Nmap Development mailing list archives

Re: [NSE Script] MySQL Server Information
From: jah <jah () zadkiel plus com>
Date: Tue, 18 Dec 2007 18:05:15 +0000

On 18/12/2007 06:22, Kris Katterjohn wrote:
> I grepped the nmap-service-probes and saw "unauthorized" with a 
> lowercase and uppercase U, so I edited that part.  I saw no 
> occurrences of your suggested "unauthorised" in there, so I didn't add 
> that.
I noticed that too, but my testing showed that string.match(s,pattern), 
which I used, matched regardless of case.  (My testing involved changing 
the case of the pattern rather than of anything in nmap-service-probes, 
which may have been flawed thinking.)  What's the difference between 
string.match(s,pattern) and s:match(pattern)?  Is it the same operation 
expressed differently?

> I added a check for too many connections, which I saw in the probes 
> file.  It should match the different little versions of it from there, 
> though I didn't find a server with that error to test with.
This was my challenge for the day: find a server that reported 1040 Too 
Many Connections.  I couldn't.  So I set about creating one and, after 
much fiddling with users and the max_connections mysql variable and much 
hair-pulling, I conclude that the 1040 error seems only to occur after a 
login request is sent to the server.  I was able to put my sql server in 
a state where it would respond with 1040, but only after a login request.  
The Server Greeting is sent prior to this, so the script can still get 
its info.  Therefore, I would say that the extra portrule may be 
unnecessary.  I haven't made any changes though, because it's not hurting 
anything and I may still be proved wrong...

> Another change was just for personal preference :) Instead of 
> indenting the rest of the script after the protocol vs. error check, I 
> just return from that if() and the rest was as before.  I just think 
> it's too long to warrant the extra indentation.
Yep, that looks much better!

You might like to remove the require for the shortport line; other than 
that, job's a good'n!  As an approximation, I've found that 30-40% of 
hosts with a mysql port open don't give "unauthorised" and successfully 
send the server greeting, which your script captures.  Well worth the 
effort you put in writing the script, I'd say.  And I reckon there'll be 
a demand for checking default/weak/blank pwds...

I found another oddity, not with your script, but with 
socket_object:set_timeout(t).  Having read the nmap network I/O api page 
[1], I read your script's sock:set_timeout(5000) as 50 seconds, which I 
thought was rather excessive.  But I confirmed that the timeout is, as 
I'm sure you intended, 5s.  Is this an error in the docs, do you think?  
Perhaps something changed, but the doc didn't get updated?


jah

[1] network I/O - 
http://insecure.org/nmap/nse/nse-api.html#nse-api-networkio


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
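The thread turns on the "protocol vs. error check": the first packet a MySQL server sends is either a Server Greeting (protocol-10 handshake) or an ERR packet such as the "unauthorized" host refusal, and, as jah observed, a 1040 Too Many Connections error arrives only in reply to a login request, after the greeting has already been read. The following is an added example, not code from the thread, from Kris Katterjohn's script or from the Nmap project; it is Python rather than NSE Lua, the packet layouts follow the MySQL wire format (3-byte length plus sequence id header, 0xff ERR packets, 0x0a handshake v10), the error numbers 1040/1129/1130 are MySQL's own, and the three sample packets, including the version string, host address and salt, are constructed for the example rather than captured:

```python
"""Classify the first packet a MySQL server sends after TCP connect.

Added example (not from the nmap-dev thread or the Nmap project). Packets
below are constructed by hand from the documented MySQL wire format.
"""
import struct

# Well-known MySQL server error numbers relevant to the thread.
ER_CON_COUNT_ERROR = 1040      # "Too many connections"
ER_HOST_IS_BLOCKED = 1129      # "Host ... is blocked because of many connection errors"
ER_HOST_NOT_PRIVILEGED = 1130  # "Host ... is not allowed to connect to this MySQL server"

CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SECURE_CONNECTION = 0x8000


def mysql_packet(payload, seq=0):
    """Wrap a payload in the 4-byte MySQL packet header (3-byte LE length, 1-byte sequence id)."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def read_packet(buf):
    """Split one packet off the front of buf; raise on a short or truncated read."""
    if len(buf) < 4:
        raise ValueError("short packet header")
    length = buf[0] | (buf[1] << 8) | (buf[2] << 16)
    payload = buf[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet: header says %d bytes, got %d" % (length, len(payload)))
    return buf[3], payload, buf[4 + length:]


def parse_error(seq, payload):
    """ERR packet: 0xff, 2-byte LE error code, optional '#' + 5-char SQLSTATE, then the message."""
    code = struct.unpack_from("<H", payload, 1)[0]
    pos = 3
    sqlstate = None
    if payload[pos:pos + 1] == b"#":
        sqlstate = payload[pos + 1:pos + 6].decode("ascii", "replace")
        pos += 6
    message = payload[pos:].decode("utf-8", "replace")
    return {"kind": "error", "seq": seq, "code": code, "sqlstate": sqlstate, "message": message}


def parse_greeting(seq, payload):
    """Protocol-10 handshake: NUL-terminated version, thread id, 8-byte salt, filler,
    lower capability flags, charset and status flags (the fields the script reports)."""
    nul = payload.index(b"\x00", 1)
    version = payload[1:nul].decode("ascii", "replace")
    pos = nul + 1
    thread_id = struct.unpack_from("<I", payload, pos)[0]
    pos += 4
    salt = payload[pos:pos + 8]
    pos += 8 + 1  # salt, then one filler byte
    caps, charset, status = struct.unpack_from("<HBH", payload, pos)
    return {
        "kind": "greeting", "seq": seq, "version": version, "thread_id": thread_id,
        "salt": salt, "capabilities": caps, "charset": charset, "status": status,
        "protocol_41": bool(caps & CLIENT_PROTOCOL_41),
        "secure_connection": bool(caps & CLIENT_SECURE_CONNECTION),
    }


def classify(raw):
    """Dispatch on the first payload byte: 0xff is an ERR packet, 0x0a a handshake v10."""
    seq, payload, _rest = read_packet(raw)
    if not payload:
        raise ValueError("empty payload")
    if payload[0] == 0xFF:
        return parse_error(seq, payload)
    if payload[0] == 0x0A:
        return parse_greeting(seq, payload)
    return {"kind": "unknown", "seq": seq, "first_byte": payload[0]}


def summarize(raw):
    """One-line verdict in the spirit of the script's protocol-vs-error check."""
    r = classify(raw)
    if r["kind"] == "greeting":
        return "greeting: MySQL %s, thread %d, protocol41=%s" % (r["version"], r["thread_id"], r["protocol_41"])
    if r["kind"] == "error":
        if r["code"] in (ER_HOST_NOT_PRIVILEGED, ER_HOST_IS_BLOCKED):
            return "unauthorized (%d): %s" % (r["code"], r["message"])
        if r["code"] == ER_CON_COUNT_ERROR:
            return "too many connections (%d), seq %d" % (r["code"], r["seq"])
        return "error %d: %s" % (r["code"], r["message"])
    return "unrecognised first byte 0x%02x" % r["first_byte"]


# --- constructed sample packets (hand-built for this example, not real captures) ---
GREETING = mysql_packet(
    b"\x0a" + b"5.0.45-log\x00" + struct.pack("<I", 17) + b"abcdefgh" + b"\x00"
    + struct.pack("<HBH", 0xA20C, 8, 2) + b"\x00" * 13 + b"ijklmnopqrst\x00")
# Refusal sent instead of a greeting: no SQLSTATE marker, sequence id 0.
ERR_HOST = mysql_packet(
    b"\xff" + struct.pack("<H", ER_HOST_NOT_PRIVILEGED)
    + b"Host '10.0.0.5' is not allowed to connect to this MySQL server")
# 1040 answering a login request (greeting seq 0, login seq 1, reply seq 2), with SQLSTATE.
ERR_TOO_MANY = mysql_packet(
    b"\xff" + struct.pack("<H", ER_CON_COUNT_ERROR) + b"#08004Too many connections", seq=2)

if __name__ == "__main__":
    for pkt in (GREETING, ERR_HOST, ERR_TOO_MANY):
        print(summarize(pkt))
```

The sequence id is the tell for jah's observation: a refusal that replaces the greeting carries sequence id 0, whereas a 1040 reply to a login carries 2, so by the time a script could see 1040 it already holds the greeting and the extra portrule buys nothing. Matching on the numeric error code rather than on the message text also sidesteps the lowercase/uppercase "unauthorized" question from the thread entirely.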

