Nmap Development mailing list archives

[RFC] New NSE script for MySQL database servers


From: "Thomas Buchanan" <TBuchanan () thecompassgrp net>
Date: Fri, 11 Jan 2008 16:52:28 -0600

Hello,

After Kris posted his MySQL server information script last month [1], I
mentioned that I had also been working on a MySQL script.  However, I
felt like the focus of mine was a little different, so as I found time,
I kept working on it.  I've gotten it to a point where I'm not
completely ashamed to let other people look at it, so I'm posting it to
try and get some feedback.

The reason I say my script has a different focus is that Kris's script
extracts information available without logging into the MySQL service,
while mine focuses almost entirely on information that is gathered using
an established connection.  This can be an anonymous connection (no
username or password), or an authenticated connection (username with or
without password), depending on how the server is configured.  The
script contains a list of common usernames and simple passwords that it
cycles through to try and establish a valid connection.  If it succeeds,
it extracts the list of databases present on the server (or at least the
list of databases visible to the user that it successfully authenticated
as).  It also uses some 'SHOW STATUS' commands [2] to extract
information such as service uptime, bytes transferred, connection
attempts, etc.

Here's an example of the output:

$ NMAPDIR=. ./nmap -sSV -p 3306 --script=MySQLdb.nse 192.168.60.131

Starting Nmap 4.52 ( http://insecure.org ) at 2008-01-11 16:20 Central
Standard Time
Interesting ports on 192.168.60.131:
PORT     STATE SERVICE VERSION
3306/tcp open  mysql   MySQL 5.0.45
|  MySQL:  Able to login to MySQL server with username root and password
"root".
|    The following database(s) were detected:
|     information_schema, mysql, test
|    Server status variables:
|     Server uptime: 8 minutes, 16 seconds.
|     Statements processed: 3 (0.01 per second)
|     Connections: 2 successful, 22 unsuccessful.
|     Open files: 12           Open tables: 6
|_    Bytes received: 1561    Bytes send: 3855

As you can see, the security on this database system needs to be
reviewed :)

The ability to login with username and password relies on the NSE /
OpenSSL patches that I posted to the list a couple of months ago [3].
The script can only log in to database systems which support the 'newer'
MySQL authentication scheme, introduced in MySQL 4.1.  I won't say that
I'll never look into supporting the older scheme at some point, but I
have to admit that for now I don't see much value in it.

I'm not suggesting that this script be considered for inclusion in the
nmap source tree at this point.  For one thing, it relies on some code
that hasn't been included in nmap to this point.  For another, the
script isn't sufficiently intelligent about certain things.  It doesn't
make a genuine effort to tell if the server supports the new password
scheme (it just assumes that any server newer than 4.1 does).  It
doesn't recognize when a server sends 'Unauthorized' messages back in
response to specific username and/or hostname combinations.  It can
generate a lot of duplicate information if the server allows anonymous
connections.  But I felt like it was time to start getting other eyes on
the script, and to show that my OpenSSL library for NSE did have some
practical value.  :)

At this point, it's probably only feasible to test this script on *NIX
based systems, due to the difficulty in building nmap on Windows with
the necessary OpenSSL libraries.  I was able to successfully compile
both OpenSSL support and my NSE OpenSSL library on Windows, but it's not
a very straightforward process.

I'd be interested to hear opinions on whether this script (if it is
eventually considered for inclusion) should stay separate from Kris's,
or whether an effort should be made to combine the two.

Your comments and questions are much appreciated.

Thanks,

Thomas

[1] http://seclists.org/nmap-dev/2007/q4/0677.html
[2] http://dev.mysql.com/doc/refman/5.0/en/server-status-variables.html
[3] http://seclists.org/nmap-dev/2007/q4/0472.html
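The post describes the script summarising 'SHOW STATUS' counters into uptime, statements per second, successful versus unsuccessful connections and byte counts. The following is an added example, not code from the attached MySQLdb.nse or from the Nmap project: it takes status rows as a MySQL client would receive them (the rows here are constructed to reproduce the numbers in the sample output), derives the same summary, and adds a simple defender-side check, flagging a server whose aborted-connection counter dominates its connection counter, which is the footprint a credential-guessing script like this one leaves behind. The threshold in `looks_brute_forced` is an assumed value chosen for illustration.

```python
"""Summarise MySQL SHOW STATUS counters the way the MySQLdb.nse output does.

Added example; not the script's or the Nmap project's own code.  The status
rows below are constructed to match the numbers shown in the post.
"""

# Constructed sample: (Variable_name, Value) rows as 'SHOW STATUS' returns them.
# MySQL defines Connections as all connection attempts (successful or not) and
# Aborted_connects as the attempts that failed, so the difference is the number
# of successful logins.
SAMPLE_STATUS_ROWS = [
    ("Uptime", "496"),
    ("Questions", "3"),
    ("Connections", "24"),
    ("Aborted_connects", "22"),
    ("Open_files", "12"),
    ("Open_tables", "6"),
    ("Bytes_received", "1561"),
    ("Bytes_sent", "3855"),
]


def format_uptime(seconds: int) -> str:
    """Render a second count as 'N days, N hours, N minutes, N seconds', skipping zero units."""
    units = (("day", 86400), ("hour", 3600), ("minute", 60), ("second", 1))
    parts = []
    for name, size in units:
        count, seconds = divmod(seconds, size)
        if count:
            parts.append(f"{count} {name}{'' if count == 1 else 's'}")
    return ", ".join(parts) or "0 seconds"


def summarise_status(rows) -> dict:
    """Turn SHOW STATUS rows into the counters the script reports."""
    status = {name: int(value) for name, value in rows}
    uptime = status["Uptime"]
    connections = status["Connections"]
    aborted = status.get("Aborted_connects", 0)
    return {
        "uptime": format_uptime(uptime),
        "statements": status["Questions"],
        # Rate rounded to two decimals, as in the script's "(0.01 per second)".
        "statements_per_second": round(status["Questions"] / uptime, 2) if uptime else 0.0,
        "successful_connections": connections - aborted,
        "unsuccessful_connections": aborted,
        "failed_connection_ratio": aborted / connections if connections else 0.0,
        "open_files": status["Open_files"],
        "open_tables": status["Open_tables"],
        "bytes_received": status["Bytes_received"],
        "bytes_sent": status["Bytes_sent"],
    }


def render_report(summary: dict) -> list:
    """Produce the report lines in the same shape as the script's output."""
    return [
        f"Server uptime: {summary['uptime']}.",
        f"Statements processed: {summary['statements']} "
        f"({summary['statements_per_second']:.2f} per second)",
        f"Connections: {summary['successful_connections']} successful, "
        f"{summary['unsuccessful_connections']} unsuccessful.",
        f"Open files: {summary['open_files']}    Open tables: {summary['open_tables']}",
        f"Bytes received: {summary['bytes_received']}    Bytes sent: {summary['bytes_sent']}",
    ]


def looks_brute_forced(summary: dict, threshold: float = 0.5) -> bool:
    """Defender-side check: most connection attempts failing is the mark of
    credential guessing.  The 0.5 threshold is an assumed illustrative value."""
    return summary["failed_connection_ratio"] > threshold


if __name__ == "__main__":
    report = summarise_status(SAMPLE_STATUS_ROWS)
    for line in render_report(report):
        print(line)
    if looks_brute_forced(report):
        print("Warning: failed connections dominate; review the server's error log.")
```

Run against the constructed rows, the report reproduces the post's "8 minutes, 16 seconds", "3 (0.01 per second)" and "2 successful, 22 unsuccessful" lines, and the failed-connection check fires because 22 of the 24 attempts were aborted.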

Attachment: MySQLdb.nse
Description: MySQLdb.nse


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
