Author Topic: How to recover a MySQL Password? (Read 37880 times)

Stoic Joker · « **on:** November 02, 2015, 09:22 AM »

Well I managed to goof, and somehow forgot to document the password for one of our MySQL servers. So I'm looking for password recovery options to try and minimize the impact of forcing my way back into the account. If it helps any ... The pw is stored in a copy MySQL workbench, so hopefully there are 2 possible angles of attack.

I do not want to just reset the password, because of the ripple chasing potential.

Any ideas?

Ath · « **Reply #1 on:** November 02, 2015, 12:47 PM »

If all went 'well', not the password is stored, but only a hash of it. Not knowing the hash method will make recovery very hard, especially if a generated password is used. Resetting the password may be the only plausible solution.

f0dder · « **Reply #2 on:** November 02, 2015, 01:12 PM »

The pw is stored in a copy MySQL workbench, so hopefully there are 2 possible angles of attack.
-Stoic Joker (November 02, 2015, 09:22 AM)

"Stored"? As in, you can start the workbench, and it will authenticate against the database? Then it should definitely be possible to extract.

Or, do the sensible thing: export a dump, remove MySQL, and restore to a Postgres

Renegade · « **Reply #3 on:** November 02, 2015, 01:33 PM »

If all went 'well', not the password is stored, but only a hash of it. Not knowing the hash method will make recovery very hard, especially if a generated password is used.
-Ath (November 02, 2015, 12:47 PM)

A rainbow table attack could work. Very fast and efficient. The only problem is downloading the rainbow tables, but that should just be a matter of searching.

Other than that (or the dump method), I suppose you could write a program or script to brute force the password if you can come up with a set of passwords or password patterns that you usually use.

If you use patterns, e.g. <somebody's name><4 digits><2 symbols><obligatory curse word>, and know that each of those has 10 possibilities that you usually use, then you can store them all in a database and do a cross join to get the full set to use in a brute force attack. I've done it before, and it's pretty effective. Or you can just write up a program to do the cross join from string arrays for you. That's just a bunch of nested loops, so it's probably about as fast to write a custom program as to actually do it from a database.

However, I don't know of any MySQL password recovery tools.

Stoic Joker · « **Reply #4 on:** November 02, 2015, 03:13 PM »

If all went 'well', not the password is stored, but only a hash of it. Not knowing the hash method will make recovery very hard, especially if a generated password is used. Resetting the password may be the only plausible solution.
-Ath (November 02, 2015, 12:47 PM)

Shit... That's what I'd originally thought, but was hoping I was wrong.

The pw is stored in a copy MySQL workbench, so hopefully there are 2 possible angles of attack.
-Stoic Joker (November 02, 2015, 09:22 AM)
"Stored"? As in, you can start the workbench, and it will authenticate against the database? Then it should definitely be possible to extract.
-f0dder (November 02, 2015, 01:12 PM)

Yes ... But as to how to go about extracting it, I've not a clue.

The second part I may consider down the road, if Postgre is also free...and has the same level of readily available documentation. Is there a specific issue with MySQL that you're picking at here?

Other than that (or the dump method), I suppose you could write a program or script to brute force the password if you can come up with a set of passwords or password patterns that you usually use.
-Renegade (November 02, 2015, 01:33 PM)

Um... No. As I have a feeling I deviated radically from the mnemonics I usually use for this system.

Ath · « **Reply #5 on:** November 02, 2015, 03:44 PM »

Yes ... But as to how to go about extracting it, I've not a clue.
-Stoic Joker (November 02, 2015, 03:13 PM)

I assume, by context and fodder's creds, the extract is targeted at the data, not the password

After all, you won't need that password after you switch to Postgresql

f0dder · « **Reply #6 on:** November 03, 2015, 06:16 AM »

Yes ... But as to how to go about extracting it, I've not a clue.
-Stoic Joker (November 02, 2015, 03:13 PM)

It might be possible by doing a memory dump, or by sniffing network traffic while connecting to the database. Also, I'd be surprised if there isn't a tool out there somewhere to do it, but a few quick google searches just gave me "reset root password" stuff.

