Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE Script] MySQL Server Information
From: sawall <sawall () gmail com>
Date: Tue, 18 Dec 2007 18:59:44 -0600

My comment would be that a brute-force may or may not be necessary.  If it
were included, it could be enabled via an argument or a separate app could
be run against MS SQL or MySQL.  As mentioned before, a brute-force attack
could take some time and really slow things down.

I was thinking more along the lines to just check for a few simple
passwords, like defaults and a few common ones (i.e., _blank_, password,
admin, etc).  This also could be disabled/enabled via an argument for those
who just wanted to gather server/version info.

I think the outcome of all of this will be good though!

chris


On Dec 18, 2007 6:53 PM, Brandon Enright <bmenrigh () ucsd edu> wrote:




This is an interesting idea.  You can accomplish what you described
above with a few hacks using the registry (may take more than one
script though). Along those lines, I'd like to be able to exclude
scripts by category. For example, we've already had several people hung
up on bruteTelnet.nse. I'd like a couple of categories to be added like
"slow" and "brute-force".

Then, I can run "all" scripts while still not running certain ones like
so:

nmap ... --script=all --no-script=brute-force ...

Sometimes I want to run some intrusive scripts and not others.  As we
get more and more scripts, it becomes harder to list the right scripts
and categories without also including ones you don't want.

Brandon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]