BackTrack ships dbpwaudit in /pentest/database/dbpwaudit, but it does not include the Java JAR files (the JDBC drivers) it needs, so you first have to download them yourself. The easiest way I found is to list the driver aliases and then search the web for each driver class name. You can get the aliases with the -L option:
user@HOST:/pentest/database/dbpwaudit$ ./dbpwaudit.sh -L
DBPwAudit v0.8 by Patrik Karlsson <patrik@cqure.net>
----------------------------------------------------
Oracle - oracle.jdbc.driver.OracleDriver
MySQL - com.mysql.jdbc.Driver
MSSql - com.microsoft.sqlserver.jdbc.SQLServerDriver
DB2 - com.ibm.db2.jcc.DB2Driver
So, basically, search for each of those Java driver libraries and save the JAR files to /pentest/database/dbpwaudit/lib/:
user@HOST:/pentest/database/dbpwaudit$ ls -1 lib/*.jar
lib/db2jcc.jar
lib/db2jcc_license_cisuz.jar
lib/java-getopt-1.0.13.jar
lib/mysql-connector-java-5.1.21-bin.jar
lib/ojdbc14.jar
lib/sqljdbc4.jar
lib/sqljdbc.jar
With the drivers in place, dbpwaudit.sh accepts several options; use -h for help:
user@HOST:/pentest/database/dbpwaudit$ ./dbpwaudit.sh -h
DBPwAudit v0.8 by Patrik Karlsson <patrik@cqure.net>
----------------------------------------------------
DBPwAudit -s <server> -d <db> -D <driver> -U <users> -P <passwords> [options]
-s - Server name or address.
-p - Port of database server/instance.
-d - Database/Instance name to audit.
-D - The alias of the driver to use (-L for aliases)
-U - File containing usernames to guess.
-P - File containing passwords to guess.
-L - List driver aliases.
Assuming I have a database server on localhost, a list of MySQL usernames saved in my home directory as mysql-users.txt, and a list of passwords to try in the same place as mysql-password.txt, this command audits the MySQL server:
./dbpwaudit.sh -s localhost -d mysql -D MySQL -U ~/mysql-users.txt -P ~/mysql-password.txt
and the results:
Results for password scan against localhost using provider MySQL
----------------------------------------------------------------
user: root pass: tARpS?bout11
Tested 17 passwords in 0.33 seconds (51.51515tries/sec)
Sometimes, if I used an IP address instead of a host name (for example 127.0.0.1 instead of localhost), I would get the error "Cannot load connection class because of underlying exception: 'java.lang.NumberFormatException: For input string: "%port%"'". What I found was that I often needed to use a host name instead of an IP address. So even when auditing a remote server, you may need to map a name to its IP address in your /etc/hosts file.
Truthfully, this method of auditing MySQL passwords is very noisy, and what MySQL or systems administrator doesn't lock down port 3306 or limit which hosts users can connect from anyway?
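To show the other side of that noise, here is an added example (not part of the original post) of what a defender would look for: each guess dbpwaudit makes lands in the MySQL error log as an "Access denied" warning, and a short sliding-window count per source host picks the burst out immediately. It assumes the MySQL 5.x error-log line format with log_warnings=2 (the setting that makes failed logins appear there), and the log lines are constructed, not captured.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in MySQL 5.x error-log style (assumes log_warnings=2, which
# is what makes failed logins appear there); not real captured data.
SAMPLE_LOG = """\
120813 10:02:31 [Note] /usr/sbin/mysqld: ready for connections.
120813 10:02:31 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
120813 10:02:31 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
120813 10:02:31 [Warning] Access denied for user 'admin'@'localhost' (using password: YES)
120813 10:02:32 [Warning] Access denied for user 'admin'@'localhost' (using password: YES)
120813 10:02:32 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
120813 10:05:10 [Warning] Access denied for user 'app'@'10.0.0.5' (using password: NO)
120813 10:30:00 [Warning] Access denied for user 'app'@'10.0.0.5' (using password: YES)
"""
DENIED_RE = re.compile(
    r"^(?P<ts>\d{6} \d{1,2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)' \(using password: (?:YES|NO)\)")

def parse_failures(log_text):
    """Return (timestamp, user, source host) for every failed-login line."""
    failures = []
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%y%m%d %H:%M:%S")
            failures.append((ts, m.group("user"), m.group("host")))
    return failures

def find_bursts(log_text, threshold=5, window_seconds=10):
    """Flag source hosts with >= threshold failures inside any window_seconds
    span (sliding window per host). Returns {host: (max_in_window, users)}."""
    stamps_by_host, users_by_host = defaultdict(list), defaultdict(set)
    for ts, user, host in parse_failures(log_text):
        stamps_by_host[host].append(ts)
        users_by_host[host].add(user)
    window, alerts = timedelta(seconds=window_seconds), {}
    for host, stamps in stamps_by_host.items():
        stamps.sort()
        best = start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[host] = (best, sorted(users_by_host[host]))
    return alerts

print(find_bursts(SAMPLE_LOG))  # -> {'localhost': (5, ['admin', 'root'])}
```

The two isolated failures from 10.0.0.5 half an hour apart stay below the threshold, which is the point: the rate, not a single failure, is what separates a password audit from a mistyped password.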