Comments on: Brute-Force MySQL Password From a Hash

By: trangtriquangcao

trangtriquangcao — Mon, 22 Jun 2020 14:05:39 +0000

I think sql server is usually putted behind some security layers, then bruteforce is not easy

By: lefred

lefred — Thu, 18 Jun 2020 06:45:27 +0000

Me again 😉 For more information about the new default authentication plugin which is much more secure, please read https://mysqlserverteam.com/a-tale-of-two-password-authentication-plugins/

By: lefred

lefred — Wed, 17 Jun 2020 07:29:52 +0000

I also wanted to add that caching_sha2_password authentication plugin uses different hashes for storing password and during authentication.
This means that even if stored hashes are available, one can not use them directly along with packet sniffed from network.
This trick worked on mysql_native_password because same hashing scheme is used to store the password and to authenticate user.
And additionally, it’s always possible to encrypt the mysql system tables if your version supports it: https://dev.mysql.com/doc/refman/8.0/en/innodb-data-encryption.html#innodb-mysql-tablespace-encryption-enabling-disabling

Cheers,

By: lefred

lefred — Mon, 15 Jun 2020 18:10:23 +0000

That’s why MySQL 8.0 uses caching_sha2_password authentication by default. As you said, the password can then be recovered in 2.8 years. MySQL 8.0 can add password expiration and account locking 😉
So if you still use the mysql_native_password authentication plugin, it’s time to change it !

By: Mykola Marzhan

Mykola Marzhan — Mon, 15 Jun 2020 12:38:41 +0000

In reply to Ed Greenberg. Hi Ed, MariaDB use just regular `mysql_native_password` plugin, so situation is identical to MySQL 5.7

By: Ed Greenberg

Ed Greenberg — Mon, 15 Jun 2020 11:57:47 +0000

What’s the equivalent situation for Mariadb?

By: Joyal James

Joyal James — Sat, 13 Jun 2020 14:27:10 +0000

How can get the access to database backup,and traffic???

By: Mykola Marzhan

Mykola Marzhan — Fri, 12 Jun 2020 18:44:20 +0000

In reply to René. Yes, you absolutely right, it is also needed to sniff traffic, as described in https://github.com/cyrus-and/mysql-unsha1/blob/master/README.md#the-sniffer sorry for the confusion, I have fixed wording in the "mysql-unsha1 Attack" section.

By: René

René — Fri, 12 Jun 2020 18:16:52 +0000

The patched mysql client is able to connect using sha1(password), while in mysql.user you have sha1(sha1(password))

By: Mykola Marzhan

Mykola Marzhan — Fri, 12 Jun 2020 18:13:00 +0000

In reply to René. No, you need to build patched mysql client https://github.com/cyrus-and/mysql-unsha1/blob/master/README.md#the-patched-mysql-client which able to connect with hash, without plain text password.

By: René

René — Fri, 12 Jun 2020 17:56:37 +0000

Hi Mykola,

Ok, so you still need to brute force the password, so having the hash is not enough “for connecting to a running database”.
Correct?

By: Mykola Marzhan

Mykola Marzhan — Fri, 12 Jun 2020 17:44:51 +0000

In reply to René. Hi Rene! if you have a backup: 1) restore the database from the backup (at least mysql.user table) 2) run mysqld with --skip-grant-tables option 3) dump hashes according to commands in the "Dump Hash" section.

By: René

René — Fri, 12 Jun 2020 17:29:35 +0000

Great article!

According to https://github.com/cyrus-and/mysql-unsha1/blob/master/README.md , access to mysql.user table alone is not enough.
While this article claims that “if a hacker has access to a database backup, he automatically receives all needed information (SHAs)”.

Did I miss something?