Use Cain to crack MYSQL database passwords

The MYSQL Database User Password is the same as the password of other database users. It appears in plain text in the application system code. After obtaining the file read permission, it can be directly read from the database connection file, for example, conn in asp code. asp database connection file, which generally contains information such as the database type, physical location, user name, and password; in MYSQL, even if you obtain the password of a user's database user (except the root user), you can only operate on data in a user's database.

In the actual attack and defense process, when obtaining Webshell, you can directly download the MYSQL database to retain the user. MYD file, which stores the database passwords of all users in the MYSQL database. As long as the passwords can be cracked, the data can be operated brightly, although there are many ways to change the user password of the MYSQL database on the Internet, it is not available because the change of the user password is easy to find!

It is of great significance to study the encryption and decryption methods of MYSQL databases in the Process of Network Attack and Defense. If you can obtain the permissions of a website and save user data in MYSQL, after decryption, you can access the database through normal channels. On the one hand, you can directly operate on the data in the database, and on the other hand, you can use it to improve permissions. By searching for information on the Internet, there are currently not many studies on cracking MYSQL. This article is a reference, although the effect is not particularly good, however, it is also an attempt to crack the password of a MYSQL database.

(1) MYSQL Encryption Method

There are two methods to authenticate the password for the MYSQL database. MYSQL 4.1 and later versions are encrypted by MYSQLSHA1, and MYSQL database comes with Old_Password (str) and Password (str) functions, which can be queried in the MYSQL database. The former is MYSQL323 encryption, and the latter is MYSQLSHA1 encryption.

(1) encryption using MYSQL323

SELECT Old_Password (bbs.antian365.com );

Query Result: MYSQL323 = 10c886615b135b38

(2) encryption using MYSQLSHA1

SELECT Password (bbs.antian365.com );

MYSQLSHA1 = * a2ebae36132928537ada8e6d1f7c5886713cc2 execution result 1 shows that MYSQL323 encryption generates 16-bit strings, while MYSQLSHA1 contains 41-bit strings, * is not included in the actual password calculation. By observing that many users carry "*", remove "*" in the actual cracking process. that is to say, the actual number of BITs encrypted by MYSQLSHA1 is 40 bits.

Figure 1 query SHA values of the same password in the MYSQL database

(2) MYSQL database file structure

1. MYSQL database file type

There are three types of MYSQL database files: "frm", "MYD", and "MYI". ". frm" is a file that describes the table structure,

". MYD" is the table data file, and ". MYI" is the data tree of any index in the table data file. Generally, a folder exists separately. The default path is under "C: Program FilesMYSQLMYSQL Server 5.0data.

2. MYSQL Database User Password File

All settings in the MYSQL database are saved in "C: Program FilesMYSQLMYSQL Server 5.0dataMYSQL" by default, that is, under the data Directory of the installation Program, as shown in 2, the user has a total of three files: user. frm, user. MYD and user. MYI and MYSQL database user passwords are stored in user. the MYD file contains the password of the root user and other users.

Figure 2 MYSQL Database User Password File

(3) cracking MYSQL passwords

1. Obtain the MYSQL database user password encryption string

Open user directly using the UltraEdit-32 editor. the MYD file is opened and viewed in binary mode. As shown in figure 3, a string is displayed after the root user, and these strings are selected to copy them to notepad, these strings are user-encrypted values, namely 506d1427f6f61696bda-1445c90624892136dae3.

Note:

(1) do not copy "*" after root to a string.

(2) In some cases, you need to look at it later. Otherwise, the obtained MYSQLSHA1 password is not complete. In short, the correct password number is 40 bits.

Figure 3 obtain the encrypted string

2. Add the MYSQL user password string to the Cain cracking list

This document uses Cain & Abel to crack the password of a MYSQL database user, cain & Abel is a host that can crack screen saver, PWL password, shared password, cache password, remote Shared Password, SMB password, support for VNC password decoding, Cisco Type-7 password decoding, and Base64 password decoding. SQL Server 7.0/2000 password decoding, Remote Desktop password decoding, Access Database Password decoding, Cisco PIX Firewall password decoding, Cisco MD5 decoding, NTLM Session Security Password decoding, IKE Aggressive Mode Pre- integrated tools such as Shared Keys password decoding, Dialup password decoding, and Remote Desktop password Decoding, it also supports remote cracking, Dictionary mounting, and brute-force cracking. Its Sniffer function is extremely powerful, and almost all account passwords can be captured in plain text, including FTP, HTTP, IMAP, POP3, SMB, TELNET, VNC, TDS, AND SM TP, MSKERB5-PREAUTH, MSN, RADIUS-KEYS, RADIUS-USERS, ICQ, IKE Aggressive Mode Pre-Shared Keys authentications and so on.

