Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE Script] MySQL Server Information
From: Kris Katterjohn <katterjohn () gmail com>
Date: Tue, 18 Dec 2007 13:56:26 -0600

jah wrote:
On 18/12/2007 06:22, Kris Katterjohn wrote:
I grepped the nmap-service-probes and saw "unauthorized" with a 
lowercase and uppercase U, so I edited that part.  I saw no 
occurrences of your suggested "unauthorised" in there, so I didn't add 
that.
I noticed that too, but my testing showed that string.match(s,pattern) 
that I used, matched regardless of case.  (My testing involved changing 
the case of pattern rather than of anything in nmap-service-probes, 
which may have been flawed thinking).  What's the difference between 
string.match(s,pattern) and s:match(pattern), is it the same operation 
expressed differently?

That's interesting about match().  I don't think your test was flawed, 
because I would've tried that myself :) I haven't read anywhere that 
explicitly states it's case-insensitive, and grepping in scripts/ shows 
that HTTPAuth.nse contains a character set of "[Aa]" in there.. but 
Thomas could just be as confused as me :)  I'll leave it for now since 
I'm not sure (but if we can find a link showing that it is, in fact, 
case insensitive I'll certainly remove it).

And you're correct in that the different ways of calling match() do the 
same thing; I like the other way because it's a tad shorter and reduces 
redundancy (as in the portrule).


I added a check for too many connections, which I saw in the probes 
file.  It should match the different little versions of it from there, 
though I didn't find a server with that error to test with.
This was my challenge for the day, find a server that reported 1040 Too 
Many Connections.  I couldn't.  So I set about creating one and after 
much fiddling with users and the max_connections mysql variable and much 
hair-pulling, I conclude that the 1040 error seems only to occur after a 
login request is sent to the server.  I was able to put my sql server in 
a state where it would respond with 1040, but only after login request.  
The Server Greeting is sent prior to this so the script can still get 
it's info.  Therefore, I would say that the extra portrule may be 
unnecessary.  I haven't made any changes though because it's not hurting 
anything and I may still be proved wrong...

That's odd because there are multiple match lines in the -probes file 
that look for too many connections from just the banner (NULL probe).  I 
guess we'll just have to see about that! :)


Another change was just for personal preference :) Instead of 
indenting the rest of the script after the protocol vs. error check, I 
just return from that if() and the rest was as before.  I just think 
it's too long to warrant the extra indentation.
Yep, that looks much better!

You might like to remove the require for shortport line, other than 
that, job's a good'n!  As an approximation, I've found that 30-40% of 
hosts with a mysql port open don't give "unauthorised" and successfully 
send the server greeting which your script captures.  Well worth the 
effort you put in writing the script, I'd say.  And I reckon there'll be 
a demand for checking default/weak/blank pwds...

Ah, yes, I knew I was forgetting something :)

I hope people find it useful.  I'll look into adding other things, like 
attempting logins, etc.


I found another oddity, not with your script, but with 
socket_object:set_timeout(t).  Having read the nmap network I/O api page 
[1] I read your script sock:set_timeout(5000) as 50 seconds which I 
thought was rather excessive.  But I confirmed that the timeout is, as 
I'm sure you intended, 5s.  Is this an error in the docs do you think?  
Perhaps something changed, but the doc didn't get updated?



Hmm.. that's interesting as well!

I'm not sure what happened with that.  I don't have access to change it, 
so hopefully somebody corrects the problem.

jah


Thanks,
Kris Katterjohn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault