Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [NSE Script] MySQL Server Information
From: jah <jah () zadkiel plus com>
Date: Wed, 19 Dec 2007 02:58:41 +0000

On 19/12/2007 01:53, Rob Nicholls wrote:
I can definitely see the benefit of Chris' suggestion and Thomas' improved
script for checking a handful of passwords for default accounts (a lot
easier than firing up another program just to check that "sa" isn't set to
"password" or left blank), and it might be worth checking default usernames
and passwords on other well known services too (Scott:Tiger, cisco:cisco,
admin:password etc.); I think Chris' original comment about checking for
weak passwords threw me as it wasn't clear at the time just how limited the
check for weak passwords would be.
I'd probably like an additional option of being able to specify two files, one
for usernames (that I can type up, or perhaps dump out of getacct.exe or
enum.exe) and one to point at whatever huge dictionary file I've got to
hand, rather than a single file full of pairs. I can't see my dictionary
files changing that often, but I can see the list of users changing a lot 
Rob!  You raise questions (not reproduced here) that will take some 
serious pondering and should indeed be pondered and discussed....
I think you agree that having the ability to check for some default and 
and a selection of weak passwords against a MySQL service is a good 
thing and that there should be safeguards against doing stuff the user 
doesn't necessarily want to do.
It sounds to me like we're kind of steering away from coding this 
functionality in a script, but to provide it (in the future) as a 
library to avoid redundancy of code right across the board and allow 
it's use for any service.  If that's possible, I reckon it's a winner of 
an idea.

Going for a ponder.


Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]