The latest version of Cain & Abel is 4.9.30. Software: http://www.newhua.com/soft/53494.htm. Download Cain & Abel, install it directly, run it, and click the "Cracker" tab on the main interface of Cain & Abel, add the encrypted string "506d1427f6f61696bda-1445c90624892136dae3" to the MYSQL Hashes cracking list, as shown in 4, click "Add to list", as shown in 5, and copy the string to the Hash input box. Username can be input at will.

Figure 4 Use Cain to crack the MYSQL password Main Interface

 

Figure 5 add MYSQL Hashes

3. dictionary cracking

6. Select the string to be cracked you just added, select "Dictionary Attack (Dictionary cracking)", and select "MYSQL SHA1 Hashes" in the pop-up menu for cracking, this method is intended for later versions of MYSQL. For versions earlier than MYSQL, select MYSQL v3.23 Hashes for cracking.

Figure 6 select a Cracking Method

After Dictionary Attack is selected, a window is displayed, which is used to select a Dictionary, as shown in Figure 7. Right-click a Dictionary and you can add one or more Dictionary files, after selecting the dictionary, you can select it in Options and click Start to crack the dictionary.

Figure 7MYSQL dictionary cracking settings

Note:

There are eight methods in Options:

(1) uppercase letters of a string

(2) string Inversion

(3) double string

(4) All strings are in lowercase.

(5) All strings are capitalized.

(6) Add a number to the string

(7) rotate uppercase letters in each string

(8) after adding two numbers to the string to crack the string successfully, Cain will give some prompts, as shown below:

Plaintext of user is databasepasswordAttack stopped! 1 of 1 hashes cracked

Indicates that the encrypted password is "databasepassword ". Return to the main Cain cracking window, the cracked Password value is automatically added to the "Password" column, as shown in 8 for easy viewing.

Figure 8 password cracked

 

(4) Discussion on cracking 1. dictionary cracking is related to dictionary strength

Choose Start> program> MYSQL Server 5.0> MYSQL Command Line Client to open the MYSQL Command Line Client and enter the password, enter the following code to reset a new password:

Use MYSQLupdate user set password = password ("1977-05-05") where user = "root"; flush privileges;

In this test, change the original password to "", as shown in result 9.

Figure 9 modifying the MYSQL user password

Use the UltraEdit-32 software to re-open "C: Program FilesMYSQLMYSQL Server 5.0dataMYSQLuser.MYD" to obtain its new password string "Birthday", and then re-select a dictionary, in this example select the generated birthday dictionary, 10. As shown in Figure 11, only lower-case strings are selected for cracking, and the results are quickly obtained. The actual results show that Cain is used to crack the MYSQL password. If dictionary cracking is used, the cracking effect is related to the dictionary strength. As long as the cracked password is in the dictionary, it will be able to crack.

Figure 10 cracking the MYSQL password again

 

Figure 11 modify the MYSQL password and crack the MYSQL password again

2. Use a rainbow table for cracking

In Cain, we also provide the rainbow table cracking function for MYSQL. In the cracking method, select "Cryptanalysis Attack"-"MYSQL SHA1 Hashes via RainbowTables", as shown in Figure 12, in the actual test process, because the sha rainbow table format provided on the network is RTI and RT is used in Cain, I changed the file Suffix of all downloaded rainbow tables from RTI to RT, then crack the table and prompt that the information is not displayed successfully. The format of the rainbow table is different. Cain only recognizes the information it provides.

Figure 12 using the rainbow table Cracking Method

 

Figure 13 use a rainbow table for cracking

3. Hash Calculator

Various Hashes calculations are provided in Cain. Click the computer icon on the main interface to bring up the Hashes calculator. In "Text to hash", enter the original value to be converted, for example, enter "12345678" and click "Calculate" for calculation. 14 Hashes values are displayed, as shown in figure 14.

Figure 14 calculate the Hashes Value

4. Generate a rainbow table

Run Winrtgen in the installation directory C: Program FilesCainWinrtgen of Cain, as shown in Figure 15. This tool is a rainbow table generator, which can easily generate various types of rainbow table values.

Figure 15 Winrtgen rainbow table Generation Tool

5. Set a rainbow table

In Figure 15, click "Add Table" and select "MYSQLsha1" in the "Rainbow Table properties" Hash ", then, you can set the values of "Min Len", "Max Len", "Index", "Chain len", "Chain Count", and "N of tables" based on the actual situation, generally, you only need to set the values of "Min Len", "Max Len", and "N of tables. "N of tables" is mainly used to test the completeness of Hashes generation. If you enter different values, the percentage is displayed in Table properties.