
Exploit 2: Unsecured MySQL Database

Discovery Process

Conducted an Nmap scan of the target to identify open ports and running services:

[Image: NMAP Scan]

Identified the MySQL service running on port 3306, which is commonly used for database connections.

Exploitation:

Attempted to access the MySQL database using the mysql client from the Kali Linux VM.

Initial Command:
[Image: MySQL Error_1]

When running this command, we encountered ERROR 2026 (HY000): TLS/SSL error: wrong version number. This was due to an SSL/TLS version mismatch between the MySQL client and the server.

Fix Applied: To resolve this, the connection was modified to disable SSL by using the --skip-ssl option:

[Image: MySQL Fix]

This successfully allowed us to bypass the SSL/TLS connection issue and access the MySQL database.

Explanation of Command:

-u root: Specifies the root user to attempt login.
-p: Prompts for a password (used to test the default password or perform a brute-force attack).
--skip-ssl: Disables SSL (Secure Sockets Layer) for the connection, which resolved the SSL/TLS version-mismatch error.
-h 192.168.1.184: Specifies the Metasploitable VM's IP address.

No Password Set:
[Image: MySQL GainedAccess]

Proof of Work:

Upon logging in without specifying a password, the MySQL service allowed access without authentication, as no password had been set for the root account. This highlights the unsecured nature of the MySQL service on Metasploitable, which allows unauthenticated access to the database.

After gaining access, we verified the connection by querying the databases:
[Image: MySQL ShowDatabases]

Searching for sensitive tables that may contain user credentials:
[Image: MySQL Access Database]

Querying the user table to extract usernames and password hashes:
[Image: MySQL Access_2]

Read Files on the Target:
[Image: MySQL_1]

Successfully logged in and accessed the MySQL service.

Writing a backdoor (Failed):
[Image: BackdoorAttemptFailed]

Writing a backdoor (Success):
[Image: BackdoorAttemptSuccess]

Recommendations for Mitigation:

  1. Enforce Strong Password Policies:
    • Use a minimum password length of 12 characters with a combination of uppercase, lowercase, numbers, and special characters.
  2. Disable Remote Access for MySQL:
    • Modify the MySQL configuration to restrict access to only trusted IP addresses.
  3. Enable SSL/TLS Encryption for MySQL:
    • Configure MySQL to use SSL/TLS encryption to protect data in transit and prevent man-in-the-middle attacks.
  4. Ensure Proper Configuration of SSL Certificates:
    • Use trusted Certificate Authorities (CAs) to issue SSL certificates, and keep client and server TLS configuration consistent to avoid version mismatches.
  5. Limit User Privileges:
    • Use least-privilege principles when creating MySQL users, ensuring they only have the necessary permissions.
  6. Use Intrusion Detection and Prevention Tools:
    • Deploy a Network Intrusion Detection System (NIDS) such as Snort or Suricata to monitor database traffic.
  7. Use Rate-Limiting and Intrusion Prevention Tools:
    • Install fail2ban to block IPs after multiple failed login attempts.
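The recommendations above gathered into one MySQL audit-and-hardening script, added here as an example rather than taken from this write-up. It first finds the conditions this exploit relied on (empty passwords, and the FILE privilege behind the file-read and backdoor-write steps), then applies the fixes; the account name, subnet, certificate paths and passphrases are placeholders, and the syntax assumes MySQL 5.7.6 or later.

```sql
-- Added hardening/audit script (not from the original write-up). Assumes
-- MySQL 5.7.6+ / 8.0 syntax; on the older server shipped with Metasploitable
-- the password column is mysql.user.password, not authentication_string.
-- Network and file-system limits belong in the server config (my.cnf):
--   [mysqld]
--   bind-address             = 127.0.0.1       # recommendation 2
--   require_secure_transport = ON              # recommendation 3
--   ssl_ca   = /etc/mysql/ssl/ca.pem           # recommendation 4 (CA-issued)
--   ssl_cert = /etc/mysql/ssl/server-cert.pem  # placeholder paths
--   ssl_key  = /etc/mysql/ssl/server-key.pem
--   secure_file_priv = /var/lib/mysql-files    # confines LOAD_FILE / INTO OUTFILE

-- 1. Audit: accounts that authenticate with an empty password (root was one).
SELECT user, host, plugin
FROM mysql.user
WHERE authentication_string = '' OR authentication_string IS NULL;

-- 2. Audit: accounts holding FILE, the privilege that lets a database login
--    read host files and write files (the backdoor path shown above).
SELECT user, host FROM mysql.user WHERE File_priv = 'Y';

-- 3. Set a real root password (placeholder value; use a generated passphrase)
--    and remove anonymous and remote-root accounts.
ALTER USER 'root'@'localhost' IDENTIFIED BY 'REPLACE-WITH-LONG-RANDOM-PASSPHRASE';
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS ''@'%';
DROP USER IF EXISTS 'root'@'%';

-- 4. Least privilege (recommendation 5): an application account limited to one
--    schema, one source subnet (assumed 10.0.0.0/24) and TLS-only connections.
CREATE USER 'app'@'10.0.0.%'
  IDENTIFIED BY 'REPLACE-WITH-LONG-RANDOM-PASSPHRASE'
  REQUIRE SSL;
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'10.0.0.%';

-- 5. Refuse plaintext connections server-wide. This lasts until restart
--    unless the same setting is also placed in my.cnf as shown above.
SET GLOBAL require_secure_transport = ON;

-- 6. Re-check: no empty-password accounts and no FILE holders should remain.
SELECT user, host FROM mysql.user
WHERE authentication_string = '' OR File_priv = 'Y';
```

Run the two audit queries first on a copy of the server to confirm which accounts would be affected before executing the ALTER, DROP and GRANT statements.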