Nmap Development mailing list archives
Re: [NSE] mysql-enum user enumeration script
From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Tue, 11 Dec 2012 11:56:29 +0100
Hi Patrik, thanks for comments, I added a check for that "hostname is blocked" case. Now the script will bail out as soon as it gets that error. I just can't say I'm sure when is this error triggered, I can't get consistent results. Wonder if some sort of rate limiting would prevent it ? Also, I've fixed the indentation issues. , Aleksandar On 12/8/2012 6:57 PM, Patrik Karlsson wrote:
Alexandar, I tried this script and didn't get it to show any users even though they existed. I tracked the problem down to the server returning the following message; "hostname is blocked because of many connection errors; unblock with 'mysqladmin flush-hosts'" I think the script needs to handle this error message and report back to avoid false negatives. There were also some indentation cleanup that needed to be done. Thanks, Patrik On Sat, Dec 8, 2012 at 10:20 AM, Aleksandar Nikolic <nikolic.alek () gmail com <mailto:nikolic.alek () gmail com>> wrote: Resending this as i didn't get any comments , and I guess it might not have got attention due to list changing ... -------- Original Message -------- Subject: [NSE] mysql-enum user enumeration script Date: Mon, 03 Dec 2012 21:38:59 +0100 From: Aleksandar Nikolic <nikolic.alek () gmail com <mailto:nikolic.alek () gmail com>> To: nmap-dev () insecure org <mailto:nmap-dev () insecure org> Hi all , been a long time since I contributed something :) As you might have noticed, kingcope released quite a number of mysql vulns over the weekend, one of them being an user enumeration vulnerability which sounded like a perfect candidate for a NSE script (original release : http://seclists.org/fulldisclosure/2012/Dec/9 ). So here is my rough draft for it. The vuln lies in the fact that MySQL server, when it gets connection from a client using old authentication mechanism, responds in different ways when user does and does not exist. Basically , when user does not exist, the server replies with "Access denied for user..." immediately, else it waits for a password. I might be a little rusty with Lua and nmap dev , so do point out your ideas and suggestions for improvements. Aleksandar _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/ -- Patrik Karlsson http://www.cqure.net http://twitter.com/nevdull77
Attachment:
mysql-enum.nse
Description:
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] mysql-enum user enumeration script Aleksandar Nikolic (Dec 03)
- Fwd: [NSE] mysql-enum user enumeration script Aleksandar Nikolic (Dec 08)
- Re: [NSE] mysql-enum user enumeration script Patrik Karlsson (Dec 08)
- Re: [NSE] mysql-enum user enumeration script Aleksandar Nikolic (Dec 11)
- Re: [NSE] mysql-enum user enumeration script Aleksandar Nikolic (Dec 16)
- Re: [NSE] mysql-enum user enumeration script Patrik Karlsson (Dec 16)
- Re: [NSE] mysql-enum user enumeration script Aleksandar Nikolic (Dec 17)
- Re: [NSE] mysql-enum user enumeration script Patrik Karlsson (Dec 08)
- Fwd: [NSE] mysql-enum user enumeration script Aleksandar Nikolic (Dec 08)