Nmap - MySQL Enumeration

HackerSploit · Intermediate ·🔐 Cybersecurity ·5y ago

Key Takeaways

The video demonstrates how to perform MySQL enumeration with Nmap, including host discovery, service probing, and brute force attacks to enumerate user accounts and passwords.

Full Transcript

[Music] Hello everyone, welcome to this video. In this video we're going to be taking a look at MySQL enumeration. Now, for any of you who are not familiar with MySQL, MySQL is a relational database that runs on port 3306. Now, as mentioned in the previous video when we were talking about SMTP enumeration, it's not uncommon to see many of these services configured on different ports for various reasons, for security or it could be a simple misconfiguration, but by default you want to remember these port numbers, because many of these services as a best practice are configured to run on their respective port numbers. In the event of, or in the case of, MySQL, it's going to be port 3306.

All right, so when we talk about MySQL enumeration, there's tons of enumeration you can get, there's tons of info, there's tons of information you can enumerate from the target, and one of the most important ones is going to be the users. And again, based on whether or not you have actual credentials to the MySQL database, your experience will be slightly different, in that when you have credentials, or valid credentials, you'll be able to enumerate the tables and stuff like that. However, in this particular video we're going to go off the assumption that you don't have any credentials and you're trying to gather as much information as possible from the MySQL server.

Now, in this video we're going to be using and targeting the Metasploitable 2 virtual machine. The reason I'm doing that is because it actually has a MySQL database running on it, and again, it will actually provide us with a good example here. So the first thing we're going to do is I'm just going to list out the various Nmap scripts that are available to us regarding MySQL, so I'll just print that out and we'll say mysql. So we have a few scripts, as you can see. Each of them is slightly different and again will depend on whether or not you have credentials, but the most important ones of course are going to be mysql-info, mysql-enum, we'll also talk about the empty passwords, and we'll also take a look at mysql-brute, right, as I said we are going off the assumption that we don't have credentials. And of course we have a vulnerability, and you can search up the CVE regarding this particular vulnerability, and again as a best practice it is recommended that you always run this CVE by default, in the event that the target service, the target MySQL server, is vulnerable to this type of attack.

So let's get started with the first script, which is the mysql-info script. Now, the mysql-info script will just display, you know, basic information about the MySQL server. So for example we'll say mysql 3306, that's the port, script, and we'll say mysql-info, right, we say mysql-info 192.168.1.217, that is the IP for the Metasploitable 2 box, and I'm just going to hit enter, and there we are. You can see it gives us information regarding the MySQL server, so the protocol is 10, the version is 5.0.518. This can be very useful for performing vulnerability analysis. You have the capabilities listed right over here, so you can connect with the database, it supports authentication, supports transactions, etc. And one key thing, you can see we have the salt here, that's very useful when dealing with the passwords. One key thing we need to remember is that the Metasploitable 2 virtual machine actually has an instance of phpMyAdmin set up, so we can actually use that in conjunction with the database to actually make a connection.

But that being said, let's actually move on to the second script, which is going to be the mysql-enum script. All right, so I'll clear that out and we'll, you know, use the same command, and I'll just replace this and say mysql-enum and hit enter. And the enum script will pretty much try and enumerate user accounts, or valid accounts, on the MySQL server, and it does this by performing a brute force. Now, this is not an effective way of performing a brute force. That's primarily because we have a mysql-brute script that will allow us to, you know, configure and customize our environment and, you know, environment variables like the amount of threads we want to use, so on and so forth.

That being said, I want to show you a very cool script here that again is very, very useful, and that is the empty password script, sorry, it's called script, and it's called mysql-empty-password, and you can pretty much guess what this does. So, empty passwords: this script essentially checks to see whether the MySQL accounts that are currently on the system have a null password or do not have a password set at all. In that event we can get anonymous access. So I'll hit enter, and it looks like we need to specify this is empty password here, hit enter, and there we are. So you can see it tells us that the root account has an empty password, which means we can log into the MySQL database using a null password.

Now, given that this database is remote, in that it's not running on our current host operating system, we can log in. I don't know if this will be supported, so we can write mysql, user root, we say the password, or we can actually specify that later, we say the host, or the remote host, is 192.168.1.217, and we say the port is, or the password, sorry. We hit enter, it's gonna ask us for a password, we hit enter for null password. You can see it tells us we have an SSL connection error, so we might be able to actually log in via phpMyAdmin. So what I'll do here is I'll just open up my browser, my Firefox session here, and I'll just open up that now, the IP, or the web server, and I'll bring that up to the screen. There we are, so we have phpMyAdmin. So if I try and log in with the root and hit, you know, null password, that again tells us we don't have access, so I'm not sure we got an accurate result there.

But one other alternative that we have is to perform the brute force, right, so we can actually do that right now. So we'll use the mysql-brute script, so we say nmap, port 3306, and we can then say script is going to be mysql-brute, and we need to specify some script arguments, so I'll say script args and I'll say mysql-brute.threads. Let's increase the amount of threads we want to use and we'll set this to 100. By the way, we can also set our timing template to something like T4 just to keep it nice and speedy, because this will take time depending on the amount of users it will have to go through in the default user list. So then I specify the target, so 192.168.1.217, and we can actually monitor this with Wireshark just to see the credentials that are being sent. So I'll hit enter and we'll say sudo wireshark, right, because I actually need, you know, administrative privileges, so just hit enter and we'll start capturing the traffic now.

And yeah, we have tons of, you can see, the MySQL protocol here. So it looks like we get a response error, so it tells us access denied for the user web. So yeah, we can actually see all the attempts here, the brute force attempts that are being sent. So we see access denied for the user test, access denied for the user, looks like this one, that's just the banner. Yeah, so again we can just continue the scan, and if we check the progress, this is going to take a while, based, as I said, on the amount of users and whether or not those users will be on the system, and of course the credentials that we'll actually get for those particular users. So we'll just go back to Wireshark and let's see the responses we're getting. So we see we have the user sysadmin, we keep getting responses, invalid responses or connection here. Let's see, anyway, what I'm gonna do, so there we are, we have another access denied for the user net admin. So what I'm going to do is I'm just going to let this brute force complete and I'll get back to you when it's done, when we have some results.

All right, so the brute force is complete and you can see we have some very, very interesting information. And number one, you can see we actually get the various accounts and the account names and their passwords. In this case you can see we have both null passwords, which means we can probably log in without entering a password, and, you know, for both of these user accounts and their relevant credentials you can see we actually get the notice telling us that these are valid credentials. Now, it seems that there's an issue when I try and log in remotely using the mysql client, in that there is an SSL connection error or something wrong with the certificate. That's probably because this box is like, I don't know, 10 years old or something. So we can probably try and log in via phpMyAdmin. So we'll try root again and no password at all, and that tells us again access denied, which is pretty weird. I think we can probably change the password. So let's try guest with no password, because that was a valid credential, and there we are, we have access now.

So what we can do is let's try and see what we can do now that we have access here. So you can see that we've got to privileges here. All right, so as the guest user we have all privileges. All right, so again, this is primarily because the Metasploitable 2 box is designed to be intentionally vulnerable. But what we can do for the root user, or given the fact that we have all privileges, we can probably use this, but you can see that we don't need to provide a password here. But for the root user let's actually change that, so you can see we have all permissions, and for the password we can say something like, I don't know, password one two three and password one two three, you know, just something really simple so that we can actually test this stuff out. So I'll try and log in, we say password one two three, try and log in, and there we are, we can now access using the root user, and we can use phpMyAdmin to actually modify or play around with the database tables.

So for example we have the metasploit database here, we have the mysql database [Music], which is just a standard MySQL database, we have tiki wiki, so again we can pretty much go through all the various databases that are currently on the system. And as you can see, the brute force essentially gave us information regarding the accounts that were on the system, and then again, given the fact that this box had no password at all, it was fairly simple to come to the conclusion that we can probably log in with one of those accounts, and then again I was able to change the password for the root user and log in appropriately. That being said, if I go into the mysql database and I click on user here, yeah, so it looks like the user gets a hashed password when we set it, and what is the current hash being used, so it's probably MD5, or it has a password value here, or a password function. I'm not really sure what, which version this is, I probably need to perform some research on that.

That being said, that's all I wanted to cover in regards to MySQL enumeration. There's a ton of information you can gather, and it'll all depend on, you know, the credentials you have and whether or not you're starting off with or without credentials. In my case I was able to perform a certain level of exploitation, again given the results I was able to get, and, you know, you can actually see how important performing MySQL enumeration is. That being said, that's going to be it for this video and I'll be seeing you in the next video. [Music]

Original Description

In this video, I demonstrate how to perform MySQL enumeration with Nmap. Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.

This video teaches how to use Nmap to perform MySQL enumeration, including host discovery, service probing, and brute force attacks to enumerate user accounts and passwords. It also covers how to use Wireshark to capture and analyze network traffic.

Key Takeaways
  1. Run the mysql-info script to display basic information about the MySQL server
  2. Use the mysql-enum script to try to enumerate user accounts on the MySQL server by performing a brute force attack
  3. Specify script arguments to customize the brute force attack
  4. Monitor traffic with Wireshark to capture the credentials sent during the brute force attack
  5. Use phpMyAdmin to attempt a login with an empty password
  6. Log in to the MySQL database using valid credentials and change the root password
💡 Nmap can be used to perform MySQL enumeration, including host discovery, service probing, and brute force attacks to enumerate user accounts and passwords, and Wireshark can be used to capture and analyze network traffic.
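
On the server side, the brute force run in the video appears as a burst of "Access denied for user" messages from one client across many account names. The following is an added example, not code from the video: a Python sketch that flags that pattern, and any passwordless login attempts, in error-log lines. The log lines are constructed, the function names and thresholds are assumptions, and it assumes the server is configured to log failed connections.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on the MySQL server's "Access denied"
# error-log message; addresses and timestamps are made up for the example.
SAMPLE_LOG = """\
2024-05-01T10:00:00.500000Z 0 [Note] mysqld: ready for connections.
2024-05-01T10:00:01.120000Z 14 [Note] Access denied for user 'web'@'192.168.1.50' (using password: YES)
2024-05-01T10:00:01.480000Z 15 [Note] Access denied for user 'test'@'192.168.1.50' (using password: YES)
2024-05-01T10:00:02.030000Z 16 [Note] Access denied for user 'sysadmin'@'192.168.1.50' (using password: YES)
2024-05-01T10:00:03.210000Z 17 [Note] Access denied for user 'netadmin'@'192.168.1.50' (using password: YES)
2024-05-01T10:00:03.770000Z 18 [Note] Access denied for user 'admin'@'192.168.1.50' (using password: NO)
2024-05-01T10:00:04.350000Z 19 [Note] Access denied for user 'web'@'192.168.1.50' (using password: YES)
2024-05-01T10:07:30.000000Z 20 [Note] Access denied for user 'app'@'192.168.1.20' (using password: YES)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s+\d+\s+\[\w+\]\s+"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)' "
    r"\(using password: (?P<pw>YES|NO)\)"
)

def parse(log_text):
    """Return (timestamp, client host, user, password_supplied) per failed login."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # unrelated log lines are skipped
            events.append((datetime.fromisoformat(m["ts"]), m["host"],
                           m["user"], m["pw"] == "YES"))
    return events

def detect_bruteforce(events, window=timedelta(seconds=60),
                      min_failures=5, min_users=3):
    """Flag clients with many failures over several account names in one window."""
    by_host = defaultdict(list)
    for ts, host, user, _ in sorted(events):
        by_host[host].append((ts, user))
    alerts = {}
    for host, items in by_host.items():
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            span = items[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= min_failures and len(users) >= min_users:
                if host not in alerts or len(span) > alerts[host]["failures"]:
                    alerts[host] = {"failures": len(span), "users": users}
    return alerts

def passwordless_attempts(events):
    """Failed logins sent with no password: the trace an empty-password check leaves."""
    return sorted({(host, user) for _, host, user, used_pw in events if not used_pw})

if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print(detect_bruteforce(evts))
    print(passwordless_attempts(evts))
```

Successful logins to accounts that really do have an empty password, such as the root and guest accounts in the video, do not produce an "Access denied" line, so pair this with an audit of the server's accounts for empty passwords.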
