Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] mysql-enum user enumeration script
From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 16 Dec 2012 11:54:22 -0500

I just re-tested it and it works well for me, so I would commit it to main.
There was an unrelated bug in the brute library, where it silently failed
if the userdb did not exist.
I committed a fix that should address this as r30417.

Thanks,
//Patrik


On Sun, Dec 16, 2012 at 5:16 AM, Aleksandar Nikolic
<nikolic.alek () gmail com>wrote:

Um, should I commit this to main ?
It's still only in my dev branch

On 12/11/2012 11:56 AM, Aleksandar Nikolic wrote:
Hi Patrik,

thanks for comments, I added a check for that "hostname is blocked" case.
Now the script will bail out as soon as it gets that error. I just
can't say I'm
sure when is this error triggered, I can't get consistent results.
Wonder if some sort of rate limiting would prevent it ?

Also, I've fixed the indentation issues.

,
Aleksandar

On 12/8/2012 6:57 PM, Patrik Karlsson wrote:
Alexandar,

I tried this script and didn't get it to show any users even though
they existed.
I tracked the problem down to the server returning the following
message;
"hostname is blocked because of many connection errors; unblock with
'mysqladmin flush-hosts'"

I think the script needs to handle this error message and report back
to avoid false negatives.
There were also some indentation cleanup that needed to be done.

Thanks,
Patrik


On Sat, Dec 8, 2012 at 10:20 AM, Aleksandar Nikolic
<nikolic.alek () gmail com <mailto:nikolic.alek () gmail com>> wrote:

    Resending this as i didn't get any comments , and I guess it might
    not have got attention due to list changing ...


    -------- Original Message --------
    Subject:        [NSE] mysql-enum user enumeration script
    Date:   Mon, 03 Dec 2012 21:38:59 +0100
    From:   Aleksandar Nikolic <nikolic.alek () gmail com
    <mailto:nikolic.alek () gmail com>>
    To:     nmap-dev () insecure org <mailto:nmap-dev () insecure org>



    Hi all ,

    been a long time since I contributed something :)

    As you might have noticed, kingcope released quite a number of mysql
    vulns over the
    weekend, one of them being an user enumeration vulnerability
    which sounded
    like a perfect candidate for a NSE script (original release :
    http://seclists.org/fulldisclosure/2012/Dec/9 ).
    So here is my rough draft for it.

    The vuln lies in the fact that MySQL server, when it gets connection
    from a client using old authentication
    mechanism, responds in different ways when user does and does not
    exist.
    Basically , when
    user does not exist, the server replies with "Access denied for
    user..."
    immediately, else it waits for a
    password.

    I might be a little rusty with Lua and nmap dev , so do point out
    your
    ideas
    and suggestions for improvements.

    Aleksandar





    _______________________________________________
    Sent through the dev mailing list
    http://nmap.org/mailman/listinfo/dev
    Archived at http://seclists.org/nmap-dev/




--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77




_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/




-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]