The second part I may consider down the road, if Postgre is also free...and has the same level of readily available documentation. Is there a specific issue with MySQL that you're picking at here?
-Stoic Joker (November 02, 2015, 03:13 PM)

Gratis and Libre, and not entangled in whOracle's nasty tentacles - also a proper database, and one I see much fewer horror stories about on our techies mailing-list than MySQL/MariaDB

f0dder · « **Reply #7 on:** November 03, 2015, 06:30 AM »

Right, took a look at the MySQL Workbench sourcecode - passwords seem to be stored in workbench_user_data.dat, protected with the CryptProtectData WIN32 API - without any application-specific entropy. So it should be pretty trivial to decrypt - as long as you have access to the user account the workbench was run from

Also, from my quick spelunking it looks like the passwords are kept unencrypted in memory, so a process memory dump should also work, although there's the needle/haystack issue with that.

Stoic Joker · « **Reply #8 on:** November 03, 2015, 06:49 AM »

Right, took a look at the MySQL Workbench sourcecode - passwords seem to be stored in workbench_user_data.dat, protected with the CryptProtectData WIN32 API - without any application-specific entropy. So it should be pretty trivial to decrypt - as long as you have access to the user account the workbench was run from
-f0dder (November 03, 2015, 06:30 AM)

hehe Well... I am the user account the workbench was/is run from, so that part's covered. However I fear we may have slightly different perceptions of what is trivial..

..As I have no where near your background in Crypto. So if you could give me a hint or two on how to hang the code together it would be greatly appreciated.

f0dder · « **Reply #9 on:** November 03, 2015, 07:19 AM »

However I fear we may have slightly different perceptions of what is trivial..
-Stoic Joker (November 03, 2015, 06:49 AM)

Here you go, my friend - trivial

Without all the file opening and other red tape, it all boiled down to this:

Code: C++ [Select]

std::vector<unsigned char> decrypt(BYTE *input, size_t length) {
        DATA_BLOB inblob { length, input };
        DATA_BLOB outblob;
 
        if (!CryptUnprotectData(&inblob, NULL, NULL, NULL, NULL, CRYPTPROTECT_UI_FORBIDDEN, &outblob)) {
                throw std::runtime_error("Couldn't decrypt");
        }
 
        std::vector<unsigned char> output(length);
        memcpy(&output[0], outblob.pbData, outblob.cbData);
 
        return output;
}

Stoic Joker · « **Reply #10 on:** November 03, 2015, 11:31 AM »

Worked perfectly - Thank You!!

f0dder · « **Reply #11 on:** November 03, 2015, 11:34 AM »

Worked perfectly - Thank You!!
-Stoic Joker (November 03, 2015, 11:31 AM)

You're welcome - I'm glad it worked

mouser · « **Reply #12 on:** November 03, 2015, 08:23 PM »

wow that was cool to watch. people helping each other. nice

SeekerDK · « **Reply #13 on:** March 22, 2016, 05:21 AM »

Here you go, my friend - trivial
-f0dder (November 03, 2015, 07:19 AM)

Create an account just to thank for this

Thank you Google, donationcoder and of course f0dder

f0dder · « **Reply #14 on:** March 22, 2016, 07:07 AM »

You're welcome

nkatsar · « **Reply #15 on:** October 31, 2017, 09:51 AM »

You're welcome
-f0dder (March 22, 2016, 07:07 AM)

Thanks a lot for the decryption tool, still working for MySQL Workbench 6.3.9.

Even though Workbench can backup/restore connections, it does not save the passwords. With this tool I could easily copy the passwords to a new PC.

JarredTories · « **Reply #16 on:** December 13, 2017, 05:28 PM »

Joined just to thank @f0dder for his awesome program. Still works like a charm on my installation of MySQL Workbench 6.3 CE.

mouser · « **Reply #17 on:** December 13, 2017, 10:06 PM »

Thanks to Jared for taking time to post -- people don't realize that a simple thanks can mean a lot to a coder

themutilator · « **Reply #18 on:** July 02, 2018, 07:46 PM »

Just registered to say thanks, you bailed me out!

octothorpe_rekt · « **Reply #19 on:** August 13, 2018, 01:17 PM »

Here you go, my friend - trivial
-f0dder (November 03, 2015, 07:19 AM)

Just registered to say...

Nearly 5 years later, this is code is still saving people from ripping their hair out over a forgotten password. Thank you!

welltonthiago · « **Reply #20 on:** January 31, 2019, 10:44 AM »

In 2019, still working. Thanks

Astals · « **Reply #21 on:** April 08, 2020, 11:32 AM »

If you are like me and don't trust random binaries I created a python script to recover the MySQL Workbench Vault

https://github.com/astals/MySQL-Workbench-Password-Recovery