Brute forcing MySQL

There is an auxiliary module in Metasploit called mysql_login which will happily query a MySQL
server for specific usernames and passwords.

To start your attack you have to set the RHOSTS option and choose a username and a password if you would like a single login query.


Let’s try a classical mysql user, root.


If you leave the password option and pass_file option blank mysql_login will attempt to login to MySQL server with blank password or with the username as password (root). Maybe we are lucky before we start brute-forcing database with a password list.

Using a password list
We can create our own password list, download one from the Internet or use backtrack’s password list /pentest/passwords/wordlists/rockyou.txt.

Let’s create one!

Creating a password list
To create our password list we are going to use crunch. If you are using BackTrack, as I do, crunch
is already installed.

Open Privilege Escalation -> Password Attacks -> Offline Attacks -> crunch.
Otherwise download it from here.


./crunch 6 8 abcde123456 -o passfile.lst

The above command will create passwords between 6 and 8 characters long, consisting of ascii characters a,b,c,d,e and numbers 1,2,3,4,5,6 and all generated passwords will be saved into file passfile.lst.

Using the password list
Now that we have our password list stored in /pentest/passwords/crunch/passfile.lst, we can use it in mysql_login module.

set PASS_FILE /pentest/passwords/crunch/passfile.lst

Increase also the number of concurrent threads for a faster brute-force attack.


mysql_login module offers 2 interesting and useful options, USER_FILE and USERPASS_FILE. You can use a username file list to try various usernames by setting the USER_FILE option accordingly.

With USERPASS_FILE parameter you can use a file which contains both usernames and
passwords in the same file, each username is separated from the password with a space character and each username-password pair is written in a new line.

Published in Hakin9 magazine on October 25, 2012

%d bloggers like this: