Hack Like a Pro: Linux Basics for the Aspiring Hacker, Part 15 (Creating a Secure Tunnel to MySQL)

Welcome back, my budding hackers!

In my continuing effort to build your basic Linux skills for hacking, I want to show you how to build a secure "tunnel" to MySQL.

Of course, the techniques I use here could be used for any application, but since MySQL is such a critical app on most Linux installations, and since unencrypted sessions to your MySQL database server could easily be sniffed and confidential information exposed, we'll use our database server as our example in this tutorial.

This is not to say that an encrypted tunnel is foolproof against being hacked. As with anything, it can be hacked, but the tunnel makes it many times more difficult. If we leave the data unencrypted, any script kiddie with a sniffer can see and grab our traffic to our database.

We'll be using SSH, or Secure Shell, to encrypt our traffic. Every Linux distribution has an SSH server and client built in, unlike Windows, where you will need to download one of many SSH clients such as PuTTY. Our BackTrack has BSD OpenSSH built in, so we don't need to download and install anything to build a secure connection between our client and server.

Like so many other applications in Linux, SSH operates on a server/client architecture. To successfully connect, you must have both the server and the client running.

Step 1: Open BackTrack & Start MySQL

MySQL has the capability of using SSH, but you must configure and compile it to do so. Since the default configuration of MySQL, such as ours on BackTrack, does not have SSH built in, we work around this by using the SSH built into the operating system and then connecting to MySQL through it. This creates an encrypted "tunnel" to our database, so that hackers can't view our transmissions back and forth to the database.

In our example here, we'll be connecting between two BackTrack installations. I have shown you how to start MySQL from the GUI in the previous Linux basics guide, but in many distributions of Linux you won't have that luxury, so let's start MySQL from the command line.

  • bt > mysqld_safe &

Now, let's make certain that it started by checking our processes and "grepping" for mysql.

  • bt > ps aux | grep mysql

Step 2: Generate Keys

In order for SSH to create its encrypted tunnel, it must first generate a key pair: a private key and a public key. These two keys will be used to encrypt and then decrypt the traffic over the tunnel. We can do this by typing:

  • bt > sshd-generate

As we can see, SSH has generated a key pair from which it will now be able to generate our secure tunnel. I have created a user named "nullbyte" on this server that we will use to connect to this machine.

Step 3: Start SSH

From the client machine, we can now connect to that SSH server by typing:

  • ssh -L3316:127.0.0.1:3306 nullbyte@192.168.1.112

Here's a breakdown of what's in the command above.

  • ssh is the client command
  • -L3316 listens on port 3316
  • 127.0.0.1 is the location of the SSH client daemon on the client machine
  • 3306 is the default MySQL port that we want the tunnel to reach on the server machine
  • nullbyte is a user on the operating system on the server
  • 192.168.1.112 is the IP address of the MySQL server

When we execute this command, we get a connection to the remote machine on nullbyte's account as shown below.

What we have done here is to connect to the SSH client daemon on our client system, which then connects via port 3316 to the SSH server, which then connects to port 3306 to reach MySQL.
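To make the -L specification concrete, here is an added example (not code from the original tutorial). It parses an OpenSSH `-L [bind_address:]port:host:hostport` value and runs a small loopback TCP relay that does what the ssh client does for the first hop: accept connections on the listening port and copy bytes to the destination. The relay is plaintext and stays entirely on 127.0.0.1 for demonstration; in the real tunnel the leg between the ssh client and sshd is the encrypted part, and sshd makes the final hop to `host:hostport` from the server's side, so `127.0.0.1:3306` names the mysqld listening on the server's own loopback. The echo server standing in for mysqld, the 127.0.0.1 default bind address, and the `SHOW DATABASES;` payload are constructed assumptions of the example. Once such a tunnel is up, a MySQL client on the client machine sends its traffic through it by targeting the local end, `mysql -h 127.0.0.1 -P 3316 -u test4 -p` (not a command from the page; a `mysql -u test4 -p` typed inside the interactive SSH session runs on the server itself and does not use the forwarded port).

```python
import socket
import threading


def parse_forward_spec(spec):
    """Parse an OpenSSH -L value, [bind_address:]port:host:hostport, into a tuple.

    The 127.0.0.1 default for bind_address is this example's assumption (IPv4 only).
    """
    parts = spec.split(":")
    if len(parts) == 3:
        parts.insert(0, "127.0.0.1")
    if len(parts) != 4 or not parts[2]:
        raise ValueError("expected [bind_address:]port:host:hostport, got %r" % spec)
    bind_address, listen_port, host, hostport = parts
    listen_port, hostport = int(listen_port), int(hostport)
    if not (0 <= listen_port <= 65535 and 0 <= hostport <= 65535):
        raise ValueError("port out of range in %r" % spec)
    return bind_address, listen_port, host, hostport


def rejects(spec):
    """True when parse_forward_spec refuses the spec (malformed-input check)."""
    try:
        parse_forward_spec(spec)
        return False
    except ValueError:
        return True


def _pump(src, dst):
    """Copy bytes src -> dst until src closes, then close dst's write side."""
    try:
        for chunk in iter(lambda: src.recv(4096), b""):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalForwarder:
    """Listen on bind_address:listen_port; relay each accepted connection to host:hostport."""

    def __init__(self, spec):
        self.bind_address, self.listen_port, self.host, self.hostport = parse_forward_spec(spec)
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._listener.bind((self.bind_address, self.listen_port))
        self._listener.listen(5)
        self.listen_port = self._listener.getsockname()[1]  # real port when 0 was requested
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self._listener.accept()
            except OSError:
                return  # listener was closed
            try:
                upstream = socket.create_connection((self.host, self.hostport))
            except OSError:
                client.close()  # destination unreachable: drop only this connection
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self):
        self._listener.close()


def echo_server():
    """Constructed stand-in for mysqld: serves one connection, echoing bytes back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            for data in iter(lambda: conn.recv(4096), b""):
                conn.sendall(data)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo(payload=b"SHOW DATABASES;\n"):
    """Push payload through the relay to the fake server and return what comes back."""
    fwd = LocalForwarder("0:127.0.0.1:%d" % echo_server())  # 0 = any free local port
    try:
        with socket.create_connection(("127.0.0.1", fwd.listen_port)) as s:
            s.sendall(payload)
            s.shutdown(socket.SHUT_WR)  # done sending; now drain the echoed reply
            return b"".join(iter(lambda: s.recv(4096), b""))
    finally:
        fwd.close()
```

Calling `demo()` stands up the fake server, builds a forwarder from a spec of the same shape as the tutorial's `3316:127.0.0.1:3306` (with port 0 so the OS picks a free local port), and returns the bytes that travelled client, relay, server and back. Binding the listener to 127.0.0.1 rather than 0.0.0.0 matters in the real tunnel for the same reason it does here: anything else on the network could otherwise connect to the local end and ride the tunnel to the database.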

Step 4: Connect to MySQL Securely

Now that we are securely connected to the server that holds the MySQL database, we can log in to the database over this tunnel. I have a MySQL user named "test4" (not the OS user—we connected via an OS user and we connect to MySQL via a MySQL user) on that database. Let's log in to that user's account.

  • mysql -u test4 -p

As you can see above, we have successfully connected to MySQL over this tunnel! All of the traffic between us and the remote database server is encrypted.

To make certain that we connected to the remote server and not our local database, I created a database on the remote server named "nullbyte".

Let's issue the "show databases;" command from the MySQL prompt.

As you can see, we have connected to the remote database server as it has the "nullbyte" database.

I'm hoping that you are finding these Linux fundamentals tutorials useful as they help to build your knowledge base that is useful for all of your hacking activities. For instance, in the near future, I'll show you how to hack this encrypted tunnel, so keep coming back, my tenderfoot hackers!

60 Comments

So, another painful question from me: would it be possible to (theoretically, of course)

  1. Retrieve the DB connection string using sqlmap
  2. Use SSH (or SOCKS, I suppose, depending on the configuration) to make a persisting back door connection to a DB that wouldn't be detected by an IDS?

Woahh... Your questions are mind-blowing. I would like to get to that level of knowledge one day. Well done.

Wow.

Master OTW, I had some very stupid questions

  1. Linux is a computer brand, right...?

And is it possible to do all that "Linux basics" on my Windows?
I'm pretty confused right now :\

  1. I use BackTrack when not in a "virtual machine". Have you made a video about how you open BackTrack in a "virtual machine"? I can't do it

Sebastian:

Yes, you are a bit confused.

Linux is not a computer brand but an operating system. You cannot do Linux basics in Windows. You do them in Linux.

As for opening Backtrack, did you burn it to a disk and have VMWare on your Windows?

OTW

Master OTW
So I can't do the Linux things on my Windows... only on my BackTrack?
And I got my BackTrack 5 R3 on a USB, not a disk. I just open BackTrack in the BIOS menu when the computer starts up.
I really want to open it in a VMware program, but I can't xD
Do you have a video on how to run BackTrack in VMware?
Sorry for bad English

MASTER OTW
Can you put in a link to where you downloaded your VMware from?
PS I've got Windows 7

PLEASE, I CAN'T DOWNLOAD IT, I HAVE TRIED A LOT OF DOWNLOADS!

Sebastian Nielsen:

Be patient.

ghost_

Simply Google VMware Workstation or VirtualBox.

OTW, I'm so excited to start hacking, but I can't run BackTrack in VMware because I can't download it. And yeah, ghost, maybe I'm a little bit impatient.

I just want to know where I can get VMware from???
Please send me a link :)

Just forget it.. It works now :D after some hours of trying :/
Thanks OTW for the inspirational quote:
It's not that I'm so smart,
It's just that I stay with problems longer.
Albert Einstein

Glad to hear it Sebastian!

I think that Einstein quote is apropos.

Hi OTW.

I do have a question that is a bit off topic here. I recently installed Snort IDS on my Ubuntu 12.04 together with MySQL and Acid Base.

Everything worked fine after installing and configuring. Sadly after restarting my computer, I am unable to connect to the Acid Base by typing http://localhost/acidbase or http://*.*../acidbase. I have checked the /etc/apache2/sites-available/default file to make sure network addresses match, other than that I am unable to think of anything that would sort the issue. Any help will be appreciated. Thank you.

I just have to say a massive thanks to the writer. This series was fantastic, I followed everything with loads of interest. I'll be checking out every single one of your other tuts and I'll be hoping for more in the future.

I really appreciate you doing this, thanks again.

Thanks! That's what i want to say. Thanks again!

Most of the commands produce errors under Kali... mysql_safe, sshd-generate. Is there any way to solve this? I'm not really used to Debian.

Sir OTW,
The command
ssh -L3316:127.0.0.1:3306 nullbyte@192.168.1.112
after a long wait gives me this output:
ssh: connect to host 192.168.1.112 port 22: Connection timed out
Are there any problems related to the firewall, Sir?

Duck:

First, are you sure you have connectivity to the server? Can you ping it?

Second, the way you wrote the command in your question, you are trying to connect with the nullbyte user on the server. Did you create a nullbyte user?

A screenshot is always helpful in trying to diagnose problems.

OTW

Dear OTW,

First, I want to thank you for this amazing explanation and efforts; this is by far the best place to learn the trade from scratch.

I tried the sshd-generate command but it is saying command not found. I am using Kali Linux so maybe it is different from BackTrack. I tried the manual to figure it out but no luck.

Any idea??

Hi OTW,

New user just joined and currently learning all about BT. Similar problem to Duck ... except I'm getting the message - ssh: connect to host 192.168.1.112 port 22: Connection refused - any suggestions as to why?

Thanks

HI OTW,

I'm new to BT and I have the same problem as TH3L4WN. I followed the steps but I can't get the connection. Here is the screenshot; any advice on what to do?

Is there an account "nullbyte" @192.168.1.112?

Hi, great series of tutorials, I'm learning a lot in this site!

But in this tutorial I was able to connect with SSH from my Kali to an XP in my virtual lab. But when I try to make a connection to the MySQL:

mysql -u TheUser -p

All I get is a blank line in the terminal and nothing happens anymore.

Any Ideas?

It looks like you need to input a password and end with /g to send the command to the mysql server.

ghost_

Thanks GHOST for the attention, I tried that but it doesn't work, with and without /g at the end.

I tried to insert the password directly in the command:

mysql -u TheUser -ppassword

And I get this message; it seems to be connected, the problem is I'm not seeing anything after the connection.

mysql -u TheUser -ppassword
Warning: Using a password on the command line interface can be insecure.

And then the blank line... nothing that I type will work.

You may need to specify the host.

mysql -h localhost -u myname -pmypass mydb

This is just having a quick look on the mysql site for information. Link provided in case you wanted to do a little bit of research yourself.

ghost_

It seems that the command is in the background. I can type but nothing is visible, but in the end the commands are actually working.

I tried to type an invalid command at the end like this:

show databases; \b

And this is the output:

show databases; \b
ERROR at line 1: Unknown command '\b'.
Database
information_schema
cdcol
mysql
phpmyadmin
test

I can type show databases; a lot of times and nothing appears. But when I insert the invalid command at the end, the output is displayed with the ERROR and with the list of all the times I typed the show databases; command.

Maybe it's some Kali issue?

The command sshd-generate doesn't work on Kali. What should I do so I can follow along in this tutorial?

Use "ssh-keygen" instead.

Hello OTW!
I followed step by step. I did them twice, but I can't resolve my problem.
I'm trying to connect to the server, but the connection timed out.
I've created the account as you can see from the attached screenshot.
Please, can you help me?

Can someone explain further about starting SSH? I need help with creating that 'new user' part. And how can I find the client IP? 127.0.0.1

Type ifconfig into your terminal; that will show you the local IP address. Just look in the list of devices for the one you are using (wireless is usually wlan0 for me).

Computer:~ grub$ ssh -L3316:127.0.0.1:3306 notroot@192.168.1.3
ssh: connect to host 192.168.1.3 port 22: Connection refused

Anyone ever figure this out? I have tried all users I have created on the server (including "root") and still it gives the same error.

I am having the exact same problem as Daniel Hawkins.

When I run
ssh -L3316:127.0.0.1:3306 root@192.168.0.14
I get
ssh: connect to host 192.168.0.14 port 22: Connection refused

What do I need to do to fix this issue? I would really like to finish this tutorial so that I can move on to the next. Any assistance that could be offered I would appreciate.

Let's start with the simple. Can you ping the remote system?

Yes. I am able to ping the remote system.

I studied and took lots of notes the other night and went through your entire series of Linux basics. I learned so much. Thank you OTW

Hi OTW..
I got stuck on the first command somehow..

root@falcon:/# mysqld_safe start
-----------------------------------------------------------------

150914 01:49:10 mysqld_safe Can't log to error log and syslog at the same time. Remove all --log-error configuration options for --syslog to take effect.

150914 01:49:10 mysqld_safe Logging to '/var/log/mysql/error.log'.
150914 01:49:10 mysqld_safe A mysqld process already exists
------------------------------------------------------------------------------

  1. restarted the service : service mysql restart, no luck after that too..
  2. grepped mysql processes, killed them.. tried again, nothing..
  3. grepped mysql process again, killed them, restarted service.. tried again, nothing..

Kindly Suggest..
Will rebooting the system help? Just like in a Windows environment :P

Note that in the first error message it tells you that "Can't log to error log and syslog...". Then it tells you to remove --log-error from --syslog.

I zipped the error log and syslog and then nullified the originals.

root@falcon:~# du -sh /var/log/mysql/error.log
0 /var/log/mysql/error.log
root@falcon:~# >/var/log/syslog
root@falcon:~# du -sh /var/log/syslog
0 /var/log/syslog

Tried again, Then same thing.

And Sir,
1.
sshd-generate also did not work.
But I ran ssh-keygen, which worked.

Is there any difference between sshd-generate and ssh-keygen? It seems to me that both are used to generate keys.

____OUTPUT______________
root@falcon:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is: x.x.x.x.x.x.x.x. (removed)
The key's randomart image is:
+---RSA 2048----+
| oo. |
|.Eo.oo . |
|.o.+. o |
|.oo ...o + |
|.. . + S |
| . + . |
| + . |
| o . |
|.o |
+-----------------+

  1. After that, I tried:

ssh -L3316:127.0.0.1:3306 rohit@192.168.1.6

rohit is a local user on my machine.
rohit:x:1000:1001::/home/rohit:/bin/bash

Now, as you instructed: 192.168.1.6 is supposed to be the MySQL server IP.
Do I have a MySQL server installed? Because I think I just have the client.
So, what I did here: I used 192.168.1.6, which is the IP on wlan0.

I hope.. I'm not lost.

Is there a difference between starting MySQL with the command:
mysqld_safe start
and
/etc/init.d/mysql start

on Kali Linux? When I start it with mysqld_safe start and I put ps aux, it doesn't tell me that the process is running.

Also I want to know how do I create the user "nullbyte" on the server? And how can I know the IP of the MySQL server?... Sorry for my dumb questions, I'm pretty new at this.

Master OTW, I couldn't understand how the client machine is able to access the encryption keys generated at the server machine? Do I need to copy a keyfile from server to client before attempting to make the connection? If yes, please tell me where I should keep the file.

Hello,

I am having the same trouble as Jena Plissken, TH3L4WNM0W3RM4N, and Haitian Duck. I have tried to find a way to get this to work but all I get is the following error:

ssh: connect to host 192.168.1.112 port 22: Connection timed out

This question still hasn't been answered.

I have been following the other tutorials pretty alright but I am generally confused about what this tutorial is doing. I understand it has to do with securing the connection, but how and why? More importantly though, I cannot really move on with these tutorials and basics without understanding how to do this seemingly important security step. If someone could please answer this question.

Hi!
I suffer from the same problem as Trevor Phillips.

ssh: connect to host 192.168.1.112 port 22: Connection timed out

And also have the same questions as Trevor Phillips. Why is it good that we make a secured tunnel, how does it concern me and my activities?

Where do you guys get your information on the following: MySQL IP, listener on port, location of the SSH client daemon, MySQL port?

Thanks /Isak

Help guys,
can somebody please explain how this SSH tunneling is working?

I used sshd-generate to generate two keys, a private and a public key, and now I am the client, so whatever I send from my machine to the server will be encrypted using the public key or the private key. And how is someone sitting on the server going to decrypt it (this is somewhat related to the RSA asymmetric encryption mechanism)? How will he get the key which I generated... and if I am going to send it to him, then if it's in plain text it will also get sniffed.

Could someone clarify this doubt?
Any help is appreciated.
Thank you

Hello guys,
I am also unable to proceed with step 3.
I am able to ping the two machines perfectly.

Then using the command ssh -L3316:127.0.0.1:3306 root@192.168.15.104 gives me this error

and I am able to start MySQL from my server machine with user root.

One more thing: do I need to generate SSH keys on both machines? Because I tried both ways and it's not helping (but I guess it's only on one side that both keys are generated)... Please help me by explaining how this tunneling is working; I tried googling but it is creating so much confusion now.

Thank you

Where can I get information such as:
MySQL IP, listener on port, location of the SSH client daemon, MySQL port?

In the case of the article, the MySQL IP will be another host, same with the port. You will need to configure your SSH as per the instructions in the article.

So do I need a command to see the information I commented on before in my post?
Or can I access all that information by configuring my SSH or another way... sorry, I'm a bit confused haha XD

You will need the IP address of the MySQL host, and the port number of the MySQL instance on that host.

At step 1 there is a typo.

When the instructions tell us to type in:

mysql_safe start

it should instead be

mysqld_safe start.

Small typo but just in case anyone was having problems with it.

How is this different from SSHing into the foreign machine and then using mysql?
