Backtrack ships dbpwaudit in /pentest/database/dbpwaudit, but it does not include the Java JDBC driver jar files the tool needs, so the first step is to download them yourself. The easiest way I found to do that is to list the driver aliases with the -L option and then search the web for each driver class name:
[codesyntax lang=”bash”]
user@HOST:/pentest/database/dbpwaudit$ ./dbpwaudit.sh -L
DBPwAudit v0.8 by Patrik Karlsson <[email protected]>
----------------------------------------------------
Oracle - oracle.jdbc.driver.OracleDriver
MySQL - com.mysql.jdbc.Driver
MSSql - com.microsoft.sqlserver.jdbc.SQLServerDriver
DB2 - com.ibm.db2.jcc.DB2Driver
[/codesyntax]
Search for each of those Java driver classes, download the jar that provides it, and save the jars to /pentest/database/dbpwaudit/lib/:
[codesyntax lang=”bash”]
user@HOST:/pentest/database/dbpwaudit$ ls -1 lib/*.jar
lib/db2jcc.jar
lib/db2jcc_license_cisuz.jar
lib/java-getopt-1.0.13.jar
lib/mysql-connector-java-5.1.21-bin.jar
lib/ojdbc14.jar
lib/sqljdbc4.jar
lib/sqljdbc.jar
[/codesyntax]
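Downloading jars by name from search results is error-prone: a file can be an older driver with a different class name, or an HTML error page saved under a .jar filename. The following Python script is an added example (not part of dbpwaudit or the original post) that checks whether each driver alias from the -L output above is actually backed by a class inside some jar in the lib/ directory. A jar is just a zip archive, so the check only needs the standard library. The alias-to-class table is copied from the -L output; the lib/ path and the constructed demo directory (stub entries, not real drivers) are assumptions of this example.

```python
"""Verify that lib/*.jar actually provides the JDBC driver classes dbpwaudit lists.

Added example, not part of dbpwaudit itself. The alias-to-class table below is
copied from the tool's -L output; the demo lib directory is constructed here.
"""
import os
import sys
import tempfile
import zipfile

# Driver aliases and the classes they load, as printed by ./dbpwaudit.sh -L
DRIVERS = {
    "Oracle": "oracle.jdbc.driver.OracleDriver",
    "MySQL": "com.mysql.jdbc.Driver",
    "MSSql": "com.microsoft.sqlserver.jdbc.SQLServerDriver",
    "DB2": "com.ibm.db2.jcc.DB2Driver",
}


def class_entry(class_name):
    """Translate a fully qualified Java class name into its jar entry path."""
    return class_name.replace(".", "/") + ".class"


def jar_classes(jar_path):
    """Return the set of .class entries in a jar (a jar is just a zip file)."""
    with zipfile.ZipFile(jar_path) as jar:
        return {name for name in jar.namelist() if name.endswith(".class")}


def find_drivers(lib_dir):
    """Map each driver alias to the jar file that provides its class, or None.

    This mirrors what the JVM class loader does when dbpwaudit.sh puts
    lib/*.jar on the classpath: the alias only works if some jar has the class.
    """
    jars = sorted(
        os.path.join(lib_dir, f) for f in os.listdir(lib_dir) if f.endswith(".jar")
    )
    found = {alias: None for alias in DRIVERS}
    for jar_path in jars:
        try:
            entries = jar_classes(jar_path)
        except zipfile.BadZipFile:
            # Truncated download or an HTML page saved as .jar: skip it.
            continue
        for alias, class_name in DRIVERS.items():
            if found[alias] is None and class_entry(class_name) in entries:
                found[alias] = os.path.basename(jar_path)
    return found


def missing_drivers(lib_dir):
    """Aliases from -L that no jar in lib_dir provides, sorted."""
    return sorted(alias for alias, jar in find_drivers(lib_dir).items() if jar is None)


def make_demo_lib():
    """Constructed sample lib/ dir: a valid MySQL jar, a helper jar, a bogus DB2 jar.

    The jar contents are empty stub entries, not real driver code.
    """
    lib_dir = tempfile.mkdtemp(prefix="dbpwaudit-lib-")
    mysql_jar = os.path.join(lib_dir, "mysql-connector-java-5.1.21-bin.jar")
    with zipfile.ZipFile(mysql_jar, "w") as jar:
        jar.writestr(class_entry(DRIVERS["MySQL"]), b"")
    with zipfile.ZipFile(os.path.join(lib_dir, "java-getopt-1.0.13.jar"), "w") as jar:
        jar.writestr("gnu/getopt/Getopt.class", b"")
    # Simulate a failed download: an HTML error page saved under a .jar name.
    with open(os.path.join(lib_dir, "db2jcc.jar"), "wb") as f:
        f.write(b"<html>404 Not Found</html>")
    return lib_dir


if __name__ == "__main__":
    # Usage: python3 check_jars.py /pentest/database/dbpwaudit/lib
    # With no argument the constructed demo directory is checked instead.
    lib = sys.argv[1] if len(sys.argv) > 1 else make_demo_lib()
    for alias, jar in find_drivers(lib).items():
        print(f"{alias:7s} {jar or 'MISSING'}")
```

Run it against the real lib/ directory before a long audit; an alias reported as MISSING will fail at connection time no matter how good the wordlists are.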
With the jars in place, dbpwaudit.sh accepts several options; use -h for help:
[codesyntax lang=”bash”]
user@HOST:/pentest/database/dbpwaudit$ ./dbpwaudit.sh -h
DBPwAudit v0.8 by Patrik Karlsson <[email protected]>
----------------------------------------------------
DBPwAudit -s <server> -d <db> -D <driver> -U <users> -P <passwords> [options]

-s - Server name or address.
-p - Port of database server/instance.
-d - Database/Instance name to audit.
-D - The alias of the driver to use (-L for aliases)
-U - File containing usernames to guess.
-P - File containing passwords to guess.
-L - List driver aliases.
[/codesyntax]
Assuming there is a database server on localhost, a list of MySQL usernames saved in my home directory as mysql-users.txt, and a list of passwords to try saved there as mysql-password.txt, this command audits the MySQL server:
[codesyntax lang=”bash”]
./dbpwaudit.sh -s localhost -d mysql -D MySQL -U ~/mysql-users.txt -P ~/mysql-password.txt
[/codesyntax]
and the results:
[codesyntax lang=”bash”]
Results for password scan against localhost using provider MySQL
----------------------------------------------------------------
user: root pass: tARpS?bout11
Tested 17 passwords in 0.33 seconds (51.51515tries/sec)
[/codesyntax]
Sometimes when I used an IP address instead of a hostname, i.e. 127.0.0.1 instead of localhost, I would get the error message: Cannot load connection class because of underlying exception: 'java.lang.NumberFormatException: For input string: "%port%"'. What I found was that I often needed to use a hostname instead of an IP address. So even if you are auditing a remote server, you may need to map a name to its IP address in your /etc/hosts file and pass that name with -s.
Truthfully, this method of auditing MySQL passwords is very noisy, and what MySQL or systems administrator doesn't lock down port 3306 anyway, or at least limit which hosts users can connect from?