Re: [NSE Script] MySQL Server Information
From: jah <jah () zadkiel plus com>
Date: Wed, 19 Dec 2007 02:58:41 +0000
On 19/12/2007 01:53, Rob Nicholls wrote:
> I can definitely see the benefit of Chris' suggestion and Thomas' improved
> script for checking a handful of passwords for default accounts (a lot
> easier than firing up another program just to check that "sa" isn't set to
> "password" or left blank), and it might be worth checking default usernames
> and passwords on other well known services too (Scott:Tiger, cisco:cisco,
> admin:password etc.); I think Chris' original comment about checking for
> weak passwords threw me as it wasn't clear at the time just how limited the
> check for weak passwords would be.
>
> I'd probably like an additional option of being able to specify two files, one
> for usernames (that I can type up, or perhaps dump out of getacct.exe or
> enum.exe) and one to point at whatever huge dictionary file I've got to
> hand, rather than a single file full of pairs. I can't see my dictionary
> files changing that often, but I can see the list of users changing a lot
Rob! You raise questions (not reproduced here) that will take some
serious pondering and should indeed be pondered and discussed....
I think you agree that having the ability to check for some default and
a selection of weak passwords against a MySQL service is a good
thing and that there should be safeguards against doing stuff the user
doesn't necessarily want to do.
It sounds to me like we're kind of steering away from coding this
functionality in a script, but to provide it (in the future) as a
library to avoid redundancy of code right across the board and allow
its use for any service. If that's possible, I reckon it's a winner of
Going for a ponder.
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org