Add Proxies support to creating a session with mysql_login #18854

Merged
merged 1 commit into from Feb 19, 2024

sjanusz-r7
Contributor

This PR adds in proxy support for getting a mysql session using mysql_login.

Before

msf6 auxiliary(scanner/mysql/mysql_login) > run proxies=socks5:192.168.112.1:1080 rhost=172.17.0.2 rport=3306 stop_on_success=true CreateSession=true username=root password=password verbose=true

[+] 172.17.0.2:3306       - 172.17.0.2:3306 - Found remote MySQL version 8.3.0
[-] 172.17.0.2:3306       - 172.17.0.2:3306 - LOGIN FAILED: root:password (Unable to Connect: connection timeout)
[-] 172.17.0.2:3306       - 172.17.0.2:3306 - LOGIN FAILED: root: (Unable to Connect: connection timeout)
[*] 172.17.0.2:3306       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

After

msf6 auxiliary(scanner/mysql/mysql_login) > run proxies=socks5:192.168.112.1:1080 rhost=172.17.0.2 rport=3306 stop_on_success=true CreateSession=true username=root password=password verbose=true

[+] 172.17.0.2:3306       - 172.17.0.2:3306 - Found remote MySQL version 8.3.0
[+] 172.17.0.2:3306       - 172.17.0.2:3306 - Success: 'root:password'
[*] MySQL session 1 opened (192.168.112.1:54174 -> 192.168.112.1:1080) at 2024-02-17 03:10:05 +0000
[*] 172.17.0.2:3306       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i -1
[*] Starting interaction with 1...

MySQL @ 192.168.112.1:1080 () > query 'select version()'
[*] Sending statement: 'select version()'...
Query Result
============

    #  version()
    -  ---------
    0  8.3.0

Wireshark

image

The above screenshot shows the initial session setup using the proxy. No internal Docker IP is ever exposed as the host has no access to the Ubuntu VM Docker IP range.

image

The above Wireshark capture shows the result of running query 'select version()' on the session.

Verification

You might want to ensure that on your host, you have no Docker containers running so that false positives with the same IP on the host and VM are avoided.

  • Start msfconsole on your host
  • Have Docker installed on your Ubuntu VM
  • Set up a MySQL container
  • Get a meterpreter x64 session on your Ubuntu VM
  • In the Framework Console, do route add to add the internal Docker IP from Ubuntu to the routing table (you may be able to call route add 172.17.0.1/24 -1)
  • Set up a socks proxy on the first instance using use socks_proxy
  • Run a second framework instance on your host
  • use mysql_login
  • Pass in the proxies= option pointing to your IP and port used by the socks_proxy
  • run proxies=socks5:your_ip:1080 rhost=ubuntu_vm_internal_docker_ip rport=3306 stop_on_success=true CreateSession=true username=root password=whatever_password_you_picked verbose=true

@cgranleese-r7 cgranleese-r7 self-assigned this Feb 19, 2024
@cgranleese-r7 cgranleese-r7 added the rn-enhancement release notes enhancement label Feb 19, 2024
@cgranleese-r7
Contributor

Before

image

After

image

@cgranleese-r7 cgranleese-r7 left a comment

Looks good to me 👍

@cgranleese-r7 cgranleese-r7 merged commit c2a217e into rapid7:master Feb 19, 2024
35 checks passed
@cgranleese-r7
Contributor

cgranleese-r7 commented Feb 19, 2024

Release Notes

This PR adds proxy support for getting a MySQL session via the mysql_login module.
