Web servers sometimes return database connection errors that reveal the MySQL username used by the web application. Penetration testers could use this information to perform brute force password auditing.
This recipe describes how to launch dictionary attacks against MySQL servers by using Nmap.
To perform brute force password auditing against MySQL servers by using Nmap, use the following command:
$ nmap -p3306 --script mysql-brute <target>
If valid credentials are found, they will be included in the mysql-brute
output section:
3306/tcp open mysql | mysql-brute: | root:<empty> => Valid credentials |_ test:test => Valid credentials
The script mysql-brute
was written by Patrik Karlsson and it is really helpful when auditing MySQL servers. It performs dictionary attacks to find valid credentials. The success rate will obviously depend on the dictionary files used when running the script.
The MySQL server might be running on a non-standard port. You can set the port manually by specifying the -p
argument, or by using Nmap's service detection:
$ nmap -sV --script mysql-brute <target>$ nmap -p1234 --script mysql-brute <target>
The script mysql-brute
depends on the NSE libraries unpwdb
and brute
. These libraries have several script arguments that can be used to tune your brute force password auditing.
userdb
and passdb
, respectively:$ nmap -p3306 --script mysql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>
brute.firstOnly
:$ nmap -p3306 --script mysql-brute --script-args brute.firstOnly <target>
unpwd.timelimit
. To run it indefinitely, set it to 0
:$ nmap -p3306 --script mysql-brute --script-args unpwdb.timelimit=0 <target>$ nmap -p3306 --script mysql-brute --script-args unpwdb.timelimit=60m <target>
The brute
library supports different modes that alter the username/password combinations used in the attack. The available modes are:
user
: For each user listed in userdb
, every password in passdb
will be tried$ nmap --script mysql-brute --script-args brute.mode=user <target>
pass
: For each password listed in passdb
, every user in userdb
will be tried$ nmap --script mysql-brute --script-args brute.mode=pass <target>
creds
: This requires the additional argument brute.credfile
$ nmap --script mysql-brute --script-args brute.mode=creds,brute.credfile=./creds.txt <target>
3.137.183.210