CSV format. Type

use auxiliary/admin/mssql/mssql_findandsampledata

and

show options

Executing Windows Commands

If you have managed to find a valid username – password pair, the most desired thing that you would like to do is to execute a command on the compromised machine. Metasploit offers module auxiliary/admin/mssql/mssql_exec which will execute a Windows command on a MSSQL/MSDE instance via the xp_cmdshell procedure. All you need is the username and password!!

Figure 28. mssql_findandsampledata module options

Data mining

If you need to search for specific information in SQL Server databases there is a module that can make your life easier. Its name, mssql_idf, and you will find it under auxiliary/admin/mssql/. This module will search the specified MSSQL server for ‘interesting’ columns and data. The module is working against SQL Server 2005 and SQL Server 2008 (Figure 29).

Figure 29. mssql_idf module options

Conclusion

Databases are the most important part of today’s computing systems. They usually contain all the information needed to run a company or organization. Therefore it is necessary to be as safe as possible. Metasploit framework is just one tool of many out there, that offers the appropriate scripts to compromise a database system. Databases are software that must be accessed by applications running on the Internet, that’s why they must be guarded by firewalls, use encryption and powerfull passwords and the whole system (database and operating system) must be checked every day for new updates and upgrades. The best choice would be to allow access to your database only from your intranet and/or vpn. Try not to expose your database directly to the web. Close all your database system ports now!

George Karpouzas

George Karpouzas is the co-founder and owner of WEBNETSOFT, a Software development, Computers security and IT services company in Greece. He is working as a software developer for the past seven years. He is a penetration tester, security researcher, information security consultant and software developer at WEBNETSOFT. He holds a bachelor’s of science in computer science from Athens University of Economics and Business. You can find the answers to any security questions on his blog http:// securityblog.gr.