Part 1.3 Scanners

Difficulty
Intermediate
Video Description

In this final video in the series on scanners, Dean provides some examples of using scanners to collect information on databases installed on a target. Again, a broad, top-down approach is taken, where the type of database and its version are gathered first. From there, the scanning progresses to a more detailed level where actual exploits are attempted, such as generic queries, dumping credentials, and obtaining the database schema.

Video Transcription
00:06
Let's move on to another method of gathering information from our target host. We saw that we were running a MySQL database as part of the scan. Actually, I can just see that easier. Go back to services. It's thinking about it. The services that are closed are showing up. Again, I will try my command line option. I can say services -u. That just shows me the ones that are up, and MySQL, here we go. It automatically came back and did the banner grabbing, showed me my version number.

I could also try to get this in different ways. For instance, I could do a search for MySQL, see what's available. Something simple like the version number, here we go, auxiliary/scanner/mysql/mysql_version. Sorry, mouse is misbehaving a little bit there. There we go. I already have this information. I'm just proving the point that it actually does work as a standalone tool. My RHOSTS value is set. I can just run exploit. Good, it matches up, 5.0.51a.

I've got other things too. There's an excellent exploit for MySQL payload. There's lots of other things to think about here, generic queries. Try to do some arbitrary query on a system, trying to log in to the MySQL instance. If you can gather credentials for that, that would be a good find. I do have other options and set it for things like databases.

We know we also have a Postgres database on this system. I can do a search for Postgres. I want to gather some more information about that database. Should give me a bunch of things to consider. I've got some administrative modules here. I also have some scanners. I can start with something simple like the version. Even though I have this information, I'm just proving that you can get it in other ways. Back out of that. I want to use Postgres version. I already know what the password is, so I could set that here. I think I will, so set password postgres. Now I can run the exploit and see what it gives me. I get a really nice detailed bit of information about this particular database.

What else can I do? Let's see if I can do a hashdump. It will give me the hashes of passwords that I'm allowed to see with my privilege level. Let's see what that gets us. Show my options again. Always get in the habit of doing this so you don't leave something out. Again, I can see that I want to set my password. This is the danger of having default configurations with the system; it could be running for years like this without anybody knowing that this default password is a big vulnerability. Now I'm able to get the hash for the Postgres user.

What else can I get since I have credentials? Schemadump, that looks interesting. Let's see if that works. If I know what the schema looks like, now I can certainly have more opportunities for interacting with that database, changing it, or doing other things, which may be to the advantage of the pen tester. Again, I have to set my password. Everything else looks to be correct. I'll run the exploit and dig in this schema, but it looks like the database is just very simple, maybe one table or something very basic. If it was more complicated, then I would see more tables being shown, but at least you get some idea of what's possible here.