Re: [NSE Script] MySQL Server Information

[Kris Katterjohn <katterjohn () gmail com>]

jah wrote:
> On 18/12/2007 06:22, Kris Katterjohn wrote:
> > I grepped the nmap-service-probes and saw "unauthorized" with a 
> > lowercase and uppercase U, so I edited that part.  I saw no 
> > occurrences of your suggested "unauthorised" in there, so I didn't add 
> > that.
> I noticed that too, but my testing showed that string.match(s,pattern) 
> that I used, matched regardless of case.  (My testing involved changing 
> the case of pattern rather than of anything in nmap-service-probes, 
> which may have been flawed thinking).  What's the difference between 
> string.match(s,pattern) and s:match(pattern), is it the same operation 
> expressed differently?

That's interesting about match().  I don't think your test was flawed, 
because I would've tried that myself :) I haven't read anywhere that 
explicitly states it's case-insensitive, and grepping in scripts/ shows 
that HTTPAuth.nse contains a character set of "[Aa]" in there.. but 
Thomas could just be as confused as me :)  I'll leave it for now since 
I'm not sure (but if we can find a link showing that it is, in fact, 
case insensitive I'll certainly remove it).

And you're correct in that the different ways of calling match() do the 
same thing; I like the other way because it's a tad shorter and reduces 
redundancy (as in the portrule).

> > I added a check for too many connections, which I saw in the probes 
> > file.  It should match the different little versions of it from there, 
> > though I didn't find a server with that error to test with.
> This was my challenge for the day, find a server that reported 1040 Too 
> Many Connections.  I couldn't.  So I set about creating one and after 
> much fiddling with users and the max_connections mysql variable and much 
> hair-pulling, I conclude that the 1040 error seems only to occur after a 
> login request is sent to the server.  I was able to put my sql server in 
> a state where it would respond with 1040, but only after login request.  
> The Server Greeting is sent prior to this so the script can still get 
> it's info.  Therefore, I would say that the extra portrule may be 
> unnecessary.  I haven't made any changes though because it's not hurting 
> anything and I may still be proved wrong...

That's odd because there are multiple match lines in the -probes file 
that look for too many connections from just the banner (NULL probe).  I 
guess we'll just have to see about that! :)

> > Another change was just for personal preference :) Instead of 
> > indenting the rest of the script after the protocol vs. error check, I 
> > just return from that if() and the rest was as before.  I just think 
> > it's too long to warrant the extra indentation.
> Yep, that looks much better!
>
> You might like to remove the require for shortport line, other than 
> that, job's a good'n!  As an approximation, I've found that 30-40% of 
> hosts with a mysql port open don't give "unauthorised" and successfully 
> send the server greeting which your script captures.  Well worth the 
> effort you put in writing the script, I'd say.  And I reckon there'll be 
> a demand for checking default/weak/blank pwds...

Ah, yes, I knew I was forgetting something :)

I hope people find it useful.  I'll look into adding other things, like 
attempting logins, etc.

> I found another oddity, not with your script, but with 
> socket_object:set_timeout(t).  Having read the nmap network I/O api page 
> [1] I read your script sock:set_timeout(5000) as 50 seconds which I 
> thought was rather excessive.  But I confirmed that the timeout is, as 
> I'm sure you intended, 5s.  Is this an error in the docs do you think?  
> Perhaps something changed, but the doc didn't get updated?

Hmm.. that's interesting as well!

I'm not sure what happened with that.  I don't have access to change it, 
so hopefully somebody corrects the problem.

> jah

Thanks,
Kris Katterjohn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org