mailing list archives
Re: [NSE Script] MySQL Server Information
From: Kris Katterjohn <katterjohn () gmail com>
Date: Tue, 18 Dec 2007 13:56:26 -0600
On 18/12/2007 06:22, Kris Katterjohn wrote:
I grepped the nmap-service-probes and saw "unauthorized" with a
lowercase and uppercase U, so I edited that part. I saw no
occurrences of your suggested "unauthorised" in there, so I didn't add
I noticed that too, but my testing showed that string.match(s,pattern)
that I used, matched regardless of case. (My testing involved changing
the case of pattern rather than of anything in nmap-service-probes,
which may have been flawed thinking). What's the difference between
string.match(s,pattern) and s:match(pattern), is it the same operation
That's interesting about match(). I don't think your test was flawed,
because I would've tried that myself :) I haven't read anywhere that
explicitly states it's case-insensitive, and grepping in scripts/ shows
that HTTPAuth.nse contains a character set of "[Aa]" in there.. but
Thomas could just be as confused as me :) I'll leave it for now since
I'm not sure (but if we can find a link showing that it is, in fact,
case insensitive I'll certainly remove it).
And you're correct in that the different ways of calling match() do the
same thing; I like the other way because it's a tad shorter and reduces
redundancy (as in the portrule).
I added a check for too many connections, which I saw in the probes
file. It should match the different little versions of it from there,
though I didn't find a server with that error to test with.
This was my challenge for the day, find a server that reported 1040 Too
Many Connections. I couldn't. So I set about creating one and after
much fiddling with users and the max_connections mysql variable and much
hair-pulling, I conclude that the 1040 error seems only to occur after a
login request is sent to the server. I was able to put my sql server in
a state where it would respond with 1040, but only after login request.
The Server Greeting is sent prior to this so the script can still get
it's info. Therefore, I would say that the extra portrule may be
unnecessary. I haven't made any changes though because it's not hurting
anything and I may still be proved wrong...
That's odd because there are multiple match lines in the -probes file
that look for too many connections from just the banner (NULL probe). I
guess we'll just have to see about that! :)
Another change was just for personal preference :) Instead of
indenting the rest of the script after the protocol vs. error check, I
just return from that if() and the rest was as before. I just think
it's too long to warrant the extra indentation.
Yep, that looks much better!
You might like to remove the require for shortport line, other than
that, job's a good'n! As an approximation, I've found that 30-40% of
hosts with a mysql port open don't give "unauthorised" and successfully
send the server greeting which your script captures. Well worth the
effort you put in writing the script, I'd say. And I reckon there'll be
a demand for checking default/weak/blank pwds...
Ah, yes, I knew I was forgetting something :)
I hope people find it useful. I'll look into adding other things, like
attempting logins, etc.
I found another oddity, not with your script, but with
socket_object:set_timeout(t). Having read the nmap network I/O api page
 I read your script sock:set_timeout(5000) as 50 seconds which I
thought was rather excessive. But I confirmed that the timeout is, as
I'm sure you intended, 5s. Is this an error in the docs do you think?
Perhaps something changed, but the doc didn't get updated?
Hmm.. that's interesting as well!
I'm not sure what happened with that. I don't have access to change it,
so hopefully somebody corrects the problem.
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org