Brute-force a MySQL user using a wordlist file.
This fork is a revised version of 0x0mar's fast brute-force program.
Main revisions are:
- Easier command-line usage,
- Adaptability in parsing wordlist formats,
- Thread number default assigned from CPU info,
- Progress counter and stats displayed.
- Linux
./mysql-bruteforce -h <host> -u <username> -f <wordlist_file> [-t <num_threads>] [-p <port>] [-v]
<host> can be localhost (fastest), a hostname, or an IP address.
There are many wordlists available, e.g. Daniel Miessler's.
A MAX_WORD_LEN of 50 is fine for most wordlists. However, some wordlists have borked entries (e.g. a long email address). For these wordlists, increase MAX_WORD_LEN to 140 (or, more precisely, the output of wc -L <wordlist> + 1), and re-compile to avoid a buffer overrun / segfault.
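As an added example (not code from this project or from 0x0mar's original), a bounded read keeps an over-long wordlist entry from overrunning a MAX_WORD_LEN-sized buffer: entries that do not fit are skipped instead of copied. The names next_word and scan_sample and the sample entries are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_WORD_LEN 50 /* default quoted in the README */

/* Hypothetical helper, not the project's code: read one wordlist entry into buf
 * without writing past MAX_WORD_LEN bytes. 1 = stored, 0 = too long, -1 = EOF. */
static int next_word(FILE *fp, char buf[MAX_WORD_LEN])
{
    if (fgets(buf, MAX_WORD_LEN, fp) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len == MAX_WORD_LEN - 1 && buf[len - 1] != '\n') {
        /* Buffer full, no LF seen: drain the rest of the line. */
        int c, extra = 0;
        while ((c = fgetc(fp)) != EOF && c != '\n')
            extra += (c != '\r');
        if (extra)
            return 0; /* reject rather than truncate or overrun */
    }
    buf[strcspn(buf, "\r\n")] = '\0'; /* strip LF or CRLF */
    return 1;
}

/* Scans a constructed sample wordlist; returns 0 on success. */
static int scan_sample(size_t *kept, size_t *skipped)
{
    char buf[MAX_WORD_LEN];
    int r;
    FILE *fp = tmpfile();
    if (fp == NULL) return -1;
    fputs("password\nletmein\r\n", fp);
    fprintf(fp, "%0*d\n", MAX_WORD_LEN - 1, 7); /* longest entry that fits */
    fprintf(fp, "%0*d\n", MAX_WORD_LEN, 7);     /* one byte too long */
    fprintf(fp, "%0*d\n", 139, 7);              /* as long as a stray e-mail line */
    fputs("qwerty", fp);                        /* last line, no EOL */
    rewind(fp);
    *kept = *skipped = 0;
    while ((r = next_word(fp, buf)) != -1)
        if (r) ++*kept; else ++*skipped;
    fclose(fp);
    return 0;
}

int main(void)
{
    size_t k, s;
    return scan_sample(&k, &s) == 0 && printf("kept=%zu skipped=%zu\n", k, s) > 0 ? 0 : 1;
}
```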
20 threads appears to be optimal on 4-thread CPUs.
-v and -vv can be used for verbose output.
See MySQL-Brute docs.
- x86 64-bit
- x86 32-bit
Download from Releases.
If libmysqlclient-dev is not installed:
make deps && make && make install
else:
make && make install
(See MySQL-Brute docs for libmysql requirements.)
- 0x0mar (original)
- Tinram (v. 0.02)
- Tim Čas: EOL removal.
- Ben Alpert: microsecond timer.