How to Enumerate MYSQL Database using Metasploit – Kali Linux Tutorial

Cyber reconnaissance is the most significant phase to stimulate an attack. Without any prior knowledge of a victim and the weaknesses that can help to exploit the target, the attack could not be successfully generated.

Talking about target, Cyber world is not entirely an internet but a lot more than that. It is an entity of independent networks containing telecommunication networks, databases, smart devices and web applications. There are different tricks and techniques to exploit each of them depending upon the information we get after reconnaissance.

Exploiting database is a key target for cyber criminals due to a valuable information storage and a number of loopholes including deployment failures, broken databases, data leak, stolen database backup, lack of segregation, SQL injections and database inconsistencies.

Any information related to database is advantageous to an attacker when it comes to generate an attack.  Whether the information is about the version of database or the structure of database can render more juicy information to plan a strategy. If the version of database is outdated, it can be easily attacked through finding a suitable exploit. Moreover, weak credentials of low secure databases can help to use credential reusability or brute-forcing credentials to compromise highly secured database. Lastly getting knowledge of the schema of database is vital to perform SQL injection attack.

So today we are going to enumerate some of this information related to MYSQL database. We will use Metasploit framework as it includes many effective auxiliary modules to easily exploit the target. Use Metasploit framework via Kali Linux and target Metasploitable2 to observe the output.

Scanning

The first ever step of reconnaissance is scanning the target. It will determine if the MYSQL database is running on victim’s machine. As we know it runs on port 3306, use Nmap with the target’s IP to scan the target:

# nmap 192.168.0.101 -p 3306

Scanning

It shows that MYSQL is running on the target and the port is open.

Its time to enumerate this database and get information as much as you can collect to plan a better strategy.

Execute Metasploit framework by typing msfconsole on the Kali prompt:

msfconsole

Search all modules of MYSQL that can be helpful to generate an exploit. Type search mysql:

MYSQL

MYSQL1

It listed a number of modules. As of now we are only concerned with the auxiliary scanners.

Cracking the Credentials

Let’s try mysql_login module first to crack some valid credentials of the MYSQL. Type use command to load the module:

Use auxiliary/scanner/mysql/mysql_login

Cracking the Credentials

Type options to see the current settings of this module:

current settings

Now create a file including a list of common usernames. I just prepared a short list for the demonstration purpose but in real, publicly available longer lists have been used to crack the credentials. Name it as you want:

credentials

Add some common usernames and save it:

common usernames

Again, create a file containing common passwords. Usually a longer list has been used but as it will take more time to complete the module, we will keep it short.  Add the passwords and save the file:

containing common passwords

containing common passwords

Set the created files i.e. ehacking_user.txt and passwords.txt to read the usernames and passwords from these files:

As MYSQL gives permission to login with a blank password therefore set this option true to check for blank passwords:

permission to login

Set the target IP address. Use setg command to set this option globally since we are going to execute all modules on the same target:

set command

All settings are done now run the module by typing exploit:

typing exploit

typing exploit1

This module tries all the possible combination provided from the text files of usernames and passwords. It extracts some of valid logins while trying the combinations.

So far it can be seen that only ‘root’ and ‘guest’ are the valid logins and they are using blank passwords. This can be tricky as it takes some time to crack the credentials but eventually it is not impossible to get the desired output.

Use MYSQL Enumerator to get the Information

The sql-enum module automatically enumerates useful information about the database i.e. server information, version, data directories and many other options that can be easily configured in MYSQL.

Let’s get started by loading the module:

MYSQL Enumerator

Once the module is loaded type show options to see the current setting of this module.

module is loaded

It shows that the target IP has already set as, previously we used the global option. The port number is set as default now the only thing remaining to be configured is the username. Set the username as ‘root’ or ‘guest’ since we already know MYSQL allows to login from these usernames with blank password. Set this option globally:

Now run the exploit:

Now run the exploit

It enumerates the information including version name, server host name, data directory, SSL connection state and many more which will be helpful to the attacker.

Dump Database Schema

The mysql_schemadump module used to dump schema information of the database. Schema is nothing but a blueprint of a database referring information about the design of database and the organizational details of number of rows and columns. This can help to find the key information of the database in the reconnaissance phase.

Load the module and type show options to see configuration:

Every entity is set so now let’s run the module:

Every entity

Every entity 1

Every entity 2As mentioned earlier, it will give a lot of juicy information about the schema and Metasploit could save the loot into a text file to provide convenience.

Find Hashes of MYSQL Passwords

The next module we will try is the mysql_hashdump module simply gather password hashes if it finds in a database. This module is very useful in pivoting to other systems, indicating reusability of passwords and gaining root access to another system.

Load the module and type show options:

MYSQL PasswordsAgain, all the parameters are already set now run the module:

It can be seen that it saves the hashes as loot after completion. Since our target does not have a password set, this returns nothing, and we don’t get any hash.

Execute SQL Queries

The last module we will use is mysql_sql, that can run SQL queries in the Metasploit framework.

Load the module and see the current options:

Execute SQL Queries

SQL Queries

Every parameter is set except we need to configure the SQL query and run it against the target. The most familiar command while connecting to a database is ‘show databases’ that will list down all the possible databases to use:

First, set the option to sql show databases:

option to sql

Run the module:

And there you go, getting a bunch of different databases available in this instance of MYSQL.

We have used a number of Metasploit Auxiliary modules to extract valuable information of MYSQL Databases. These modules help us to crack the credentials, getting schema information, creating a list of password hashes and other important information which can be used to exploit the target and perform several malicious activities including SQL Injection.

Irfan Shakeel
Irfan Shakeel, the founder of ehacking project, he also hosts cyber security training classes at EH Academy. He has discovered many vulnerabilities in the famous platforms (like Google, Dailymotion, Harvard University & etc.). He specializes in Network hacking, VoIP pentesting & digital forensics. He is the author of the book title “Hacking from Scratch”.

Most Popular

Top 5 Techniques Hackers Use to hack Social Media Accounts

These days, Social Media have become a significant need in our everyday life. It encourages us to associate and connect with anyone over the...

5 Top Programming Languages for Hacking

We live in the 21st century, which is very fast-changing. This is a century of competition for information and computing resources. Every year the...

OSINT Tutorial to Track An Aircraft And Flight Information In Real-Time

No doubt Internet is said to be the world's largest repository of data and information. It contains an enormous amount of data related to...

Preventing SQL Injection in PHP Applications

SQL injection is one of the most common cybersecurity threats and as the name suggests, it is a form of injection attack. Injection attacks, on...