Nmap Development mailing list archives
Re: [NSE Script] MySQL Server Information
From: Thomas Buchanan <tbuchanan () thecompassgrp net>
Date: Tue, 18 Dec 2007 14:38:00 -0600
Rob Nicholls wrote:
The "sa" account (often setup with a blank password because the setup file for 2000 doesn't make much effort to stop you) is a default account used by MS SQL, not MySQL, so any checks would go into an MSSQL script (Thomas has already written a "Microsoft SQL Server information gathering script"). A check for a blank password might be okay (and possibly the password "sa"?), but nmap probably isn't the best place to test for passwords, and I suspect people would like to avoid accidentally locking out accounts or potentially cause a denial of service (for any service).
Thanks for the mention, Rob. The MSSQLm.nse script that currently ships with Nmap 4.50 does check for 'sa' with a blank password. I also have a patch for that script that extends it to check for 'sa' with password = 'password', but I haven't had a chance to send that to the list yet. I've also been working on a script to check for MySQL (not Microsoft SQL) servers with user = 'root', and either a blank password, or password = 'password'. However, that script isn't quite ready for primetime, especially since it relies on some NSE functionality that hasn't been integrated into mainline code yet (see http://seclists.org/nmap-dev/2007/q4/0472.html )
A bit off-topic, but if you're interested in checking a service for "easy" passwords, you might want to try a dedicated tool such as hydra: http://freeworld.thc.org/thc-hydra/
I'd second this suggestion. Hydra is a wonderful tool for finding common passwords to a large number of different network services. Thomas _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Re: [NSE Script] MySQL Server Information, (continued)
- Re: [NSE Script] MySQL Server Information Kris Katterjohn (Dec 18)
- Re: [NSE Script] MySQL Server Information jah (Dec 18)
- Re: [NSE Script] MySQL Server Information Kris Katterjohn (Dec 18)
- Re: [NSE Script] MySQL Server Information Fyodor (Dec 18)
- RE: [NSE Script] MySQL Server Information Rob Nicholls (Dec 18)
- Re: [NSE Script] MySQL Server Information jah (Dec 18)
- Re: [NSE Script] MySQL Server Information Fyodor (Dec 18)
- Re: [NSE Script] MySQL Server Information jah (Dec 18)
- RE: [NSE Script] MySQL Server Information Rob Nicholls (Dec 18)
- Re: [NSE Script] MySQL Server Information Thomas Buchanan (Dec 18)
- Re: [NSE Script] MySQL Server Information sawall (Dec 18)
- Re: [NSE Script] MySQL Server Information Fyodor (Dec 18)