Nmap Development mailing list archives

Re: MySQL scripts


From: David Fifield <david () bamsoftware com>
Date: Fri, 22 Jan 2010 14:34:01 -0700

On Fri, Jan 22, 2010 at 03:27:47PM -0600, Ron wrote:
On 01/22/2010 03:21 PM, David Fifield wrote:
Checking for an empty password is a special case of brute-force
guessing. Is MySQL commonly installed with a blank root password. Like,
is it installed that way by default or something? If it's not common
enough to be worth checking for on its own, I suggest combining it with
mysql-brute. Someone checking for blank passwords is also probably going
to want to check for other weak passwords.

By default, if you install MySQL from source, it creates four accounts  
with blank passwords:
root@localhost
root@[machine name]
[blank]@localhost
[blank]@[machine name]

Since those are the defaults, in some ways it makes sense to check them  
specially.

Thanks Ron. In that case, I agree it makes sense to have a separate
script. mysql-empty-password should check the blank user too.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


Current thread: