Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] mysql-enum user enumeration script
From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Tue, 11 Dec 2012 11:56:29 +0100

Hi Patrik,

thanks for comments, I added a check for that "hostname is blocked" case.
Now the script will bail out as soon as it gets that error. I just can't
say I'm
sure when is this error triggered, I can't get consistent results.
Wonder if some sort of rate limiting would prevent it ?

Also, I've fixed the indentation issues.


On 12/8/2012 6:57 PM, Patrik Karlsson wrote:

I tried this script and didn't get it to show any users even though
they existed.
I tracked the problem down to the server returning the following message;
"hostname is blocked because of many connection errors; unblock with
'mysqladmin flush-hosts'"

I think the script needs to handle this error message and report back
to avoid false negatives.
There were also some indentation cleanup that needed to be done.


On Sat, Dec 8, 2012 at 10:20 AM, Aleksandar Nikolic
<nikolic.alek () gmail com <mailto:nikolic.alek () gmail com>> wrote:

    Resending this as i didn't get any comments , and I guess it might
    not have got attention due to list changing ...

    -------- Original Message --------
    Subject:        [NSE] mysql-enum user enumeration script
    Date:   Mon, 03 Dec 2012 21:38:59 +0100
    From:   Aleksandar Nikolic <nikolic.alek () gmail com
    <mailto:nikolic.alek () gmail com>>
    To:     nmap-dev () insecure org <mailto:nmap-dev () insecure org>

    Hi all ,

    been a long time since I contributed something :)

    As you might have noticed, kingcope released quite a number of mysql
    vulns over the
    weekend, one of them being an user enumeration vulnerability which
    like a perfect candidate for a NSE script (original release :
    http://seclists.org/fulldisclosure/2012/Dec/9 ).
    So here is my rough draft for it.

    The vuln lies in the fact that MySQL server, when it gets connection
    from a client using old authentication
    mechanism, responds in different ways when user does and does not
    Basically , when
    user does not exist, the server replies with "Access denied for
    immediately, else it waits for a

    I might be a little rusty with Lua and nmap dev , so do point out your
    and suggestions for improvements.


    Sent through the dev mailing list
    Archived at http://seclists.org/nmap-dev/

Patrik Karlsson

Attachment: mysql-enum.nse

Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]