
MySQL Pentesting Notes

Protocol Overview

Basic Information

  • Port: TCP 3306

  • Protocol Type: SQL Relational Database Management System

  • Purpose: Efficient storage and retrieval of structured data

  • Security: Varies based on configuration and version

MySQL Databases

  • Commonly used in web applications with LAMP/LEMP stacks

  • Stores a wide range of data, including sensitive information like passwords

Enumeration and Access

Port Scanning

# Basic port scan
nmap -p3306 -sV <target>

# Aggressive scan with default scripts (-A already implies -sV and -sC; they are kept here for clarity)
nmap -p3306 -sV -sC -A <target>

# All MySQL scripts
nmap -p3306 --script mysql-* <target>

Version Detection

# Using the mysql client (without -p an empty password is sent; on success the server version appears in the welcome banner)
mysql -u root -h <target>

# Using Nmap
nmap -p3306 --script mysql-version <target>

Authentication Attempts

# No password
mysql -u root -h <target>

# Known credentials
mysql -u root -pPassword123 -h <target>

# Brute force
hydra -L users.txt -P passwords.txt mysql://<target>

Fingerprinting

# Querying version and system information
mysql -u root -pPassword123 -e "SELECT VERSION(), USER();" -h <target>

# Enumerating databases
mysql -u root -pPassword123 -e "SHOW DATABASES;" -h <target>

# Listing tables in a database
mysql -u root -pPassword123 -e "USE information_schema; SHOW TABLES;" -h <target>

Common Vulnerabilities

  1. Weak Authentication:

    • Default/guessable credentials

    • No password required for root user

    • Insecure password storage

  2. Misconfiguration:

    • Listening on external interfaces

    • Excessive privileges granted

    • Unintended data exposure

  3. Version-specific:

    • CVE-2016-6663 (MySQL < 5.7.12)

    • CVE-2012-2122 (MySQL < 5.1.63)

    • CVE-2015-0548 (MySQL < 5.5.45)

Post-Exploitation

Data Extraction

  • Dump database contents

  • Retrieve sensitive information

  • Identify high-value data

Privilege Escalation

  • Exploit weak permissions

  • Abuse excessive privileges

  • Pivot to other systems

Persistence

  • Create backdoor accounts

  • Install malicious UDFs

  • Modify startup scripts

Mitigation Recommendations

  1. Secure Configuration:

    • Use strong, unique passwords

    • Restrict MySQL access to trusted hosts

    • Implement the principle of least privilege

    • Keep MySQL software up-to-date

  2. Monitoring and Logging:

    • Enable MySQL's built-in audit logging

    • Monitor for suspicious activity

    • Review logs regularly

  3. Network Segmentation:

    • Isolate MySQL servers from the internet

    • Use bastion hosts for remote administration

    • Implement firewall rules to limit access

  4. Data Protection:

    • Encrypt sensitive data at rest and in transit

    • Implement backup and recovery strategies

    • Regularly test incident response and disaster recovery plans

  5. Staff Training:

    • Educate developers on secure coding practices

    • Train administrators on best practices for MySQL security

    • Promote a security-conscious culture within the organization
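As an added example (not part of the original notes), a small offline Python audit that turns the weak-authentication and misconfiguration items from Common Vulnerabilities and the access-restriction, least-privilege and transport-encryption recommendations above into concrete checks: it runs over rows shaped like `SELECT user, host, authentication_string, Super_priv, File_priv FROM mysql.user` and a dict shaped like `SHOW VARIABLES` output. The account rows, hash placeholders, variable values and severity labels are all constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Account:  # one mysql.user row (constructed sample, not live data)
    user: str
    host: str
    auth: str         # authentication_string; '' means no password is set
    super_priv: str   # 'Y' or 'N'
    file_priv: str    # 'Y' or 'N'; FILE allows reading/writing server files (the usual UDF drop vector)

def audit_accounts(accounts):
    """Return (severity, message) findings for weak authentication and excessive privileges."""
    findings = []
    for a in accounts:
        if a.user == "":
            findings.append(("high", f"anonymous account reachable from '{a.host}'"))
        if a.auth == "":
            findings.append(("critical", f"'{a.user}'@'{a.host}' has no password"))
        if a.user == "root" and a.host not in ("localhost", "127.0.0.1", "::1"):
            findings.append(("high", f"root login permitted from '{a.host}'"))
        if a.user != "root":
            if a.host == "%":
                findings.append(("medium", f"'{a.user}' accepts connections from any host"))
            if a.file_priv == "Y":
                findings.append(("high", f"'{a.user}' holds FILE privilege"))
            if a.super_priv == "Y":
                findings.append(("high", f"'{a.user}' holds SUPER privilege"))
    return findings

def audit_settings(variables):
    """Flag SHOW VARIABLES values that widen network or filesystem exposure."""
    findings = []
    if variables.get("bind_address", "*") in ("*", "0.0.0.0", "::"):
        findings.append(("high", "bind_address listens on all interfaces"))
    if variables.get("local_infile", "OFF") == "ON":
        findings.append(("medium", "local_infile is ON"))
    if variables.get("secure_file_priv", "") == "":  # '' = unrestricted; 'NULL' = export/import disabled
        findings.append(("high", "secure_file_priv is empty: INTO OUTFILE may write anywhere"))
    if variables.get("require_secure_transport", "OFF") != "ON":
        findings.append(("medium", "require_secure_transport is OFF: cleartext logins allowed"))
    return findings

# Constructed sample data resembling a poorly configured server
SAMPLE_ACCOUNTS = [
    Account("root", "localhost", "*CAFE...HASH", "Y", "Y"),   # acceptable: local root with a password
    Account("root", "%", "", "Y", "Y"),                      # remote root with no password
    Account("", "localhost", "", "N", "N"),                  # anonymous account
    Account("webapp", "%", "*CAFE...HASH", "N", "Y"),         # wildcard host plus FILE privilege
]
SAMPLE_VARIABLES = {"bind_address": "0.0.0.0", "local_infile": "ON", "secure_file_priv": "", "require_secure_transport": "OFF"}
```

Calling `audit_accounts(SAMPLE_ACCOUNTS)` and `audit_settings(SAMPLE_VARIABLES)` returns six account findings and four server-setting findings for this sample; a hardened configuration (root bound to localhost, no anonymous or passwordless rows, `bind_address` set to a trusted interface, `secure_file_priv` set, `require_secure_transport` ON) returns none.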

Best Practices for Pentesting

  1. Initial Reconnaissance:

    • Identify MySQL version and configuration

    • Test default/common credentials

    • Map accessible databases and tables

    • Check for publicly accessible MySQL instances

  2. Enumeration and Discovery:

    • Gather system information (OS, software versions)

    • Enumerate users, roles, and privileges

    • Identify sensitive data stored in databases

    • Look for exposed backup files or configuration details

  3. Exploitation and Post-Exploitation:

    • Attempt SQL injection attacks

    • Abuse excessive permissions and privileges

    • Dump database contents for further analysis

    • Establish persistence through backdoors or malicious functions

  4. Documentation and Reporting:

    • Record all findings, vulnerabilities, and exploitation details

    • Categorize issues by severity and provide recommendations

    • Include evidence such as SQL statements, screenshots, and exported data

    • Suggest remediation steps to improve MySQL security posture

  5. Ethical Considerations:

    • Obtain explicit permission before testing

    • Avoid disrupting production systems whenever possible

    • Limit the scope of testing to authorized targets and activities

    • Respect data privacy and comply with relevant regulations
