There is an auxiliary module in Metasploit called mysql_login which will happily query a MySQL
server for specific usernames and passwords.
To start your attack you have to set the RHOSTS option and choose a username and a password if you would like a single login query.
SET RHOSTS 192.168.2.13
Let’s try a classical mysql user, root.
SET USERNAME root
If you leave the password option and pass_file option blank mysql_login will attempt to login to MySQL server with blank password or with the username as password (root). Maybe we are lucky before we start brute-forcing database with a password list.
Using a password list
We can create our own password list, download one from the Internet or use backtrack’s password list /pentest/passwords/wordlists/rockyou.txt.
Let’s create one!
Creating a password list
To create our password list we are going to use crunch. If you are using BackTrack, as I do, crunch
is already installed.
Open Privilege Escalation -> Password Attacks -> Offline Attacks -> crunch.
Otherwise download it from here.
./crunch 6 8 abcde123456 -o passfile.lst
The above command will create passwords between 6 and 8 characters long, consisting of ascii characters a,b,c,d,e and numbers 1,2,3,4,5,6 and all generated passwords will be saved into file passfile.lst.
Using the password list
Now that we have our password list stored in /pentest/passwords/crunch/passfile.lst, we can use it in mysql_login module.
set PASS_FILE /pentest/passwords/crunch/passfile.lst
Increase also the number of concurrent threads for a faster brute-force attack.
SET THREADS 50
mysql_login module offers 2 interesting and useful options, USER_FILE and USERPASS_FILE. You can use a username file list to try various usernames by setting the USER_FILE option accordingly.
With USERPASS_FILE parameter you can use a file which contains both usernames and
passwords in the same file, each username is separated from the password with a space character and each username-password pair is written in a new line.