[NSE Script] MySQL Server Information
From: Kris Katterjohn <katterjohn () gmail com>
Date: Sun, 16 Dec 2007 01:06:16 -0600
Hey nmap-dev! I've attached a new NSE script which connects to a MySQL server and prints information obtained from the greeting, such as the protocol and version numbers, thread id, capabilities, status, and password salt (it handles both 8- and 20-byte salts).
I've put it in the "discovery" and "safe" categories. Here's an example:

PORT     STATE SERVICE REASON
3306/tcp open  mysql   syn-ack
| MySQL Server Information: Protocol: 10
| Version: 5.0.45-Debian_1ubuntu3-log
| Thread ID: 32
| Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, SSL, Transactions, Secure Connection
| Status: Autocommit
|_ Salt: (8"?VqV>o5YC"{i}X}0r
Please let me know what you think!
Thanks,
Kris Katterjohn
-- Connect to MySQL server and print information such as the protocol and
-- version numbers, thread id, status, capabilities and the password salt
-- Script metadata; `id` is the label printed in front of the results
-- (see the "| MySQL Server Information:" line in the example output).
id = "MySQL Server Information"
description = "Connects to a MySQL server and prints information"
author = "Kris Katterjohn <katterjohn () gmail com>"
license = "Look at Nmap's COPYING"
-- The action only reads the server greeting and never sends a login
-- attempt, which is why it is listed as "safe".
categories = { "discovery", "safe" }
require 'shortport'
require 'bit'
-- Grabs NUL-terminated string
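-- Returns the NUL-terminated string at the start of `orig`, without the
-- terminator.
-- The input is server-controlled: when no NUL is present the whole input is
-- returned instead of erroring on a nil byte (the byte-by-byte loop it
-- replaces called string.char(nil) in that case). A single plain find plus
-- sub also avoids the quadratic `..` concatenation.
-- @param orig string, binary data from the greeting
-- @return string, the bytes before the first NUL (or all of `orig`)
local getstring = function(orig)
  local nul = orig:find("\0", 1, true)
  if nul then
    return orig:sub(1, nul - 1)
  end
  return orig
end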
-- Convert two bytes into a number
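-- Decode a 16-bit little-endian integer from the first two bytes of `num`.
-- The byte at position 1 is the least significant one (the MySQL wire
-- order), so despite the name this is not network (big-endian) byte order.
-- Plain arithmetic is used because string.byte already yields 0..255; no
-- masking and no bit library are needed.
-- @param num string, at least two bytes long
-- @return number
-- @raise error (reported at the caller) when fewer than two bytes are given,
--   instead of an obscure "arithmetic on a nil value" failure
ntohs = function(num)
  local b1, b2 = num:byte(1, 2)
  if not b2 then
    error("ntohs: expected at least 2 bytes", 2)
  end
  return b1 + b2 * 256
end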
-- Convert three bytes into a number
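-- Decode a 24-bit little-endian integer from the first three bytes of `num`
-- (used for the 3-byte MySQL packet length). Byte 1 is the least significant
-- one, so this is not true network byte order despite the name.
-- Plain arithmetic: string.byte yields 0..255, so no masking or bit library
-- is required.
-- @param num string, at least three bytes long
-- @return number
-- @raise error (reported at the caller) when fewer than three bytes are given
ntoh3 = function(num)
  local b1, b2, b3 = num:byte(1, 3)
  if not b3 then
    error("ntoh3: expected at least 3 bytes", 2)
  end
  return b1 + b2 * 256 + b3 * 65536
end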
-- Convert four bytes into a number
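-- Decode a 32-bit little-endian integer from the first four bytes of `num`
-- (used for the thread id). Byte 1 is the least significant one, so this is
-- not true network byte order despite the name.
-- Plain arithmetic: string.byte yields 0..255, so no masking or bit library
-- is required, and the result stays exact in a double.
-- @param num string, at least four bytes long
-- @return number
-- @raise error (reported at the caller) when fewer than four bytes are given
ntohl = function(num)
  local b1, b2, b3, b4 = num:byte(1, 4)
  if not b4 then
    error("ntohl: expected at least 4 bytes", 2)
  end
  return b1 + b2 * 256 + b3 * 65536 + b4 * 16777216
end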
-- Convert number to a list of capabilities for printing
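-- Capability flag bits reported by this script, in print order. Only the
-- bits the original listed are included; other bits are ignored.
local CAPABILITY_FLAGS = {
  { 1,     "Long Passwords" },
  { 8,     "Connect with DB" },
  { 32,    "Compress" },
  { 64,    "ODBC" },
  { 2048,  "SSL" },
  { 8192,  "Transactions" },
  { 32768, "Secure Connection" },
}

-- Returns true when bit `flag` (a power of two) is set in `num`.
-- Arithmetic rather than bit.band so it works without the bit library and on
-- every Lua version.
local function has_flag(num, flag)
  return math.floor(num / flag) % 2 == 1
end

-- Convert the 16-bit capability field into a comma-separated list of names
-- for printing.
-- Fix: the previous version tested `bit.bor(num, flag)`, which is a number
-- and therefore always truthy in Lua, so every capability was printed no
-- matter what the server sent; the bit must be tested with an AND.
-- It also returned gsub's two results; this returns exactly one string.
-- @param num number, the capability flags as decoded by ntohs
-- @return string, "" when none of the known bits are set
capabilities = function(num)
  local names = {}
  for _, entry in ipairs(CAPABILITY_FLAGS) do
    if has_flag(num, entry[1]) then
      names[#names + 1] = entry[2]
    end
  end
  return table.concat(names, ", ")
end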
-- Run against port 3306 or any open port whose service was identified as "mysql"
portrule = shortport.port_or_service(3306, "mysql")
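-- Connects, reads the server greeting and reports the fields parsed below.
-- Layout as parsed here, after the 4-byte packet header (3-byte little-endian
-- payload length plus one sequence byte): protocol (1 byte), server version
-- (NUL-terminated), thread id (4), first salt part (NUL-terminated),
-- capability flags (2), one skipped byte, status flags (2), 13 skipped bytes,
-- then optionally a second NUL-terminated salt part.
-- Every byte comes from the remote server, so each read is bounds-checked and
-- a short or malformed greeting yields the "Invalid greeting" verdict instead
-- of a runtime error in the script (the previous version indexed past the end
-- of the buffer and called string.char(nil) on greetings without a NUL).
-- @param host table with `ip`
-- @param port table with `number`
-- @return string, one "Label: value" line per field, or nil when the
--   connection fails
action = function(host, port)
  local sock = nmap.new_socket()
  sock:set_timeout(5000)
  local connected = sock:connect(host.ip, port.number)
  if not connected then
    sock:close()
    return
  end

  -- The greeting is binary, so receive_lines() is only a "give me whatever
  -- arrived" call; the loop ends when the socket reports failure (the server
  -- closed, or the 5 s timeout above fired). Chunks are joined once instead
  -- of being concatenated in the loop.
  local chunks = {}
  while true do
    local status, chunk = sock:receive_lines(1)
    if not status then
      break
    end
    chunks[#chunks + 1] = chunk
  end
  sock:close()
  local response = table.concat(chunks)

  local invalid = "Invalid greeting (Not MySQL?)"
  if response:len() < 4 then
    return invalid
  end
  -- The payload length in the header must match what was actually received.
  local length = ntoh3(response:sub(1, 3))
  if length ~= response:len() - 4 then
    return invalid
  end

  -- 1-based cursor into `response`, starting just past the packet header.
  local offset = 5

  -- Reads n raw bytes at the cursor and advances; nil when fewer remain.
  local function read_bytes(n)
    if response:len() < offset + n - 1 then
      return nil
    end
    local bytes = response:sub(offset, offset + n - 1)
    offset = offset + n
    return bytes
  end

  -- Reads the NUL-terminated string at the cursor and advances past the
  -- NUL; nil when no terminator is left in the buffer.
  local function read_cstring()
    local nul = response:find("\0", offset, true)
    if not nul then
      return nil
    end
    local str = response:sub(offset, nul - 1)
    offset = nul + 1
    return str
  end

  local protocol_byte = read_bytes(1)
  local version = read_cstring()
  local threadid_bytes = read_bytes(4)
  local salt = read_cstring()
  local caps_bytes = read_bytes(2)
  local charset_byte = read_bytes(1) -- not reported
  local status_bytes = read_bytes(2)
  -- Any field that ran off the end of the buffer means the layout above
  -- does not fit the data; reject it as a whole.
  if not (protocol_byte and version and threadid_bytes and salt
          and caps_bytes and charset_byte and status_bytes) then
    return invalid
  end

  local protocol = protocol_byte:byte(1)
  local threadid = ntohl(threadid_bytes)
  local caps = capabilities(ntohs(caps_bytes))
  local status = ""
  -- Only the exact value 2 is reported, as before.
  if ntohs(status_bytes) == 2 then
    status = "Autocommit"
  end

  offset = offset + 13 -- skipped, not reported
  -- Servers with a 20-byte salt append the remaining 12 bytes plus a NUL
  -- after the skipped block.
  if response:len() - offset + 1 == 13 then
    local salt_rest = read_cstring()
    if salt_rest then
      salt = salt .. salt_rest
    end
  end

  local lines = {
    "Protocol: " .. protocol,
    "Version: " .. version,
    "Thread ID: " .. threadid,
  }
  if caps:len() > 0 then
    lines[#lines + 1] = "Some Capabilities: " .. caps
  end
  if status:len() > 0 then
    lines[#lines + 1] = "Status: " .. status
  end
  lines[#lines + 1] = "Salt: " .. salt
  -- Every line, including the last, is newline-terminated as before.
  return table.concat(lines, "\n") .. "\n"
end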
