The H – (International) Fast cracking of MySQL passwords demonstrated. A hacker by the name of Kingcope has found another security problem with the popular MySQL database. Using an already well-known characteristic of the database’s user management, it is possible to significantly increase the speed of a brute force attack. The trick allowed him to test up to 5000 passwords per second over the network if he has some access to the database. For this, the attacker requires an unprivileged account for the database. The script uses that account to log in and then uses the command ‘change_user’ to attempt to change the account during the MySQL session. Unlike presenting the password to the login process, this works with an already established network connection and very quickly rejects incorrect passwords. The hacker used the John The Ripper password cracker to create a password list and has documented the attack with a Perl script and record of a command line session. To crack a four-character password with remote access to the MySQL database took just 20 seconds with over 100,000 character combinations tested.
Ali Loney, on December 04, 2012