Saturday, July 24, 2010

MySQL Security Assessment Script in BT4

This is a short write-up on using the MySQL Security Assessment Script
by Carlos Perez.

You will, of course, need a MySQL database to target.
If you want a pre-made setup, get the Metasploitable package.

Open a shell and navigate to the /pentest/database/mysqlaudit/ directory.
Then just run the command with no options to see its usage.

-----------------------------CODE---------------------------------------

root@bt:/pentest/database/mysqlaudit# ./mysqlaudit.py

MySQL Security Assesment Script Version 1.0

By: Carlos Perez, carlos_perez[at]darkoperator.com
USAGE:
python ./mysqlaudit.py Targer IP User Password Report


Target : The system you whant to do the assement on, port 3306 should be open.
User : User account with DBA privelages on the server to use for the assesment.
Password : password for the user account.
Report : Name of text file to wich to write the report.

-----------------------------CODE--------------------------------------

Simple enough. The only thing you will need, of course, is the log-on credentials.
This time we will run the scan against our Metasploitable setup and see what happens.

-----------------------------CODE--------------------------------------

root@bt:/pentest/database/mysqlaudit# ./mysqlaudit.py 192.168.2.103 root root /tmp/msqlauditreport.txt
root@bt:/pentest/database/mysqlaudit#

-----------------------------CODE--------------------------------------

To see what the report shows, we can either open it with a text editor or cat the output back to the screen.
Since the report is quite long, I will only show a little of it here.

-----------------------------CODE--------------------------------------

root@bt:/pentest/database/mysqlaudit# cat /tmp/msqlauditreport.txt | less

Severity: High

Description:

MySQL authentication is based on usernames and passwords stored in a table
called mysql.user. To create a user, a row is added to this table. MySQL
also supports wildcards and blank values in the USERNAME and HOST fields of
the table. By indicating a blank username and a blank password, you allow
anonymous access to the MySQL database.

Solution:

To remove the anonymous user, run the following commands:
shell> mysql -u root [password]
mysql> DELETE FROM mysql.user WHERE User = '';

Anonymous user was found

User Connection Location
anonymous ---->localhost
anonymous ---->ubuntu804-base

-----------------------------CODE-------------------------------------

As you can tell, there is a high-severity flaw in our setup.
This tool lets the penetration tester target MySQL databases and determine some basics about the security of the system.
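
To re-check the anonymous-user finding without the tool, the sketch below parses saved `mysql -B` output of the mysql.user table and lists the accounts to fix. It is an added example, not part of mysqlaudit.py or the original post, and it goes slightly beyond the report excerpt by also flagging blank passwords and wildcard hosts. The sample rows, function names and placeholder hash are constructed for illustration.

```python
# Added example: audit saved output of
#   mysql -B -u root -p -e "SELECT User, Host, Password FROM mysql.user"
# Assumption: the hash column is named Password (MySQL 5.0/5.1 era servers).

# Constructed sample rows; the hash is a placeholder, not a real value.
SAMPLE = (
    "User\tHost\tPassword\n"
    "root\tlocalhost\t*PLACEHOLDER_HASH\n"
    "\tlocalhost\t\n"
    "\tubuntu804-base\t\n"
    "guest\t%\t\n"
)


def parse_user_table(text):
    """Turn tab-separated batch-mode output into dicts keyed by column name."""
    lines = [ln for ln in text.splitlines() if ln]  # keep rows that start with a tab
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def audit_accounts(rows):
    """Return (account, issue) pairs for weak rows in mysql.user."""
    findings = []
    for row in rows:
        account = "'%s'@'%s'" % (row["User"], row["Host"])
        if row["User"] == "":
            findings.append((account, "anonymous user"))
        if row.get("Password") == "":
            findings.append((account, "blank password"))
        if "%" in row["Host"]:
            findings.append((account, "wildcard host"))
    return findings


def remediation(rows):
    """DROP USER statements for anonymous accounts. DROP USER takes effect at
    once; a DELETE on mysql.user only applies after FLUSH PRIVILEGES."""
    return ["DROP USER ''@'%s';" % r["Host"].replace("'", "''")
            for r in rows if r["User"] == ""]


if __name__ == "__main__":
    rows = parse_user_table(SAMPLE)
    for account, issue in audit_accounts(rows):
        print("%-24s %s" % (account, issue))
    print("\n".join(remediation(rows)))
```
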

Have fun.

1 comment:

Anonymous said...

lololololololol whitehat !