Nmap Development mailing list archives

Re: MySQL scripts


From: Patrik Karlsson <patrik () cqure net>
Date: Sat, 23 Jan 2010 23:33:29 +0100


On 23 jan 2010, at 23.20, Ron wrote:

On Sat, 23 Jan 2010 23:08:34 +0100
I've added support for the anonymous account to mysql-empty-passwords. If a user with an empty name exists in MySQL 
you can authenticate anonymously. This basically means that you can authenticate using any username you want, given 
it's not the name of another user. Running the mysql-brute against a server with the anonymous account enabled will 
look as if all the guessed users will have access, which they sort of do.

I ran into the same issue with smb-brute.nse when the Guest account is enabled. I ended up putting a couple checks at 
the top that would use random usernames and fail saying "Random username accepted, can't enumerate" if it worked. 

In MySQL you need to supply an empty password in order to authenticate anonymously. If you supply a password, 
authentication will fail. If a user that does exist (has a mysql account) is tested, it won't accept anonymous 
authentication and won't show up as successful until it finds the correct password. 

So, worst case you end up with a very long list of users having a blank password. In this list you have both users that 
have been authenticated anonymously and privileged users with blank passwords. There is no easy way of telling them 
apart.

//Patrik


-- 
Ron Bowes
http://www.skullsecurity.org
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

--
Patrik Karlsson
http://www.cqure.net
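
The random-username pre-check Ron describes, applied to the MySQL behaviour Patrik describes, as an added example that is not part of either message or of the Nmap scripts. It runs against an in-memory model of the account rules stated above rather than the MySQL protocol; `ACCOUNTS`, `login`, `anonymous_enabled` and `audit_blank_passwords` are hypothetical names.

```python
import secrets

# Constructed account table standing in for a server (sample data, not real).
# The "" key is the anonymous account; values are passwords.
ACCOUNTS = {"root": "s3cret", "backup": "", "": ""}


def login(accounts, user, password):
    """Model of the rules described in the thread (an assumption, not protocol code)."""
    if user != "" and user in accounts:
        # A name that has its own account is never authenticated anonymously.
        return accounts[user] == password
    # Any other name falls through to the anonymous account, empty password only.
    return "" in accounts and password == ""


def anonymous_enabled(try_login, probes=2):
    """Pre-check: random names that cannot exist, each tried with an empty password."""
    return all(try_login("nx_" + secrets.token_hex(6), "") for _ in range(probes))


def audit_blank_passwords(try_login, usernames):
    """Report blank-password logins, marking them ambiguous when anonymous auth works."""
    anon = anonymous_enabled(try_login)
    hits = [u for u in usernames if try_login(u, "")]
    return {
        "anonymous": anon,
        # With the anonymous account enabled, a blank-password hit may be a real
        # account or just an unknown name, so nothing can be confirmed.
        "confirmed": [] if anon else hits,
        "ambiguous": hits if anon else [],
    }


if __name__ == "__main__":
    server = lambda u, p: login(ACCOUNTS, u, p)
    print(audit_blank_passwords(server, ["root", "backup", "alice"]))
```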



