Rob Nicholls wrote:
The "sa" account (often set up with a blank password because the setup
for 2000 doesn't make much effort to stop you) is a default account used
MS SQL, not MySQL, so any checks would go into an MSSQL script (Thomas
already written a "Microsoft SQL Server information gathering script").
check for a blank password might be okay (and possibly the password
but nmap probably isn't the best place to test for passwords, and I
people would like to avoid accidentally locking out accounts or
cause a denial of service (for any service).

Thanks for the mention, Rob. The MSSQLm.nse script that currently ships
with Nmap 4.50 does check for 'sa' with a blank password. I also have a
patch for that script that extends it to check for 'sa' with password =
'password', but I haven't had a chance to send that to the list yet.

I've also been working on a script to check for MySQL (not Microsoft
SQL) servers with user = 'root', and either a blank password, or
password = 'password'. However, that script isn't quite ready for
primetime, especially since it relies on some NSE functionality that
hasn't been integrated into mainline code yet (see

A bit off-topic, but if you're interested in checking a service for
passwords, you might want to try a dedicated tool such as hydra:

I'd second this suggestion. Hydra is a wonderful tool for finding
common passwords to a large number of different network services.