Time: 5 hours 38 minutes
Difficulty: Intermediate
CEU/CPE: 6

Video Description

In this final video in the series on scanners, Dean provides some examples of using scanners to collect info on databases installed on a target. Again, a broad, top down approach is taken where the type of database and its version are initially gathered. From there, the scanning progresses to a more detailed level where actual exploits are attempted such as generic queries, dumping credentials, and obtaining the database schema.

Video Transcription

00:04
Okay, so
00:07
let's move on to, uh, another method of gathering information from
00:12
our target host. So we saw that we were running a MySQL database
00:19
as part of the scan I shot. Could just see that easier
00:23
go back to services.
00:29
it's thinking about it.
00:34
All right, so now
00:35
The services that are closed are showing up.
00:38
So what up again? I will try my command line option.
00:43
I can say services -u. That just shows me the ones that are up
00:47
and
00:50
MySQL. Here we go,
00:54
and it automatically came back and did the banner grab and showed me my version number. But I could also try to get this in different ways. For instance, I could
01:04
do a search for MySQL, see what's available.
01:11
Something simple, like the version number. Here we go.
01:15
auxiliary/scanner/mysql/mysql_version.
01:26
All right, Mouse is misbehaving a little bit there.
01:30
Here we go.
01:34
I already have this information just proving the point that it actually does work
01:40
as a standalone tool. Our host value is set
01:45
and I can just run, exploit.
01:49
All right, good. It matches up, 5.0.51a.
01:55
I've got other things to liken. There's an excellent, uh,
01:57
exploit for MySQL payload.
02:01
There's lots of other things to think about here,
02:05
huh?
02:06
Generic queries. So trying to do some kind of arbitrary query on a system, trying to log into the MySQL instance. If you could gather credentials for that, that would be a good,
02:17
a good find.
02:21
So you have other options inside for things like databases. So we know we also have a Postgres database on this system,
02:30
so I can do a search for Postgres.
02:34
I want to gather some more information about that database.
02:42
Should give me a bunch of things to consider.
02:45
All right. So I've got some
02:47
administrative, uh,
02:51
modules here, also have some scanners,
02:55
so I could start with something simple, like the version. Even though I have this information, just proving that you can get it in other ways.
03:06
Back out of that.
03:07
And I want to use postgres version
03:16
now. I already know what the password is, so I could set that here,
03:23
and I think I will so set password
03:27
postgres.
03:30
I can run the exploit and see what it gives me.
03:34
So I get a really nice, detailed bit of information about,
03:38
uh, this particular database.
03:40
What else can I do?
03:43
Uh, let's see if I can do a hash dump
03:47
now. It's only gonna
03:50
probably give me the
03:53
well, not probably, will give me the hashes of passwords that I'm allowed to see with my privilege level.
04:00
So let's see what that gets us.
04:05
Show my options again. Always get in a habit of doing this so you don't leave something out. All right, again, I can see that I want to set my password.
04:15
This is the danger of having default configurations.
04:18
This system could be running for years like this without anybody knowing that this default password is a big vulnerability.
04:29
All right, so now I've been able to get the hash
04:32
for the postgres user.
04:36
What else can I get since I have credentials,
04:42
uh, schema dump? That looks interesting. We'll see if that works.
04:47
I know what the schema looks like now. I can
04:50
certainly have more opportunities for
04:55
interacting with that database, changing it or doing other things which may be
04:59
to the advantage of the Manchester.
05:02
All right again, I have to set my password.
05:10
Everything else looks to be correct,
05:14
so I'll run the exploit.
05:17
All right. So ridiculous schema about that. Looks like the database is just very simple. Maybe one table or something. Very basic. If it was more complicated, then I would see more tables being shown,
05:29
but you get some idea of what's possible here.


Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor