Web servers sometimes return database connection errors that reveal the MySQL username used by the web application. Penetration testers could use this information to perform brute force password auditing.
This recipe describes how to launch dictionary attacks against MySQL servers by using Nmap.
To perform brute force password auditing against MySQL servers by using Nmap, use the following command:
$ nmap -p3306 --script mysql-brute <target>
If valid credentials are found, they will be included in the mysql-brute output section:
3306/tcp open mysql | mysql-brute: | root:<empty> => Valid credentials |_ test:test => Valid credentials
The script mysql-brute was written by Patrik Karlsson and it is really helpful when auditing MySQL servers. It performs dictionary attacks to find valid credentials. The success rate will obviously depend on the dictionary files used when running the script.
The MySQL server might be running on a non-standard port. You can set the port manually by specifying the -p argument, or by using Nmap's service detection:
$ nmap -sV --script mysql-brute <target>$ nmap -p1234 --script mysql-brute <target>
The script mysql-brute depends on the NSE libraries unpwdb and brute. These libraries have several script arguments that can be used to tune your brute force password auditing.
- To use a different username and password lists, set the arguments
userdbandpassdb, respectively:$ nmap -p3306 --script mysql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target> - To quit after finding one valid account, use the argument
brute.firstOnly:$ nmap -p3306 --script mysql-brute --script-args brute.firstOnly <target> - To set a different timeout limit, use the argument
unpwd.timelimit. To run it indefinitely, set it to0:$ nmap -p3306 --script mysql-brute --script-args unpwdb.timelimit=0 <target>$ nmap -p3306 --script mysql-brute --script-args unpwdb.timelimit=60m <target>
The brute library supports different modes that alter the username/password combinations used in the attack. The available modes are:
user: For each user listed inuserdb, every password inpassdbwill be tried$ nmap --script mysql-brute --script-args brute.mode=user <target>pass: For each password listed inpassdb, every user inuserdbwill be tried$ nmap --script mysql-brute --script-args brute.mode=pass <target>creds: This requires the additional argumentbrute.credfile$ nmap --script mysql-brute --script-args brute.mode=creds,brute.credfile=./creds.txt <target>