Brute forcing MySQL passwords

Web servers sometimes return database connection errors that reveal the MySQL username used by the web application. Penetration testers could use this information to perform brute force password auditing.

This recipe describes how to launch dictionary attacks against MySQL servers by using Nmap.

How to do it...

To perform brute force password auditing against MySQL servers by using Nmap, use the following command:

$ nmap -p3306 --script mysql-brute <target>

If valid credentials are found, they will be included in the mysql-brute output section:

3306/tcp open  mysql
| mysql-brute:  
|   root:<empty> => Valid credentials
|_  test:test => Valid credentials

How it works...

The script mysql-brute was written by Patrik Karlsson ...

Get Nmap 6: Network Exploration and Security Auditing Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.