Sunday, 15 January 2012

Brute Forcing MySQL

I just did my first nmap scan against the Metasploitable Virtual Machine. There are several open ports and a lot of services running on the VM. Here is a listing of the services found by nmap:


21/tcp open ftp ProFTPD 1.3.1

22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)

139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open ajp13?
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1

First I wanted to execute some brute-force attacks against the MySQL database that is running in Metasploitable. There are different ways of brute-forcing it, but your scanner is just as good as you're wordlist or wordcombination files for usernames and passwords are (here are username and password lists for a first shot).

As password list, I'm using elitehacker.txt.bz2 provided by and I defined six different users:

root@bt:~/test_environment/brute_force# cat username.txt 

I inserted also all of these six users and a blank line into the elitehackers.txt password file.

1. Using Metasploit

#search mysql
#use auxiliary/scanner/mysql/mysql_login
#show options
#set RHOSTS <Target IP>
#set USER_FILE /root/<your_username_file>
#set PASS_FILE /root/<your_password_file>

The verbose mode is set by default to true, so you can see all login attempts. This is not very convenient, because of two reasons:

a) If the brute force attempt is successful you have to scroll back the whole list of attempts to find the login as there is no summary after finishing the mysql_login module (can be very nasty).
b) The actual scan time is decreasing dramatically. When I was scanning with verbose set to true, it took me 5 Minutes and 5 Seconds. After deactivating verbose mode, the scan was done in 2 Minutes and 5 Seconds.

Conclusion => #set VERBOSE false

2. Using THC Hydra

#hydra -L /root/<your_username_file> -P /root/<your_password_file> <IP> mysql

3. Result

So here is an overview of the results (all scans were executed with the same user- and passwordfile).

mysql_login (verbose mode activated)5 Minutes 5 Seconds
mysql_login (verbose mode deactivated)2 Minutes 5 Seconds
THC Hydra4 Minutes 8 Seconds

It was just a very small brute-forcing attack (5.412 username/password combinations), but Metasploit took almost 25% more time than Hydra with the same wordlists when verbose mode is activated in mysql_login.

If verbose mode is deactivated it is by far the most effective way to brute force mysql.

I don't know if this will scale in the same manner if the brute force attack will have more combinations, but the mysql_login module of Metasploit seems more efficient for mysql brute forcing than THC Hydra.

So let's check this finding manually:

So now we have another login, for a new attack :-)

1 comment:

  1. Spectro Group of Companies is the India #1 Testing Laboratory which is provide the calibration service, Inspection service, mechanical Testing, water testing, food testing, trainig program, project consultency, etc and all type of testing service.