In this guide, I will show how an attacker can perform a Postgres brute force attack on a target system to gain access to a database.
Postgres is an advanced, commercial-grade relational database system that is free and open-source. Both SQL (relational) and JSON (non-relational) queries are supported by PostgreSQL.
Postgres is a highly robust database, PostgreSQL has been developed by the open-source community for more than 20 years.
Numerous web, mobile, and analytic applications are all using PostgreSQL as the default database.
Requirements
- PC running Kali Linux.
- Target system (In this guide we will be attacking a Metasploitable vulnerable server).
- Port scanner (For this guide we will use Nmap).
- Metasploitable
- Patator
- Ncrack
- xHydra
- Metasploit
Using Nmap to scan the target system
The first step to performing a Postgres brute force attack is scanning our target system to determine whether the Postgres service is running.
Using Nmap, we can check for a specific open port or check for open ports within a specific range. To check for open ports we will use the below command.
nmap <TARGET IP>
We can view the target system's open ports after the scanning is completed as shown in the image above. Postgres service runs on the open port 5432 which we want to perform Postgres brute force attack on. The below command can be used to perform additional reconnaissance to find out which version of Postgres is running on the target system.
nmap -sV <TARGET IP>
As shown in the image above, we can see the Postgres version running on the target system which is 8.3. Such information is important to a penetration tester since he/she can use it to determine the already known vulnerabilities of that specific version using an online vulnerabilities database. Having all the collected information, we can now launch a Postgres brute force attack using various tools.
1) Patator
Patator is a multi-threaded tool written in Python and it strives to be more reliable and flexible than other brute forcing tools. It is useful for making brute force attacks on several ports such as FTP, HTTP, POSTGRES, SMB, etc.
To perform a Postgres brute force attack, two fields are required: username and password file. To launch a brute force attack on Postgres service using patator, we will use the below command.
patator pgsql_login host=172.17.0.2 user=FILE0 0=/home/kali/Desktop/username.txt password=FILE1 1=/home/kali/Desktop/passwd.txt
- pgsql_login - specifies the script to use on this brute force attack.
- host - specifies the IP of the target system.
- user (File0) - specifies the file containing the usernames.
- password (File1) - specifies the file containing the passwords.
After providing the required information, we can now run the command, sit back, and wait for the attack to complete. When the attack completes, we can see valid login details found in the lists we used as shown in the image below.
2) Ncrack
Ncrack is a utility for quickly brute forcing network authentication. It was developed to assist organizations to handle network security by proactively analyzing all hosts and network infrastructure for weak security.
To perform a Postgres brute force attack using Ncrack, we just require a single command.
ncrack -v -U /home/kali/Desktop/username.txt -P /home/kali/Desktop/passwd.txt 172.17.0.2:5432
Here,
- -v - used to increase the verbosity level.
- -U - specifies the location of the username list.
- -P - specifies the location of the password list.
After we indicate the location of the lists we will use for the attack, we can now start the attack and wait for Ncrack to find the valid login credentials as shown in the image below.
3) xHydra
This is the graphical version of Hydra. One of the advantages of using the Hydra graphic version while performing a Postgres brute force attack is that it is very easy to use even for beginners.
Specify Target
The first step to brute force the Postgres password is to provide details of the target system. On this, we will provide the IP address of the host, the port to launch our attack on, and the target service on the system as shown in the image below.
Provide Password List
After providing the target details, the next step is to provide the path for our username list and the password list that will be used while performing the Postgres brute force attack as shown in the image below.
We can now run the attack after providing all the required details and wait for xHydra to find the login credentials as shown in the image below.
4) Metasploit
To launch a Postgres brute force attack on a target system while using Metasploit, we are required to have two files: the username list and the password list. As taught in an earlier guide, we can generate our lists using the Crunch utility which comes pre-installed on Kali Linux. It is always advisable to use filtered word lists to reduce the time taken for the brute force attack to complete.
After having the files required we can launch Metasploit using the below command.
msfconsole
On Metasploit, we want to provide the information required before launching a Postgres brute force attack as shown in the image below. i.e. host, port, exploit to be used, and the password list to be used for the brute force attack after which we run to start the attack.
We sit back and let the attack run. After some trials, we get a notice for a correct password that was found on the word list as shown in the image below.
uUing the generated lists, we are able to get valid Postgres login credentials for the target system.
Conclusion
In the above guide, we have performed a Postgres brute force attack on a vulnerable target system. Postgres, being among the most commonly used relational database system, is a target for bad actors. As a penetration tester, knowing how to perform a Postgres brute force attack on a system will be useful as you carry on your penetration tests on different systems.
