Nmap Development mailing list archives

Re: MySQL scripts


From: David Fifield <david () bamsoftware com>
Date: Mon, 25 Jan 2010 13:06:16 -0700

On Sat, Jan 23, 2010 at 11:08:34PM +0100, Patrik Karlsson wrote:

On 22 jan 2010, at 22.34, David Fifield wrote:

On Fri, Jan 22, 2010 at 03:27:47PM -0600, Ron wrote:
On 01/22/2010 03:21 PM, David Fifield wrote:
Checking for an empty password is a special case of brute-force
guessing. Is MySQL commonly installed with a blank root password? Like,
is it installed that way by default or something? If it's not common
enough to be worth checking for on its own, I suggest combining it with
mysql-brute. Someone checking for blank passwords is also probably going
to want to check for other weak passwords.

By default, if you install MySQL from source, it creates four accounts  
with blank passwords:
root@localhost
root@[machine name]
[blank]@localhost
[blank]@[machine name]

Since those are the defaults, in some ways it makes sense to check them  
specially.

Thanks Ron. In that case, I agree it makes sense to have a separate
script. mysql-empty-password should check the blank user too.

I've added support for the anonymous account to mysql-empty-passwords.
If a user with an empty name exists in MySQL you can authenticate
anonymously. This basically means that you can authenticate using any
username you want, given it's not the name of another user. Running
the mysql-brute against a server with the anonymous account enabled
will look as if all the guessed users will have access, which they
sort of do.

Apart from this fix I think I've implemented the changes proposed by
David in this post:
http://seclists.org/nmap-dev/2010/q1/227

In addition I've added query support to the MySQL library and three
new scripts that make use of this: mysql-list-databases,
mysql-list-users and mysql-show-variables. These scripts either take a
username and password as script argument or depend on the mysql-brute
and/or mysql-empty-password to supply it to them.

You are approved to commit all these scripts and the library, except
that I want you to change these names:

mysql-list-databases -> mysql-databases
mysql-list-users -> mysql-users
mysql-show-variables -> mysql-variables

Good work! The scripts are looking nice. Please add a brief entry to the
CHANGELOG for each new script.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
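
The anonymous-account effect Patrik describes above, as an added example that is not part of the thread or of the Nmap scripts. It is a simplified Python model: host matching is ignored, the account tables are constructed samples, and all function names are hypothetical. It shows how one control login with a random username tells real blank-password hits apart from anonymous fallbacks.

```python
import secrets

# Constructed sample account tables: username -> password ('' is the anonymous user).
DEFAULT_INSTALL = {"root": "", "": ""}   # defaults Ron lists, hosts collapsed
ROOT_ONLY_BLANK = {"root": ""}           # anonymous account removed
HARDENED = {"root": "s3cret-Constructed"}

GUESSES = [("root", ""), ("admin", ""), ("backup", ""), ("root", "toor")]

def matched_account(accounts, user, password):
    """Simplified rule from the thread: a named account wins; any other
    username falls through to the anonymous ('') account if it exists."""
    if user in accounts:
        return user if accounts[user] == password else None
    if accounts.get("") == password:
        return ""
    return None

def login_ok(accounts, user, password):
    """What a remote client observes: success or failure only."""
    return matched_account(accounts, user, password) is not None

def audit(accounts, guesses):
    """Split successful guesses into confirmed and ambiguous findings."""
    control = "ctl_" + secrets.token_hex(6)  # random name assumed not to exist
    anonymous_open = login_ok(accounts, control, "")
    report = {"anonymous_open": anonymous_open, "confirmed": [], "ambiguous": []}
    for user, password in guesses:
        if not login_ok(accounts, user, password):
            continue
        # With the anonymous account open, a blank-password success for a
        # non-empty name says nothing about whether that name exists.
        if anonymous_open and password == "" and user != "":
            report["ambiguous"].append(user)
        else:
            report["confirmed"].append(user)
    return report

if __name__ == "__main__":
    for label, table in [("default", DEFAULT_INSTALL),
                         ("root only", ROOT_ONLY_BLANK),
                         ("hardened", HARDENED)]:
        print(label, audit(table, GUESSES))
```

On a real server an ambiguous entry can be settled after login with `SELECT CURRENT_USER()`, which returns the account the server matched rather than the name the client supplied.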