Nmap Development: Re: [NSE] mysql-enum user enumeration script

[Aleksandar Nikolic <nikolic.alek () gmail com>]

Hi Patrik,

thanks for comments, I added a check for that "hostname is blocked" case.
Now the script will bail out as soon as it gets that error. I just can't
say I'm
sure when is this error triggered, I can't get consistent results.
Wonder if some sort of rate limiting would prevent it ?

Also, I've fixed the indentation issues.

,
Aleksandar

On 12/8/2012 6:57 PM, Patrik Karlsson wrote:
> Alexandar,
>
> I tried this script and didn't get it to show any users even though
> they existed.
> I tracked the problem down to the server returning the following message;
> "hostname is blocked because of many connection errors; unblock with
> 'mysqladmin flush-hosts'"
>
> I think the script needs to handle this error message and report back
> to avoid false negatives.
> There were also some indentation cleanup that needed to be done.
>
> Thanks,
> Patrik
>
>
> On Sat, Dec 8, 2012 at 10:20 AM, Aleksandar Nikolic
> <nikolic.alek () gmail com <mailto:nikolic.alek () gmail com>> wrote:
>
>     Resending this as i didn't get any comments , and I guess it might
>     not have got attention due to list changing ...
>
>
>     -------- Original Message --------
>     Subject:        [NSE] mysql-enum user enumeration script
>     Date:   Mon, 03 Dec 2012 21:38:59 +0100
>     From:   Aleksandar Nikolic <nikolic.alek () gmail com
>     <mailto:nikolic.alek () gmail com>>
>     To:     nmap-dev () insecure org <mailto:nmap-dev () insecure org>
>
>
>
>     Hi all ,
>
>     been a long time since I contributed something :)
>
>     As you might have noticed, kingcope released quite a number of mysql
>     vulns over the
>     weekend, one of them being an user enumeration vulnerability which
>     sounded
>     like a perfect candidate for a NSE script (original release :
>     http://seclists.org/fulldisclosure/2012/Dec/9 ).
>     So here is my rough draft for it.
>
>     The vuln lies in the fact that MySQL server, when it gets connection
>     from a client using old authentication
>     mechanism, responds in different ways when user does and does not
>     exist.
>     Basically , when
>     user does not exist, the server replies with "Access denied for
>     user..."
>     immediately, else it waits for a
>     password.
>
>     I might be a little rusty with Lua and nmap dev , so do point out your
>     ideas
>     and suggestions for improvements.
>
>     Aleksandar
>
>
>
>
>
>     _______________________________________________
>     Sent through the dev mailing list
>     http://nmap.org/mailman/listinfo/dev
>     Archived at http://seclists.org/nmap-dev/
>
>
>
>
> -- 
> Patrik Karlsson
> http://www.cqure.net
> http://twitter.com/nevdull77

Attachment: mysql-enum.nse
Description:

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/