Nmap Development mailing list archives
[NSE Script] MySQL Server Information
From: Kris Katterjohn <katterjohn () gmail com>
Date: Sun, 16 Dec 2007 01:06:16 -0600
Hey nmap-dev!I've attached a new NSE script which connects to a MySQL server and prints information obtained from the greeting, such as the protocol and version numbers, thread id, capabilities, status, and password salt (handles both 8 and 20 byte salts).
I've put it in the "discovery" and "safe" categories. Here's an example: PORT STATE SERVICE REASON 3306/tcp open mysql syn-ack | MySQL Server Information: Protocol: 10 | Version: 5.0.45-Debian_1ubuntu3-log | Thread ID: 32| Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, SSL, Transactions, Secure Connection
| Status: Autocommit |_ Salt: (8"?VqV>o5YC"{i}X}0r Please let me know what you think! Thanks, Kris Katterjohn
-- Connect to MySQL server and print information such as the protocol and -- version numbers, thread id, status, capabilities and the password salt id = "MySQL Server Information" description = "Connects to a MySQL server and prints information" author = "Kris Katterjohn <katterjohn () gmail com>" license = "Look at Nmap's COPYING" categories = { "discovery", "safe" } require 'shortport' require 'bit' -- Grabs NUL-terminated string local getstring = function(orig) local str = "" local index = 1 while orig:byte(index) ~= 0 do str = str .. string.char(orig:byte(index)) index = index + 1 end return str end -- Convert two bytes into a number ntohs = function(num) local b1 = bit.band(num:byte(1), 255) local b2 = bit.band(num:byte(2), 255) return bit.bor(b1, bit.lshift(b2, 8)) end -- Convert three bytes into a number ntoh3 = function(num) local b1 = bit.band(num:byte(1), 255) local b2 = bit.band(num:byte(2), 255) local b3 = bit.band(num:byte(3), 255) return bit.bor(b1, bit.lshift(b2, 8), bit.lshift(b3, 16)) end -- Convert four bytes into a number ntohl = function(num) local b1 = bit.band(num:byte(1), 255) local b2 = bit.band(num:byte(2), 255) local b3 = bit.band(num:byte(3), 255) local b4 = bit.band(num:byte(4), 255) return bit.bor(b1, bit.lshift(b2, 8), bit.lshift(b3, 16), bit.lshift(b4, 24)) end -- Convert number to a list of capabilities for printing capabilities = function(num) local caps = "" if bit.bor(num, 1) then caps = caps .. "Long Passwords, " end if bit.bor(num, 8) then caps = caps .. "Connect with DB, " end if bit.bor(num, 32) then caps = caps .. "Compress, " end if bit.bor(num, 64) then caps = caps .. "ODBC, " end if bit.bor(num, 2048) then caps = caps .. "SSL, " end if bit.bor(num, 8192) then caps = caps .. "Transactions, " end if bit.bor(num, 32768) then caps = caps .. "Secure Connection, " end return caps:gsub(", $", "") end portrule = shortport.port_or_service(3306, "mysql") action = function(host, port) local sock local response = "" local output = "" sock = nmap.new_socket() sock:set_timeout(5000) sock:connect(host.ip, port.number) while true do local status, line = sock:receive_lines(1) if not status then break end response = response .. line end sock:close() local length = ntoh3(response:sub(1, 3)) if length ~= response:len() - 4 then return "Invalid greeting (Not MySQL?)" end -- Keeps track of where we are in the binary data local offset = 1 + 4 local protocol = response:byte(offset) offset = offset + 1 local version = getstring(response:sub(offset)) offset = offset + version:len() + 1 local threadid = ntohl(response:sub(offset, offset + 4)) offset = offset + 4 local salt = getstring(response:sub(offset)) offset = offset + salt:len() + 1 local caps = capabilities(ntohs(response:sub(offset, offset + 2))) offset = offset + 2 offset = offset + 1 local status = "" if ntohs(response:sub(offset, offset + 2)) == 2 then status = "Autocommit" end offset = offset + 2 offset = offset + 13 -- unused if response:len() - offset + 1 == 13 then salt = salt .. getstring(response:sub(offset)) end output = output .. "Protocol: " .. protocol .. "\n" output = output .. "Version: " .. version .. "\n" output = output .. "Thread ID: " .. threadid .. "\n" if caps:len() > 0 then output = output .. "Some Capabilities: " .. caps .. "\n" end if status:len() > 0 then output = output .. "Status: " .. status .. "\n" end output = output .. "Salt: " .. salt .. "\n" return output end
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- [NSE Script] MySQL Server Information Kris Katterjohn (Dec 15)
- Message not available
- Re: [NSE Script] MySQL Server Information Kris Katterjohn (Dec 16)
- Re: [NSE Script] MySQL Server Information jah (Dec 17)
- Re: [NSE Script] MySQL Server Information Kris Katterjohn (Dec 17)
- Re: [NSE Script] MySQL Server Information jah (Dec 18)
- Re: [NSE Script] MySQL Server Information Kris Katterjohn (Dec 18)
- Re: [NSE Script] MySQL Server Information Thomas Buchanan (Dec 18)
- Re: [NSE Script] MySQL Server Information Kris Katterjohn (Dec 18)
- Re: [NSE Script] MySQL Server Information jah (Dec 18)
- Re: [NSE Script] MySQL Server Information Fyodor (Dec 18)
- Re: [NSE Script] MySQL Server Information Kris Katterjohn (Dec 18)
- Re: [NSE Script] MySQL Server Information Kris Katterjohn (Dec 16)
- Message not available