Nmap Development mailing list archives
Re: [NSE Script] MySQL Server Information
From: Kris Katterjohn <katterjohn () gmail com>
Date: Tue, 18 Dec 2007 13:56:26 -0600
jah wrote:
On 18/12/2007 06:22, Kris Katterjohn wrote:I grepped the nmap-service-probes and saw "unauthorized" with a lowercase and uppercase U, so I edited that part. I saw no occurrences of your suggested "unauthorised" in there, so I didn't add that.I noticed that too, but my testing showed that string.match(s,pattern) that I used, matched regardless of case. (My testing involved changing the case of pattern rather than of anything in nmap-service-probes, which may have been flawed thinking). What's the difference between string.match(s,pattern) and s:match(pattern), is it the same operation expressed differently?
That's interesting about match(). I don't think your test was flawed, because I would've tried that myself :) I haven't read anywhere that explicitly states it's case-insensitive, and grepping in scripts/ shows that HTTPAuth.nse contains a character set of "[Aa]" in there... but Thomas could just be as confused as me :) I'll leave it for now since I'm not sure (but if we can find a link showing that it is, in fact, case insensitive I'll certainly remove it). And you're correct in that the different ways of calling match() do the same thing; I like the other way because it's a tad shorter and reduces redundancy (as in the portrule).
>> I added a check for too many connections, which I saw in the probes file. It should match the different little versions of it from there, though I didn't find a server with that error to test with.
>
> This was my challenge for the day: find a server that reported 1040 Too Many Connections. I couldn't. So I set about creating one and, after much fiddling with users and the max_connections mysql variable and much hair-pulling, I conclude that the 1040 error seems only to occur after a login request is sent to the server. I was able to put my sql server in a state where it would respond with 1040, but only after a login request. The Server Greeting is sent prior to this, so the script can still get its info. Therefore, I would say that the extra portrule may be unnecessary. I haven't made any changes though because it's not hurting anything and I may still be proved wrong...
That's odd because there are multiple match lines in the -probes file that look for too many connections from just the banner (NULL probe). I guess we'll just have to see about that! :)
>> Another change was just for personal preference :) Instead of indenting the rest of the script after the protocol vs. error check, I just return from that if() and the rest was as before. I just think it's too long to warrant the extra indentation.
>
> Yep, that looks much better! You might like to remove the require for shortport line; other than that, job's a good'n! As an approximation, I've found that 30-40% of hosts with a mysql port open don't give "unauthorised" and successfully send the server greeting, which your script captures. Well worth the effort you put in writing the script, I'd say. And I reckon there'll be a demand for checking default/weak/blank pwds...
Ah, yes, I knew I was forgetting something :) I hope people find it useful. I'll look into adding other things, like attempting logins, etc.
> I found another oddity, not with your script, but with socket_object:set_timeout(t). Having read the nmap network I/O api page [1], I read your script's sock:set_timeout(5000) as 50 seconds, which I thought was rather excessive. But I confirmed that the timeout is, as I'm sure you intended, 5s. Is this an error in the docs, do you think? Perhaps something changed, but the doc didn't get updated?
Hmm.. that's interesting as well! I'm not sure what happened with that. I don't have access to change it, so hopefully somebody corrects the problem.
> jah
Thanks,
Kris Katterjohn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
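The distinction the thread turns on (a server greeting arriving on connect versus an error packet such as 1040 "Too many connections" or a host-denied error, all before any login is sent) is shown below as an added example. It is not the NSE script under discussion and not Nmap code, and it is written in Python rather than NSE's Lua so it runs stand-alone. The packets are constructed by hand for the example (the server version, thread id, salt and message texts are invented); the error codes 1040 and 1130 and the packet layout (3-byte little-endian length, sequence byte, then either 0xFF plus a 16-bit error code or the protocol-10 greeting) are MySQL's own. Lua patterns, like Python's re by default, are case-sensitive and have no case-insensitive flag, so the banner matchers spell the case variants out with character classes, the same idiom as the "[Aa]" class mentioned above.

```python
import re
import struct

# Added example, not the NSE script from this thread and not Nmap code:
# parse the first packet a MySQL server sends on connect and classify it the
# way a banner-grabbing script must, i.e. without ever sending a login.
# Every packet below is constructed by hand for the example, not captured
# from a real server.

MYSQL_PROTOCOL_10 = 10
ERR_HEADER = 0xFF

# Error codes as defined by MySQL.
ER_CON_COUNT_ERROR = 1040       # "Too many connections"
ER_HOST_NOT_PRIVILEGED = 1130   # "Host '...' is not allowed to connect ..."

# Neither Lua patterns nor a default Python re are case-insensitive, so the
# variants are listed with character classes; both spellings of
# "unauthorised"/"unauthorized" from the thread are covered.
DENIED_RE = re.compile(rb"[Uu]nauthori[sz]ed|not allowed to connect")
BUSY_RE = re.compile(rb"[Tt]oo [Mm]any [Cc]onnections")


def mysql_packet(body, seq=0):
    """Wrap a payload in the 4-byte MySQL packet header (3-byte LE length, seq)."""
    return struct.pack("<I", len(body))[:3] + bytes([seq]) + body


def build_greeting(version=b"5.0.45", thread_id=42, salt=b"abcdefgh"):
    """Constructed protocol-10 server greeting with the fields a banner script reports."""
    body = (
        bytes([MYSQL_PROTOCOL_10])
        + version + b"\x00"              # NUL-terminated server version
        + struct.pack("<I", thread_id)   # connection/thread id
        + salt + b"\x00"                 # 8-byte scramble + filler byte
        + struct.pack("<H", 0xF7FF)      # capability flags (low 16 bits)
        + bytes([8])                     # character set (8 = latin1)
        + struct.pack("<H", 0x0002)      # status flags (SERVER_STATUS_AUTOCOMMIT)
        + b"\x00" * 13                   # remainder of the greeting, not parsed here
    )
    return mysql_packet(body)


def build_error(code, message, sql_state=None):
    """Constructed error packet: 0xFF, LE error code, optional '#' + SQLSTATE, text."""
    body = bytes([ERR_HEADER]) + struct.pack("<H", code)
    if sql_state is not None:
        body += b"#" + sql_state
    return mysql_packet(body + message)


def parse_first_packet(data):
    """Parse the server's first packet into a dict; raise ValueError if truncated."""
    if len(data) < 5:
        raise ValueError("packet shorter than header plus first byte")
    length = int.from_bytes(data[:3], "little")
    body = data[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated packet: header claims %d bytes, got %d" % (length, len(body)))

    if body[0] == ERR_HEADER:
        if len(body) < 3:
            raise ValueError("error packet too short for an error code")
        code = struct.unpack_from("<H", body, 1)[0]
        rest = body[3:]
        sql_state = None
        # Pre-4.1 servers, and errors sent before a login, may omit the SQLSTATE marker.
        if rest[:1] == b"#" and len(rest) >= 6:
            sql_state = rest[1:6].decode("ascii", "replace")
            rest = rest[6:]
        return {"kind": "error", "code": code, "sql_state": sql_state,
                "message": rest.decode("latin-1")}

    if body[0] == MYSQL_PROTOCOL_10:
        nul = body.find(b"\x00", 1)
        if nul < 0 or len(body) < nul + 19:
            raise ValueError("greeting truncated")
        return {
            "kind": "greeting",
            "protocol": 10,
            "version": body[1:nul].decode("ascii", "replace"),
            "thread_id": struct.unpack_from("<I", body, nul + 1)[0],
            "salt": body[nul + 5:nul + 13],
            "capabilities": struct.unpack_from("<H", body, nul + 14)[0],
            "charset": body[nul + 16],
            "status": struct.unpack_from("<H", body, nul + 17)[0],
        }

    return {"kind": "unknown", "first_byte": body[0]}


def classify(data):
    """Label the banner as greeting, busy (1040), denied, other error, or unknown."""
    info = parse_first_packet(data)
    if info["kind"] == "greeting":
        return "greeting"
    if info["kind"] == "error":
        msg = info["message"].encode("latin-1")
        if info["code"] == ER_CON_COUNT_ERROR or BUSY_RE.search(msg):
            return "busy"
        if info["code"] == ER_HOST_NOT_PRIVILEGED or DENIED_RE.search(msg):
            return "denied"
        return "error"
    return "unknown"


if __name__ == "__main__":
    samples = {
        "greeting": build_greeting(),
        "denied": build_error(ER_HOST_NOT_PRIVILEGED,
                              b"Host '192.0.2.10' is not allowed to connect to this MySQL server"),
        "busy": build_error(ER_CON_COUNT_ERROR, b"Too many connections", b"08004"),
    }
    for name, pkt in samples.items():
        print(name, "->", classify(pkt), parse_first_packet(pkt))
```

Matching on the numeric error code first and on the message text second is deliberate: the code is what the server guarantees, while the text is what a probes-file style match line sees, and a banner grabber wants both, since a server can reply with 1040 on the very first packet without a login ever being attempted.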
Current thread:
- [NSE Script] MySQL Server Information Kris Katterjohn (Dec 15)
- Message not available
- Re: [NSE Script] MySQL Server Information Kris Katterjohn (Dec 16)
- Re: [NSE Script] MySQL Server Information jah (Dec 17)
- Re: [NSE Script] MySQL Server Information Kris Katterjohn (Dec 17)
- Re: [NSE Script] MySQL Server Information jah (Dec 18)
- Re: [NSE Script] MySQL Server Information Kris Katterjohn (Dec 18)
- Re: [NSE Script] MySQL Server Information Thomas Buchanan (Dec 18)
- Re: [NSE Script] MySQL Server Information Kris Katterjohn (Dec 18)
- Re: [NSE Script] MySQL Server Information jah (Dec 18)
- Re: [NSE Script] MySQL Server Information Fyodor (Dec 18)
- Re: [NSE Script] MySQL Server Information Kris Katterjohn (Dec 18)
- Re: [NSE Script] MySQL Server Information jah (Dec 18)
- Re: [NSE Script] MySQL Server Information Brandon Enright (Dec 18)
- Re: [NSE Script] MySQL Server Information sawall (Dec 18)
- Re: [NSE Script] MySQL Server Information Kris Katterjohn (Dec 18)
- Re: [NSE Script] MySQL Server Information jah (Dec 18)
- Re: [NSE Script] MySQL Server Information Kris Katterjohn (Dec 16)
- Message not available