Brute Force with Databases

HexorBase is a fairly decent utility, and even if it’s not very useful, it’s at least guaranteed fun for the many DBAs and SysOps who like to take a peek at others’ systems.

The developer himself refers to HexorBase as a “hacker tool” (???), and also as a database administration tool for multiple vendors (???). Truth be told, it’s neither one nor the other.

But HexorBase is a tool that offers:

Database discovery: You provide a range of IPs, and it scans them to see if any database is “listening.” Who hasn’t used a PORT SCANNER at some point? So, up to this point, it’s just a port scanner, but dedicated to finding RDBMS. I managed to find MySQL, Oracle, PostgreSQL, and SQL Server.

SQL Frontend: Another thing this tool does competently is act as a SQL frontend for the databases mentioned, without needing to configure anything or download a bunch of annoying JDBC/ODBC drivers. It’s plug-and-play ;-). Just point it to the RDBMS, connect, and bingo, you can run your queries. I had no trouble running queries on these databases, even using keywords and hints specific to each one.

Brute Force: Ah! You were waiting for this part, right? Yes, it has a brute force feature that tries to discover user passwords based on patterns and dictionaries. I tested it with several common passwords that users love to use—especially newbie Java programmers and PHP devs. With weak passwords, it worked and I got access to the databases. But if you’re paranoid like me, with a password like: @w0217ma8)(->vi187$@#, this little toy will never crack it. So this feature is just for fun.

Proxies and advanced connection techniques via protected networks: This part I liked. I managed to connect via tunnels, proxies, and subnets. Points for it.
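
The brute force feature above, seen from the defender's side, as an added example that is not from the original post or from HexorBase: it counts failed database logins per source host in MySQL and PostgreSQL logs and flags bursts that look like a dictionary run. The log layouts, the threshold, the window and the sample lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS = r"(\d{4}-\d{2}-\d{2})[T ](\d{2}:\d{2}:\d{2})"
# MySQL error log; assumes failed logins are written there (log_error_verbosity=3).
MYSQL = re.compile(TS + r".*Access denied for user '([^']*)'@'([^']*)'")
# PostgreSQL; assumes log_line_prefix = '%m %h ' (timestamp, then client host).
PGSQL = re.compile(TS + r'\S* \S+ (\S+) FATAL:\s+password authentication failed for user "([^"]*)"')

def parse(line):
    """Return (time, source_host, user) for a failed login, else None."""
    m = MYSQL.search(line)
    if m:
        day, clock, user, host = m.groups()
    else:
        m = PGSQL.search(line)
        if not m:
            return None
        day, clock, host, user = m.groups()
    return datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"), host, user

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each host with >= threshold failures in one window to the users it tried."""
    recent = defaultdict(deque)  # host -> failure times still inside the window
    users = defaultdict(set)     # host -> every account name it attempted
    flagged = {}
    for ts, host, user in sorted(filter(None, map(parse, lines))):
        q = recent[host]
        q.append(ts)
        users[host].add(user)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[host] = users[host]
    return {h: sorted(u) for h, u in flagged.items()}

# Constructed sample lines (not real logs): a fast burst, a slow trickle, noise.
SAMPLE = [f"2024-05-01T10:00:0{i}.000000Z 12 [Note] Access denied for user 'root'"
          "@'10.0.0.5' (using password: YES)" for i in range(5)]
SAMPLE += [f'2024-05-01 10:0{i}:00.000 UTC 10.0.0.7 FATAL:  password authentication'
           ' failed for user "app"' for i in range(5)]
SAMPLE.append("2024-05-01T10:00:03.000000Z 13 [Note] Aborted connection 13 to db: 'shop'")

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE))
```

With the defaults only the five-failures-in-five-seconds host is flagged; the host that fails once a minute stays under the threshold, which is why a rate rule like this is usually paired with account lockout or a longer-window count.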

It’s not suitable for administration. As a free multi-database client, it’s… maybe okay. Not perfect, but sometimes you have to work with what you’ve got.

Anyway, it’s worth checking out at https://code.google.com/p/hexorbase/
