Nmap Development mailing list archives

Re: MySQL scripts

From: Patrik Karlsson <patrik () cqure net>
Date: Sat, 23 Jan 2010 23:08:34 +0100


On 22 jan 2010, at 22.34, David Fifield wrote:

On Fri, Jan 22, 2010 at 03:27:47PM -0600, Ron wrote:

On 01/22/2010 03:21 PM, David Fifield wrote:

Checking for an empty password is a special case of brute-force
guessing. Is MySQL commonly installed with a blank root password. Like,
is it installed that way by default or something? If it's not common
enough to be worth checking for on its own, I suggest combining it with
mysql-brute. Someone checking for blank passwords is also probably going
to want to check for other weak passwords.


By default, if you install MySQL from source, it creates four accounts  
with blank passwords:
root@localhost
root@[machine name]
[blank]@localhost
[blank]@[machine name]

Since those are the defaults, in some ways it makes sense to check them  
specially.


Thanks Ron. In that case, I agree it makes sense to have a separate
script. mysql-empty-password should check the blank user too.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/



I've added support for the anonymous account to mysql-empty-passwords. If a user with an empty name exists in MySQL you 
can authenticate anonymously. This basically means that you can authenticate using any username you want, given it's 
not the name of another user. Running the mysql-brute against a server with the anonymous account enabled will look as 
if all the guessed users will have access, which they sort of do.

Apart from this fix I think I've implemented the changes proposed by David in this post:
http://seclists.org/nmap-dev/2010/q1/227

In addition I've added query support to the MySQL library and three new scripts that make use of this: 
mysql-list-databases, mysql-list-users and mysql-show-variables. These scripts either take a username and password as 
script argument or depend on the mysql-brute and/or mysql-empty-password to supply it to them.

I'm attaching the scripts and the latest library. They're also available from here as usual:
http://www.cqure.net/wp/nmap-scripts/

For some sample output check out this blog post:
http://www.cqure.net/wp/2010/01/nmap-does-more-mysql/

//Patrik

Attachment: mysql-brute.nse
Description:

Attachment: mysql-empty-password.nse
Description:

Attachment: mysql-list-databases.nse
Description:

Attachment: mysql-list-users.nse
Description:

Attachment: mysql-show-variables.nse
Description:

Attachment: mysql.lua
Description:


--
Patrik Karlsson
http://www.cqure.net

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

MySQL scripts Patrik Karlsson (Jan 18)
- Re: MySQL scripts Fyodor (Jan 19)
  - Re: MySQL scripts Patrik Karlsson (Jan 19)
    - Re: MySQL scripts Ron (Jan 19)
- Re: MySQL scripts David Fifield (Jan 22)
  - Re: MySQL scripts Ron (Jan 22)
    - Re: MySQL scripts David Fifield (Jan 22)
    - Re: MySQL scripts Patrik Karlsson (Jan 23)
    - Re: MySQL scripts Ron (Jan 23)
    - Re: MySQL scripts Patrik Karlsson (Jan 23)
    - Re: MySQL scripts David Fifield (Jan 25)