Let’s go Phishing

Phishing is an attempt to steal sensitive information by impersonating a well-known
organization or website. In the same way, a user can be tricked into handing over MySQL credentials.
Metasploit can do exactly this: mimic known services and capture the credentials users present to them. Among its
various capture modules there is one called mysql.
 

This module provides a fake MySQL service that is designed to capture MySQL server authentication credentials. It captures challenge and response pairs that can be supplied to Cain or John the Ripper for cracking.
 

Configuration & Testing
 

To select the capture module type:

use auxiliary/server/capture/mysql

This module offers some interesting options. You can set the CAINPWFILE option to store captured
hashes in Cain & Abel format, or JOHNPWFILE to store them in John the Ripper format. Leave the
SRVHOST option at its default, 0.0.0.0, to listen on all local interfaces.
 

You can also set the SRVVERSION option, which is the version of the MySQL server that will be reported
to clients in the greeting response. If this value does not match the real MySQL server's version on the network, the fake service is easy to spot.
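The version string set with SRVVERSION is the first thing a client sees, in the protocol-10 greeting packet, together with the 20-byte authentication challenge. The parser below decodes that greeting into the fields a defender would compare against inventory. It is an added example, not code from the original post or from Metasploit; build_greeting() constructs a test packet, and the version string, connection id and challenge bytes in it are made up.

```python
"""Parse a MySQL protocol-10 initial handshake (the greeting) into the
fields a defender cares about: advertised version, auth plugin, challenge.

Added example, not from the original post or from Metasploit. Packets are
constructed with build_greeting(); all values in them are made up.
"""
import struct

CLIENT_SECURE_CONNECTION = 1 << 15   # server sends the 2nd part of the challenge
CLIENT_PLUGIN_AUTH = 1 << 19         # server names its auth plugin


def build_greeting(version: bytes, conn_id: int, challenge: bytes,
                   plugin: bytes = b"mysql_native_password") -> bytes:
    """Construct a greeting packet (4-byte header + payload) for testing."""
    if len(challenge) != 20:
        raise ValueError("mysql_native_password challenge is 20 bytes")
    caps = 0x000FF7FF | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
    payload = (
        b"\x0a"                                  # protocol version 10
        + version + b"\x00"                      # server version, NUL-terminated
        + struct.pack("<I", conn_id)             # connection id
        + challenge[:8] + b"\x00"                # auth-plugin-data-part-1 + filler
        + struct.pack("<H", caps & 0xFFFF)       # capability flags, lower half
        + b"\x21"                                # charset: utf8_general_ci
        + struct.pack("<H", 0x0002)              # status: SERVER_STATUS_AUTOCOMMIT
        + struct.pack("<H", caps >> 16)          # capability flags, upper half
        + bytes([len(challenge) + 1])            # auth-plugin-data length (21)
        + b"\x00" * 10                           # reserved
        + challenge[8:] + b"\x00"                # auth-plugin-data-part-2 + NUL
        + plugin + b"\x00"                       # auth plugin name
    )
    # header: 3-byte little-endian payload length, then 1-byte sequence id 0
    return struct.pack("<I", len(payload))[:3] + b"\x00" + payload


def parse_greeting(packet: bytes) -> dict:
    """Decode a greeting packet; raises ValueError on anything malformed."""
    if len(packet) < 4:
        raise ValueError("short packet header")
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    if payload[0] != 10:
        raise ValueError(f"unsupported protocol version {payload[0]}")
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode("ascii")
    pos = end + 1
    conn_id, = struct.unpack_from("<I", payload, pos)
    pos += 4
    challenge = payload[pos:pos + 8]              # first 8 challenge bytes
    pos += 8 + 1                                  # part-1 and the filler byte
    cap_lo, = struct.unpack_from("<H", payload, pos)
    pos += 2
    charset = payload[pos]
    pos += 1
    status, = struct.unpack_from("<H", payload, pos)
    pos += 2
    cap_hi, = struct.unpack_from("<H", payload, pos)
    pos += 2
    caps = (cap_hi << 16) | cap_lo
    auth_len = payload[pos]
    pos += 1 + 10                                 # length byte and reserved area
    if caps & CLIENT_SECURE_CONNECTION:
        part2_len = max(13, auth_len - 8)         # 12 challenge bytes + NUL
        challenge += payload[pos:pos + part2_len - 1]
        pos += part2_len
    plugin = None
    if caps & CLIENT_PLUGIN_AUTH:
        plugin = payload[pos:payload.index(b"\x00", pos)].decode("ascii")
    return {"version": version, "conn_id": conn_id, "charset": charset,
            "status": status, "capabilities": caps,
            "challenge": challenge, "auth_plugin": plugin}


def flag_version_drift(observed: dict, inventory: dict) -> list:
    """observed: host -> raw greeting packet; inventory: host -> expected
    version string. Returns (host, advertised version) for every host whose
    greeting does not agree with the inventory."""
    drift = []
    for host, packet in observed.items():
        version = parse_greeting(packet)["version"]
        if inventory.get(host) != version:
            drift.append((host, version))
    return drift


if __name__ == "__main__":
    pkt = build_greeting(b"5.5.28-log", 42, bytes(range(0x21, 0x21 + 20)))
    print(parse_greeting(pkt))
```

A greeting recorded from the wire (the first packet the server sends after the TCP handshake) can be fed straight into parse_greeting(); comparing the advertised version, auth plugin and source address against what the inventory says for that host is the check that a mismatching SRVVERSION fails.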
 

You can also configure the module to use SSL!
 

Run the module, then connect to the capturing MySQL server from another computer on the network
to see it in action.
 

Connect to mysql server
 

To connect to a mysql server open a terminal and type:

mysql -h ip_address -u root -p

Enter any password, for now, at mysql's prompt and watch what happens in Metasploit!

Metasploit has captured the hash and stored it in Cain & Abel and John formats in the files
I chose, /tmp/john and /tmp/cain.
 

Formats
 

Cain format
root NULL 94e243cab3181cvef73852s3011651369196a928 112263447569708899agbbfcddneff2113434455 SHA1

John format
root:$mysqlna$1112263447569708899agbbfcddneff2113434455*94e243cab3181cvef73852s3011651369196a928
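Both lines carry the same two values, the server's challenge and the client's response, so a reader of either file can reproduce the mysql_native_password arithmetic and check a candidate password against the pair offline; that is what makes the capture worth storing. The example below parses both formats and shows that arithmetic alongside the server-side check. It is an added example, not code from the original post or from Metasploit; the challenge, password and sample lines are constructed, and the Cain field order (response before challenge) is inferred from the two samples above.

```python
"""Parse the John ($mysqlna$) and Cain capture lines and show the
mysql_native_password arithmetic behind them.

Added example, not from the original post or from Metasploit. Challenge,
password and sample lines are constructed. Cain field order (response before
challenge) is inferred from the page's two samples.
"""
import hashlib
import re
from dataclasses import dataclass

JOHN_RE = re.compile(
    r"^(?P<user>[^:]+):\$mysqlna\$(?P<challenge>[0-9a-fA-F]+)\*(?P<response>[0-9a-fA-F]+)$")


@dataclass
class Capture:
    user: str
    challenge: bytes    # 20-byte challenge the server sent in its greeting
    response: bytes     # 20-byte scrambled value the client answered with


def parse_john(line: str) -> Capture:
    m = JOHN_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a $mysqlna$ line: {line!r}")
    return Capture(m["user"], bytes.fromhex(m["challenge"]), bytes.fromhex(m["response"]))


def parse_cain(line: str) -> Capture:
    # user NULL <response hex> <challenge hex> SHA1, whitespace separated
    fields = line.split()
    if len(fields) != 5 or fields[1] != "NULL" or fields[4] != "SHA1":
        raise ValueError(f"not a Cain MySQL line: {line!r}")
    return Capture(fields[0], bytes.fromhex(fields[3]), bytes.fromhex(fields[2]))


def to_john_line(cap: Capture) -> str:
    return f"{cap.user}:$mysqlna${cap.challenge.hex()}*{cap.response.hex()}"


def to_cain_line(cap: Capture) -> str:
    return f"{cap.user} NULL {cap.response.hex()} {cap.challenge.hex()} SHA1"


def scramble(password: str, challenge: bytes) -> bytes:
    """Client side: SHA1(pw) XOR SHA1(challenge || SHA1(SHA1(pw)))."""
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    stage2 = hashlib.sha1(stage1).digest()           # what the server stores
    mask = hashlib.sha1(challenge + stage2).digest()
    return bytes(a ^ b for a, b in zip(stage1, mask))


def mysql_password_hash(password: str) -> str:
    """The stored form, as MySQL's PASSWORD() prints it: '*' + hex(SHA1(SHA1(pw)))."""
    stage2 = hashlib.sha1(hashlib.sha1(password.encode("utf-8")).digest()).digest()
    return "*" + stage2.hex().upper()


def server_verify(stored_stage2: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: unmask the response and check it hashes to the stored value."""
    mask = hashlib.sha1(challenge + stored_stage2).digest()
    stage1 = bytes(a ^ b for a, b in zip(response, mask))
    return hashlib.sha1(stage1).digest() == stored_stage2


def candidate_matches(cap: Capture, password: str) -> bool:
    """Whoever holds the pair can test a guess without talking to any server."""
    return scramble(password, cap.challenge) == cap.response


# Constructed demo values (not from any real capture).
DEMO_CHALLENGE = bytes(range(0x21, 0x21 + 20))
DEMO_PASSWORD = "constructed-example"
DEMO_RESPONSE = scramble(DEMO_PASSWORD, DEMO_CHALLENGE)
DEMO_JOHN = f"root:$mysqlna${DEMO_CHALLENGE.hex()}*{DEMO_RESPONSE.hex()}"
DEMO_CAIN = f"root NULL {DEMO_RESPONSE.hex()} {DEMO_CHALLENGE.hex()} SHA1"

if __name__ == "__main__":
    cap = parse_john(DEMO_JOHN)
    print(cap, candidate_matches(cap, DEMO_PASSWORD), sep="\n")
```

The two verification functions make the risk concrete: the real server needs only the double hash it stores, but a fake server that saw both the challenge and the response can check guesses at its leisure. Because the module can serve SSL itself, a client that merely turns on TLS is still caught; what removes the fake server's opportunity is the client verifying the server's identity, for example the mysql client's --ssl-mode=VERIFY_IDENTITY on 5.7 and later.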
 

Published in Hakin9 magazine on October 25, 2012
