Nmap Development mailing list archives

Re: [NSE Script] MySQL Server Information
From: jah <jah () zadkiel plus com>
Date: Tue, 18 Dec 2007 18:05:15 +0000

On 18/12/2007 06:22, Kris Katterjohn wrote:
> I grepped the nmap-service-probes and saw "unauthorized" with a 
> lowercase and uppercase U, so I edited that part.  I saw no 
> occurrences of your suggested "unauthorised" in there, so I didn't add 
I noticed that too, but my testing showed that string.match(s,pattern) 
that I used, matched regardless of case.  (My testing involved changing 
the case of pattern rather than of anything in nmap-service-probes, 
which may have been flawed thinking).  What's the difference between 
string.match(s,pattern) and s:match(pattern), is it the same operation 
expressed differently?

> I added a check for too many connections, which I saw in the probes 
> file.  It should match the different little versions of it from there, 
> though I didn't find a server with that error to test with.
This was my challenge for the day, find a server that reported 1040 Too 
Many Connections.  I couldn't.  So I set about creating one and after 
much fiddling with users and the max_connections mysql variable and much 
hair-pulling, I conclude that the 1040 error seems only to occur after a 
login request is sent to the server.  I was able to put my sql server in 
a state where it would respond with 1040, but only after login request.  
The Server Greeting is sent prior to this so the script can still get 
its info.  Therefore, I would say that the extra portrule may be 
unnecessary.  I haven't made any changes though because it's not hurting 
anything and I may still be proved wrong...

> Another change was just for personal preference :) Instead of 
> indenting the rest of the script after the protocol vs. error check, I 
> just return from that if() and the rest was as before.  I just think 
> it's too long to warrant the extra indentation.
Yep, that looks much better!

You might like to remove the require for shortport line, other than 
that, job's a good'n!  As an approximation, I've found that 30-40% of 
hosts with a mysql port open don't give "unauthorised" and successfully 
send the server greeting which your script captures.  Well worth the 
effort you put in writing the script, I'd say.  And I reckon there'll be 
a demand for checking default/weak/blank pwds...

I found another oddity, not with your script, but with 
socket_object:set_timeout(t).  Having read the nmap network I/O api page 
[1] I read your script sock:set_timeout(5000) as 50 seconds which I 
thought was rather excessive.  But I confirmed that the timeout is, as 
I'm sure you intended, 5s.  Is this an error in the docs do you think?  
Perhaps something changed, but the doc didn't get updated?


[1] network I/O - 

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org
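The two technical points in the message above, the "protocol vs. error" check on the first packet MySQL sends and the string.match vs s:match question, are illustrated by the following added example. It is not the NSE script under discussion nor Nmap's own code; it is plain Lua 5.1-compatible code with no NSE dependencies, so it runs with a stock lua binary. The three sample packets (a pre-handshake 1130 "not allowed to connect" error, a 1040 "Too many connections" error carrying a SQLSTATE marker, and a handshake v10 greeting with version string 5.0.45-log, thread id 57 and an 8-byte scramble) are constructed for illustration, and the greeting's capability, charset and status fields are arbitrary filler.

```lua
-- Added example for this thread, not the NSE script being discussed nor
-- Nmap's own code. Lua 5.1-compatible, no NSE APIs. All packet contents
-- below are constructed for illustration.

-- Little-endian unsigned integer of n bytes starting at 1-based offset pos.
local function le_uint(s, pos, n)
  local v = 0
  for i = n, 1, -1 do
    v = v * 256 + s:byte(pos + i - 1)
  end
  return v
end

-- Wrap a payload in the MySQL packet header: 3-byte little-endian length
-- plus a 1-byte sequence id. Used only to build the sample packets.
local function frame(seq, payload)
  local len = #payload
  return string.char(len % 256, math.floor(len / 256) % 256,
                     math.floor(len / 65536), seq) .. payload
end

-- Split one packet into sequence id and payload; nil plus reason on truncation.
local function parse_packet(data)
  if #data < 4 then return nil, "short header" end
  local len = le_uint(data, 1, 3)
  if #data < 4 + len then return nil, "truncated payload" end
  return { seq = data:byte(4), payload = data:sub(5, 4 + len) }
end

-- The "protocol vs. error" check. An ERR packet starts with 0xff, then a
-- 2-byte little-endian error code and the message; 4.1-protocol servers may
-- prefix the message with '#' and a 5-character SQLSTATE, and both forms are
-- accepted. A handshake v10 greeting starts with protocol version 10, the
-- NUL-terminated server version, a 4-byte thread id and 8 scramble bytes.
local function classify_first_packet(data)
  local pkt, err = parse_packet(data)
  if not pkt then return nil, err end
  local p = pkt.payload
  local first = p:byte(1)
  if first == 0xff then
    local msg = p:sub(4)
    if msg:sub(1, 1) == "#" then msg = msg:sub(7) end
    return { kind = "error", code = le_uint(p, 2, 2), message = msg }
  elseif first == 10 then
    local nul = p:find("\0", 2, true)
    if not nul then return nil, "unterminated version string" end
    return {
      kind = "greeting",
      version = p:sub(2, nul - 1),
      thread_id = le_uint(p, nul + 1, 4),
      scramble = p:sub(nul + 5, nul + 12),
    }
  end
  return { kind = "unknown", first_byte = first }
end

-- Lua patterns are case-sensitive, and s:match(pat) is only syntactic sugar
-- for string.match(s, pat): the string type's metatable has __index = string.
-- Spelling variants therefore have to be written out as character classes.
local ERROR_PATTERNS = {
  { "[Tt]oo many connections",   "too_many_connections" },
  { "[Nn]ot allowed to connect", "host_not_allowed" },
  { "[Uu]nauthori[sz]ed",        "unauthorized" },
}

local function classify_error_message(msg)
  for _, entry in ipairs(ERROR_PATTERNS) do
    if msg:match(entry[1]) then return entry[2] end
  end
  return "other"
end

local function case_sensitivity_demo()
  local msg = "Too Many Connections"
  return {
    lowercase_pattern = string.match(msg, "too many") ~= nil,
    class_pattern     = msg:match("[Tt]oo [Mm]any") ~= nil,
    normalised_input  = msg:lower():match("too many") ~= nil,
    sugar_same_table  = getmetatable("").__index == string,
  }
end

-- Constructed samples: error 1130 without SQLSTATE (pre-handshake), error
-- 1040 with SQLSTATE 08004 (as seen after a login request), and a greeting.
local SAMPLES = {
  { "host_denied", frame(0, "\255\106\4" ..
      "Host '10.0.0.5' is not allowed to connect to this MySQL server") },
  { "too_many",    frame(0, "\255\16\4#08004Too many connections") },
  { "greeting",    frame(0, "\10" .. "5.0.45-log\0" .. "\57\0\0\0" ..
      "abcdefgh" .. "\0" .. "\44\162" .. "\8" .. "\2\0" ..
      string.rep("\0", 13) .. "ijklmnopqrst\0") },
}

for _, sample in ipairs(SAMPLES) do
  local name, data = sample[1], sample[2]
  local r, err = classify_first_packet(data)
  if not r then
    print(name, "parse failure:", err)
  elseif r.kind == "error" then
    print(name, "error", r.code, classify_error_message(r.message), r.message)
  elseif r.kind == "greeting" then
    print(name, "greeting", r.version, "thread " .. r.thread_id)
  else
    print(name, "unknown first byte", r.first_byte)
  end
end

for k, v in pairs(case_sensitivity_demo()) do print(k, v) end
```

The error branch runs before any banner parsing, which is the reason the script can return early from that if() and leave the greeting-parsing code unindented, and the classification table is the place to extend the list of error spellings rather than relying on the pattern engine ignoring case.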
