Brute-forcing MySQL passwords
There are several methods for obtaining valid MySQL usernames. For example, web servers sometimes return database connection errors that reveal the MySQL username used by the web application. Penetration testers could use this information to perform brute-force password auditing attacks and obtain access to sensitive information if the service is remotely accessible.
This recipe describes how to launch dictionary attacks against MySQL servers with Nmap.
How to do it...
To perform brute-force password auditing against MySQL servers, use the following command:
$ nmap -p3306 --script mysql-brute <target>
If valid credentials are found, they will be included in the mysql-brute
output section:
3306/tcp open    mysql | mysql-brute: |     root:<empty> => Valid credentials |_    test:test => Valid credentials
How it works...
The mysql-brute
script was written...