Brute force a MySQL user using a wordlist file.
MySQL Brute was created for MySQL localhost account recovery e.g.
PLESK-managed MySQL admin user is a candidate.
./mysqlbrute --help / no switches
./mysqlbrute -h <host> -u <username> -f <wordlist_file>
./mysqlbrute -h localhost -u wordpress -f top_100000.txt
Download a password-only wordlist e.g. Daniel Miessler's (others can be username:password combinations).
Alternatively a simple wordlist for testing can be the Linux dictionary (Debian path):
./mysqlbrute -h localhost -u <username> -f /usr/share/dict/words
MAX_WORD_LEN
of 50
in mysqlbrute.c is okay for most wordlists. However, some wordlists have borked entries (e.g. long email addresses included). For such wordlists, increase MAX_WORD_LEN
to 140
(or more precisely, the output of wc -L <wordlist_file>
+ 1), and re-compile the source to avoid the resultant buffer overrun / segfault.
Other options:
-p <port_number>
Download the executables from Releases.
MySQL Brute churns through approximately 20,000 passwords per second (vanilla Core i3 desktop CPU) on a Unix localhost socket connection – considerably faster than the Bash and Python scripts I tried before creating MySQL Brute (and curiously, faster than the vaunted multi-threaded Hydra). However, when using a network connection, MySQL Brute is much slower – around 1,000 per second on a local network.
MySQL Brute's speed bottlenecks are:
mysql_real_connect()
),If more speed is needed, there is 0x0mar's multi-threaded Mysql-bruteforce or my fork of this.
hydra -l wordpress -P top_100000.txt -t 4 -F localhost mysql
(As per the example in Usage, using 4 threads, ~1,050 tries per second on a Core i3.)
Nmap has a MySQL attack script which cycles through common usernames.
On the same Core i3:
Statistics: Performed 50009 guesses in 9 seconds, average tps: 5556
Unless you intimately know the MySQL set-up on a remote server, some of MySQL's configuration can silently (and righteously) impede MySQL Brute.
First attempt to connect to a remote MySQL connection from the terminal (use any random input when prompted for password):
mysql -h <ip_addr> -u wordpress -p
ERROR 1045 (28000): Access denied for user 'wordpress'@'host' (using password: YES)
... shows MySQL is accepting remote user connections.
ERROR 2003 (HY000): Can't connect to MySQL server on 'host' (111)
... will be the bind address locked to localhost or a blocking firewall rule, or both.
bind-address = 127.0.0.1
(my.cnf; if line present: comment out with #
, then restart mysqld)skip-networking
(my.cnf – disables TCP/IP; if line present, comment out with #
, then restart mysqld)mysql> SELECT host, user FROM mysql.user;
+-------------+------------+
| host | user |
+-------------+------------+
| localhost | wordpress |
| 10.0.0.% | xyz |
+-------------+------------+
... no remote connection permitted for user wordpress, but local network access for user xyz.
mysqlbrute ... -p 3307
)pgrep mysql
– no number output means mysqld is not running). make deps && make && make install
(Assumes libmysqlclient-dev and libssl-dev libraries are not installed.)
Ensure the libmysqlclient-dev and libssl-dev dependencies (from distro repo) are installed:
locate libmysqlclient-dev
locate libssl-dev
If locate
does not find each library, install on Debian-based distros with:
make deps
or:
sudo apt install libmysqlclient-dev libssl-dev
In the directory containing either the clone or the extracted zip files, compile with GCC:
make
or:
GCC:
gcc mysqlbrute.c $(mysql_config --cflags) $(mysql_config --libs) -o mysqlbrute -Ofast -Wall -Wextra -Wuninitialized -Wunused -Werror -std=gnu99 -s
Clang:
clang mysqlbrute.c $(mysql_config --cflags) $(mysql_config --libs) -o mysqlbrute -O3 -Wall -Wextra -Wuninitialized -Wunused -Werror -std=gnu99 -s
Delete makefile and rename makefile_mariadb to makefile.
make deps && make && make install
or:
sudo apt install libmariadb-dev libssl-dev
make
(h0ek also specifies libmariadb-dev-compat as a dependency; in testing on Ubuntu 18.04 this library was not required for compilation, but it may well be in other scenarios.)
or:
GCC:
gcc mysqlbrute.c $(mariadb_config --cflags) $(mariadb_config --libs) -o mariabrute -Ofast -Wall -Wextra -Wuninitialized -Wunused -Werror -std=gnu99 -s
MySQL Brute will rapidly enlarge the MySQL error log files:
general_log
variable enabled)(locations for Debian-based distros)
It may be more convenient for MySQL Brute to be available from any directory location via the $PATH system variable (rather than copying the executable file to the directory where needed).
make install
Or move the mysqlbrute executable to a location such as /usr/local/bin (location must be present in $PATH).
MySQL Brute is released under the GPL v.3.