Password Cracking: PostgreSQL
This article covers how to identify and brute force PostgreSQL logins using common tools, from quick single host tests to automated multi host attacks during internal assessments.
MITRE ATT&CK Techniques
- T1110.001 – Brute Force: Password Guessing
- T1046 – Network Service Scanning
- T1078 – Valid Accounts
Table of Contents
Introduction
Enumeration
- Scan for Open PostgreSQL Port with Nmap
Brute-Force Techniques
- Hydra
- Metasploit
- Medusa
- Ncrack
- Patator
- Nmap NSE Script (pgsql-brute.nse)
- BruteSpray
Introduction
PostgreSQL is a robust open source database typically running on port 5432. It uses password based authentication and is vulnerable to brute force attacks if exposed to untrusted networks or misconfigured.
Enumeration
Nmap Scan
Run an Nmap scan to discover open PostgreSQL services and detect version info:
nmap -p 5432 -sV 192.168.1.13
Explanation:
- -p 5432: Scans for the default PostgreSQL service on port 5432.
- -sV: Enables version detection to identify the specific PostgreSQL version running on the target host.
Once Nmap confirms that port 5432 is open and a PostgreSQL service is active, this information can be used to select appropriate brute force tools, script modules, or potential version based vulnerabilities.
Defensive Strategy:
Use IDS/IPS to flag scans. Restrict PostgreSQL access to known IP ranges using firewalls.
Brute-Force Techniques
Tools Quick Reference
Hydra
Hydra is a powerful tool used for brute-force attacks. It’s often used to test PostgreSQL logins. It works with username and password lists (user.txt and pass.txt) to quickly try logging in to exposed services. This makes it helpful for finding weak or default passwords.
Step To Reproduce
Brute-force PostgreSQL with parallel login attempts using username and password lists by running the following command:
hydra -L users.txt -P pass.txt 192.168.1.13 postgres
Explanation:
- -L users.txt: Specifies the path to the username list.
- -P pass.txt: Specifies the path to the password list.
- 192.168.1.13: Target IP address.
- postgres: Protocol to attack.
Detection Strategy:
Enable log_connections and log_failed_login_attempts in PostgreSQL. Apply IP based throttling via fail2ban or firewalls. Monitor failed login bursts via SIEM.
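As an added example (not part of the original article), the following Python script implements the detection this section recommends: it parses PostgreSQL log lines and flags any client address that produces a burst of failed password authentications, which is exactly the pattern a Hydra, Medusa or Ncrack run leaves on the server. It assumes `log_connections = on` and a `log_line_prefix` of `'%m [%p] %h '` so that the client address appears on every line (the default prefix `'%m [%p] '` omits it); PostgreSQL itself logs a failed password as a FATAL `password authentication failed for user "..."` message. The log lines embedded below are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches lines written with log_line_prefix = '%m [%p] %h ' (assumed setting):
# "<timestamp> <tz> [<pid>] <client> <LEVEL>:  <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ \[\d+\] "
    r"(?P<host>\S+) (?P<level>LOG|FATAL):\s+(?P<msg>.*)$"
)
FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]*)"')
CONN_RE = re.compile(r"connection received: host=(?P<host>\S+) port=\d+")

# Constructed sample: one client hammers three accounts within 100 ms (a wordlist
# attack), another client mistypes a password once and then logs in.
SAMPLE_LOG = """\
2024-05-01 10:00:01.101 UTC [4101] 10.0.0.5 LOG:  connection received: host=10.0.0.5 port=51000
2024-05-01 10:00:01.118 UTC [4101] 10.0.0.5 FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:01.130 UTC [4102] 10.0.0.5 FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:01.142 UTC [4103] 10.0.0.5 FATAL:  password authentication failed for user "admin"
2024-05-01 10:00:01.155 UTC [4104] 10.0.0.5 FATAL:  password authentication failed for user "admin"
2024-05-01 10:00:01.170 UTC [4105] 10.0.0.5 FATAL:  password authentication failed for user "backup"
2024-05-01 10:00:01.182 UTC [4106] 10.0.0.5 FATAL:  password authentication failed for user "backup"
2024-05-01 10:03:00.000 UTC [4200] 10.0.0.9 FATAL:  password authentication failed for user "alice"
2024-05-01 10:03:05.000 UTC [4201] 10.0.0.9 LOG:  connection authorized: user=alice database=app
"""


def parse_line(line):
    """Return (timestamp, client_host, kind, user) or None.

    kind is "conn" for a connection-received line and "fail" for a failed
    password authentication; other lines are ignored.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    msg = m.group("msg")
    fail = FAIL_RE.search(msg)
    if m.group("level") == "FATAL" and fail:
        return (ts, m.group("host"), "fail", fail.group("user"))
    conn = CONN_RE.search(msg)
    if m.group("level") == "LOG" and conn:
        return (ts, conn.group("host"), "conn", None)
    return None


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with >= threshold failed logins inside a sliding time window.

    Returns {client_host: {"failures": peak count in window,
                           "users": sorted distinct usernames attempted}}.
    """
    recent = defaultdict(deque)   # client -> timestamps of failures still in window
    users = defaultdict(set)      # client -> usernames it failed against
    alerts = {}
    for line in lines:
        event = parse_line(line)
        if event is None or event[2] != "fail":
            continue
        ts, host, _, user = event
        q = recent[host]
        q.append(ts)
        users[host].add(user)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peak = max(len(q), alerts.get(host, {}).get("failures", 0))
            alerts[host] = {"failures": peak, "users": sorted(users[host])}
    return alerts


if __name__ == "__main__":
    for client, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {client}: {info['failures']} failed logins, users tried: {info['users']}")
```

With a threshold of five failures in sixty seconds, the Hydra run above trips the alert within its first second while the single typo from 10.0.0.9 stays silent. The script keys on the client address rather than the PID because PostgreSQL forks a new backend for every connection, so each attempt in a brute-force run appears under a different PID. The same logic can be fed from `tail -f` or expressed as a SIEM correlation rule.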
Metasploit
Metasploit offers a dedicated module for brute forcing PostgreSQL logins, ideal for red team use. With support for user.txt and pass.txt, it enables structured, automated attempts that integrate well into post exploitation workflows.
Step To Reproduce
msf6 > use auxiliary/scanner/postgres/postgres_login
msf6 auxiliary(scanner/postgres/postgres_login) > set rhosts 192.168.1.13
msf6 auxiliary(scanner/postgres/postgres_login) > set user_file users.txt
msf6 auxiliary(scanner/postgres/postgres_login) > set pass_file pass.txt
msf6 auxiliary(scanner/postgres/postgres_login) > set verbose false
msf6 auxiliary(scanner/postgres/postgres_login) > run
Explanation:
- use auxiliary/scanner/postgres/postgres_login: Loads the PostgreSQL login scanner module used for brute force authentication.
- set rhosts 192.168.1.13: Specifies the IP address of the target PostgreSQL server.
- set user_file users.txt: Defines the file containing potential usernames.
- set pass_file pass.txt: Defines the file containing passwords to pair with the usernames.
- set verbose false: Disables verbose output to reduce console noise during the brute force process.
- run: Executes the module and begins testing all username password combinations against the PostgreSQL service.
Defensive Control:
Use pg_hba.conf to restrict access to known IP ranges. Enable PostgreSQL logging (log_connections, log_disconnections) and integrate with SIEM tools for correlation and alerting.
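As an added example, not taken from the article, here is the permissive pg_hba.conf rule that leaves a server open to the wordlist attacks described above, beside a hardened version that restricts access to known ranges as this section recommends, followed by the postgresql.conf logging settings it relies on. The subnets, database name and role names are assumptions chosen for illustration.

```conf
# --- pg_hba.conf, weak (constructed example): every address may attempt
# password authentication against every role, so a wordlist attack is only
# a matter of time.
# TYPE   DATABASE   USER   ADDRESS        METHOD
host     all        all    0.0.0.0/0      md5

# --- pg_hba.conf, hardened (constructed example; subnets and names are assumed).
# Records are evaluated top to bottom and the first match wins.
# TYPE     DATABASE   USER       ADDRESS          METHOD
# superuser only over the local Unix socket, authenticated by OS identity
local      all        postgres                    peer
# application tier: one role, one database, one subnet, TLS required
hostssl    appdb      app_user   10.20.30.0/24    scram-sha-256
# administrators only from a single jump host
hostssl    all        dba_role   10.20.40.7/32    scram-sha-256
# everything else is refused; each refusal is logged as a FATAL
# "pg_hba.conf rejects connection" line, which is itself a detection signal
host       all        all        0.0.0.0/0        reject
host       all        all        ::/0             reject

# --- postgresql.conf fragment: the logging and hashing this section depends on
listen_addresses    = '10.20.30.10'     # bind the internal interface only, never '*'
password_encryption = scram-sha-256     # new passwords are stored as SCRAM, not md5
log_connections     = on
log_disconnections  = on
log_line_prefix     = '%m [%p] %h '     # put the client address on every log line
```

Reload with `SELECT pg_reload_conf();` after editing either file; pg_hba.conf changes take effect without a restart, whereas `listen_addresses` requires one.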
Medusa
Medusa is a fast tool made for trying many username and password combinations. It’s useful for testing PostgreSQL logins. It can handle large lists (like user.txt and pass.txt) at the same time, which makes it quick and effective for testing inside networks. Its results are simple and can be used easily in other tools or scripts.
Step To Reproduce
Below we have successfully grabbed credentials using the following command:
medusa -h 192.168.1.13 -U users.txt -P pass.txt -M postgres | grep SUCCESS
Explanation:
- medusa: Invokes the Medusa brute force tool.
- -h 192.168.1.13: Specifies the IP address of the target machine.
- -U: Points to a file containing a list of usernames to try.
- -P: Points to a file containing a list of passwords.
- -M postgres: Indicates that the PostgreSQL module should be used for this attack.
- | grep SUCCESS: Filters the command output to display only successful login attempts, making it easier to identify valid credentials.
Defensive Strategy:
Use SIEM to detect bursts of login attempts. Enable rate limiting via PostgreSQL middleware (e.g., pgBouncer). Enforce account lockout policies where possible.
Ncrack
Ncrack, developed by the creators of Nmap, is a high speed tool for testing PostgreSQL logins across large environments. Its multi threaded design enables quick credential checks, making it effective for spotting reused or default passwords in enterprise deployments.
Step To Reproduce
Use Ncrack to perform high speed PostgreSQL login testing on a target IP.
ncrack -U user.txt -P pass.txt 192.168.1.13 -p 5432
Explanation:
- ncrack: Launches the Ncrack password cracking tool.
- -U user.txt: Indicates the file containing a list of potential usernames.
- -P pass.txt: Indicates the file containing a list of potential passwords.
- -p 5432: Specifies the PostgreSQL default port for authentication attempts.
Defensive Strategy:
Use PostgreSQL’s native logging to detect rapid logins. Limit connection rates per IP. Implement firewall based IP filtering and alert on excessive connection attempts.
Patator
Patator is a flexible tool used for brute-force attacks. It can try to log in to PostgreSQL servers. It has features like smart error handling, custom retry options, and adjustable delays between attempts. These features help avoid detection and make it useful when you need to stay hidden.
Step To Reproduce
Launch adaptive brute force attempts against PostgreSQL using Patator by running the following command:
patator pgsql_login host=192.168.1.13 user=FILE0 0=users.txt password=FILE1 1=pass.txt
Explanation:
- patator: Launches the Patator brute force tool.
- pgsql_login: Specifies the module for PostgreSQL login attempts.
- host=192.168.1.13: Indicates the target machine’s IP address.
- user=FILE0 0=users.txt: Assigns FILE0 as a placeholder for usernames, pulling values from users.txt.
- password=FILE1 1=pass.txt: Assigns FILE1 as a placeholder for passwords, pulling values from pass.txt.
Note: You can add | grep '200 OK' or -x ignore:code=530 for success filtering or to skip known failed responses based on Patator's output codes.
Defensive Suggestion:
Monitor PostgreSQL for repetitive failed login patterns. Use network level throttling. Detect Patator’s retry logic via behavioral SIEM correlation.
Nmap NSE Script
Nmap is a powerful tool for scanning and gathering information about systems. It supports scripts through something called the Nmap Scripting Engine (NSE). One script, pgsql-brute, is used to try many usernames and passwords to break into PostgreSQL servers using your own wordlists.
This script is particularly effective during early discovery phases to check for weak credentials directly in conjunction with version and port scanning.
Step To Reproduce
Perform brute force login testing on PostgreSQL directly from Nmap using NSE by running the following command:
nmap -p5432 --script pgsql-brute.nse --script-args userdb=users.txt,passdb=pass.txt 192.168.1.13
Explanation:
- -p5432: Scans the default port used by PostgreSQL.
- --script pgsql-brute.nse: Specifies the use of the PostgreSQL brute force NSE script.
- --script-args userdb=users.txt,passdb=pass.txt: Provides the script with your custom username and password lists.
This method is especially useful during early stage reconnaissance to identify weak or default PostgreSQL credentials on a target system.
Defensive Strategy:
Track login failures originating from Nmap/NSE patterns. Alert on rapid session initiations. Limit PostgreSQL exposure to known IP ranges and apply TLS with authentication.
BruteSpray
BruteSpray helps automate login attempts (credential spraying) on services found using Nmap scans. It reads Nmap’s GNMAP output to find PostgreSQL servers and tries to log in using lists of usernames and passwords (user.txt and pass.txt). It spreads out the attempts to avoid getting detected.
Steps To Reproduce:
Spray credentials across multiple PostgreSQL hosts parsed from an Nmap GNMAP file. First, scan and save the output to a file for later use with BruteSpray by running the following command:
nmap -p 5432 192.168.1.13 -oG pgsql_scan.txt
Explanation:
- nmap: Network scanning tool used to discover hosts and services.
- -p 5432: Scans only port 5432, the default port for PostgreSQL.
- 192.168.1.13: Target IP address to scan.
- -oG pgsql_scan.txt: Saves the scan output in grepable format to the file pgsql_scan.txt.
brutespray -f pgsql_scan.txt -u users.txt -p pass.txt
Explanation:
- brutespray: Launches the BruteSpray tool for automated credential spraying.
- -f pgsql_scan.txt: Specifies the Nmap output file to use.
- -u users.txt: Path to the list of usernames.
- -p pass.txt: Path to the list of passwords.
Defensive Strategy:
Analyze PostgreSQL logs across systems for distributed spray attempts. Use correlation in SIEM tools. Implement connection throttling via proxy layers or PostgreSQL middleware.
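The per-host thresholds that catch a single Hydra or Medusa run miss a spray like the BruteSpray one above, which spreads only a couple of attempts over each server. As an added example (not from the article), the following Python code performs the cross-system correlation this section calls for on already-normalized events, the form a SIEM holds after parsing each server's PostgreSQL log: it reports a source address that fails against many different database hosts (spray fan-out) and a username that fails from many different source addresses (a distributed attack on one account). The event records, host names and addresses are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalized failed-login events as a SIEM would store them
# after parsing each server's log: (timestamp, db_host, source_ip, username).
# Every database host sees only two failures, below a typical per-host threshold.
SAMPLE_EVENTS = [
    (datetime(2024, 5, 1, 10, 0, 0), "pg-01", "10.0.0.5", "postgres"),
    (datetime(2024, 5, 1, 10, 0, 2), "pg-01", "10.0.0.5", "admin"),
    (datetime(2024, 5, 1, 10, 0, 4), "pg-02", "10.0.0.5", "postgres"),
    (datetime(2024, 5, 1, 10, 0, 6), "pg-02", "10.0.0.5", "admin"),
    (datetime(2024, 5, 1, 10, 0, 8), "pg-03", "10.0.0.5", "postgres"),
    (datetime(2024, 5, 1, 10, 0, 10), "pg-03", "10.0.0.5", "admin"),
    # distributed: three sources each try the same service account once
    (datetime(2024, 5, 1, 10, 1, 0), "pg-01", "198.51.100.7", "svc_backup"),
    (datetime(2024, 5, 1, 10, 1, 3), "pg-02", "198.51.100.8", "svc_backup"),
    (datetime(2024, 5, 1, 10, 1, 6), "pg-03", "198.51.100.9", "svc_backup"),
    # benign: a single typo from a workstation an hour earlier
    (datetime(2024, 5, 1, 9, 0, 0), "pg-01", "10.0.1.20", "alice"),
]


def distinct_in_window(pairs, window):
    """Largest set of distinct values whose timestamps fit inside one window.

    pairs is a list of (timestamp, value); a two-pointer sweep over the sorted
    list keeps the work linear in the number of events.
    """
    pairs = sorted(pairs)
    best, lo = set(), 0
    for hi in range(len(pairs)):
        while pairs[hi][0] - pairs[lo][0] > window:
            lo += 1
        current = {value for _, value in pairs[lo:hi + 1]}
        if len(current) > len(best):
            best = current
    return best


def correlate_spray(events, window=timedelta(minutes=5), min_hosts=3, min_sources=3):
    """Correlate failed logins across database hosts.

    Returns {"fanout": {source_ip: [db hosts hit]},
             "distributed": {username: [source ips used]}}.
    """
    by_source = defaultdict(list)   # source_ip -> [(ts, db_host)]
    by_user = defaultdict(list)     # username  -> [(ts, source_ip)]
    for ts, host, src, user in events:
        by_source[src].append((ts, host))
        by_user[user].append((ts, src))

    fanout = {}
    for src, hits in by_source.items():
        hosts = distinct_in_window(hits, window)
        if len(hosts) >= min_hosts:
            fanout[src] = sorted(hosts)

    distributed = {}
    for user, hits in by_user.items():
        sources = distinct_in_window(hits, window)
        if len(sources) >= min_sources:
            distributed[user] = sorted(sources)

    return {"fanout": fanout, "distributed": distributed}


if __name__ == "__main__":
    result = correlate_spray(SAMPLE_EVENTS)
    for src, hosts in result["fanout"].items():
        print(f"SPRAY source {src} failed against {len(hosts)} hosts: {hosts}")
    for user, sources in result["distributed"].items():
        print(f"DISTRIBUTED account {user} targeted from {len(sources)} sources: {sources}")
```

The two views are complementary: fan-out catches one scanner walking a GNMAP host list, while the per-user view catches an attacker who rotates source addresses to stay under per-IP limits. Both thresholds should be tuned against a baseline of the environment's normal failed-login rate before the rule is allowed to page anyone.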
PostgreSQL Brute-Force – Offense, Defence & MITRE Mapping
Defence-in-Depth Summary
Author: Kinjal Patel is a seasoned penetration tester and technical content writer. Contact at LinkedIn