Jul 092012
 

Backtrack has dbpwaudit in /pentest/database/dbpwaudit, however, it does not come with the java jar files required.  So, first you have to go download them.  The easiest way I found out to do that is by simply searching for the aliases and then googling them.  You can get the aliases with the -L option:

user@HOST:/pentest/database/dbpwaudit$ ./dbpwaudit.sh -L
DBPwAudit v0.8 by Patrik Karlsson <patrik@cqure.net>
----------------------------------------------------
Oracle - oracle.jdbc.driver.OracleDriver
MySQL - com.mysql.jdbc.Driver
MSSql - com.microsoft.sqlserver.jdbc.SQLServerDriver
DB2 - com.ibm.db2.jcc.DB2Driver

So, basically search for each of the java libraries and save them to /pentest/database/dbpwaudit/lib/

user@HOST:/pentest/database/dbpwaudit$ ls -1 lib/*.jar
lib/db2jcc.jar
lib/db2jcc_license_cisuz.jar
lib/java-getopt-1.0.13.jar
lib/mysql-connector-java-5.1.21-bin.jar
lib/ojdbc14.jar
lib/sqljdbc4.jar
lib/sqljdbc.jar

With them installed, you can basically pass several options to dbpwaudit.sh, use -h for help:

user@HOST:/pentest/database/dbpwaudit$ ./dbpwaudit.sh -h
DBPwAudit v0.8 by Patrik Karlsson <patrik@cqure.net>
----------------------------------------------------
DBPwAudit -s <server> -d <db> -D <driver> -U <users> -P <passwords> [options]
 
	-s - Server name or address.
	-p - Port of database server/instance.
	-d - Database/Instance name to audit.
	-D - The alias of the driver to use (-L for aliases)
	-U - File containing usernames to guess.
	-P - File containing passwords to guess.
	-L - List driver aliases.

Assuming I have a db server on localhost and a list of mysql usernames saved in my home directory as mysql-users.txt and a list of passwords to try also in my home directory as mysql-password.txt, this command would audit the mysql server:

./dbpwaudit.sh -s localhost -d mysql -D MySQL -U ~/mysql-users.txt -P ~/mysql-password.txt

and the results:

Results for password scan against localhost using provider MySQL
----------------------------------------------------------------
user: root	pass: tARpS?bout11
 
Tested 17 passwords in 0.33 seconds (51.51515tries/sec)

Sometimes if I used an ip address instead of a domain name, i.e. 127.0.0.1 instead of localhost, I would get this error message “Cannot load connection class because of underlying exception: ‘java.lang.NumberFormatException: For input string: “%port%”‘”.  What I found was that I needed to often use a domain name instead of an ip address.  So even if you are auditing a remote server, you may need to map a name to the ip address in your /etc/hosts file.

Truthfully, this method of auditing mysql passwords is very noisy and what mysql / systems administrator doesn’t lock down port 3306 anyways or limit where users can connect from?