Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] mysql-enum user enumeration script
From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Mon, 17 Dec 2012 17:04:41 +0100

Just commited this as r30420.

Sorry for a big merge from trunk into aca/nmap,
my branch was outdated.

Aleksandar

On 12/16/2012 5:54 PM, Patrik Karlsson wrote:
I just re-tested it and it works well for me, so I would commit it to
main.
There was an unrelated bug in the brute library, where it silently
failed if the userdb did not exist.
I committed a fix that should address this as r30417.

Thanks,
//Patrik


On Sun, Dec 16, 2012 at 5:16 AM, Aleksandar Nikolic
<nikolic.alek () gmail com <mailto:nikolic.alek () gmail com>> wrote:

    Um, should I commit this to main ?
    It's still only in my dev branch

    On 12/11/2012 11:56 AM, Aleksandar Nikolic wrote:
    > Hi Patrik,
    >
    > thanks for comments, I added a check for that "hostname is
    blocked" case.
    > Now the script will bail out as soon as it gets that error. I just
    > can't say I'm
    > sure when is this error triggered, I can't get consistent results.
    > Wonder if some sort of rate limiting would prevent it ?
    >
    > Also, I've fixed the indentation issues.
    >
    > ,
    > Aleksandar
    >
    > On 12/8/2012 6:57 PM, Patrik Karlsson wrote:
    >> Alexandar,
    >>
    >> I tried this script and didn't get it to show any users even though
    >> they existed.
    >> I tracked the problem down to the server returning the
    following message;
    >> "hostname is blocked because of many connection errors; unblock
    with
    >> 'mysqladmin flush-hosts'"
    >>
    >> I think the script needs to handle this error message and
    report back
    >> to avoid false negatives.
    >> There were also some indentation cleanup that needed to be done.
    >>
    >> Thanks,
    >> Patrik
    >>
    >>
    >> On Sat, Dec 8, 2012 at 10:20 AM, Aleksandar Nikolic
    >> <nikolic.alek () gmail com <mailto:nikolic.alek () gmail com>
    <mailto:nikolic.alek () gmail com <mailto:nikolic.alek () gmail com>>>
    wrote:
    >>
    >>     Resending this as i didn't get any comments , and I guess
    it might
    >>     not have got attention due to list changing ...
    >>
    >>
    >>     -------- Original Message --------
    >>     Subject:        [NSE] mysql-enum user enumeration script
    >>     Date:   Mon, 03 Dec 2012 21:38:59 +0100
    >>     From:   Aleksandar Nikolic <nikolic.alek () gmail com
    <mailto:nikolic.alek () gmail com>
    >>     <mailto:nikolic.alek () gmail com
    <mailto:nikolic.alek () gmail com>>>
    >>     To:     nmap-dev () insecure org
    <mailto:nmap-dev () insecure org> <mailto:nmap-dev () insecure org
    <mailto:nmap-dev () insecure org>>
    >>
    >>
    >>
    >>     Hi all ,
    >>
    >>     been a long time since I contributed something :)
    >>
    >>     As you might have noticed, kingcope released quite a number
    of mysql
    >>     vulns over the
    >>     weekend, one of them being an user enumeration vulnerability
    >>     which sounded
    >>     like a perfect candidate for a NSE script (original release :
    >>     http://seclists.org/fulldisclosure/2012/Dec/9 ).
    >>     So here is my rough draft for it.
    >>
    >>     The vuln lies in the fact that MySQL server, when it gets
    connection
    >>     from a client using old authentication
    >>     mechanism, responds in different ways when user does and
    does not
    >>     exist.
    >>     Basically , when
    >>     user does not exist, the server replies with "Access denied for
    >>     user..."
    >>     immediately, else it waits for a
    >>     password.
    >>
    >>     I might be a little rusty with Lua and nmap dev , so do
    point out
    >>     your
    >>     ideas
    >>     and suggestions for improvements.
    >>
    >>     Aleksandar
    >>
    >>
    >>
    >>
    >>
    >>     _______________________________________________
    >>     Sent through the dev mailing list
    >>     http://nmap.org/mailman/listinfo/dev
    >>     Archived at http://seclists.org/nmap-dev/
    >>
    >>
    >>
    >>
    >> --
    >> Patrik Karlsson
    >> http://www.cqure.net
    >> http://twitter.com/nevdull77
    >>
    >>
    >

    _______________________________________________
    Sent through the dev mailing list
    http://nmap.org/mailman/listinfo/dev
    Archived at http://seclists.org/nmap-dev/




-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77



_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault