mirror of
https://github.com/nmap/nmap.git
synced 2025-12-06 04:31:29 +00:00
f0c5e154c3
o Add two new Script scan phases: Script Pre-scanning phase: before any Nmap scan operation, activated by the new "prerule". Script Post-scanning phase: after all Nmap scan operations, activated by the new "postrule". o New environment variables: SCRIPT_PATH SCRIPT_NAME SCRIPT_TYPE: the type of the rule that activated the script.
85 lines
2.3 KiB
Lua
85 lines
2.3 KiB
Lua
description = [[
|
|
Performs password guessing against MySQL
|
|
]]
|
|
|
|
---
|
|
-- @output
|
|
-- 3306/tcp open mysql
|
|
-- | mysql-brute:
|
|
-- | root:<empty> => Login Correct
|
|
-- |_ test:test => Login Correct
|
|
|
|
author = "Patrik Karlsson"
|
|
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
|
|
categories = {"intrusive", "auth"}
|
|
|
|
require 'shortport'
|
|
require 'stdnse'
|
|
require 'mysql'
|
|
require 'unpwdb'
|
|
|
|
-- Version 0.3
|
|
-- Created 01/15/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
|
|
-- Revised 01/23/2010 - v0.2 - revised by Patrik Karlsson, changed username, password loop, added credential storage for other mysql scripts, added timelimit
|
|
-- Revised 01/23/2010 - v0.3 - revised by Patrik Karlsson, fixed bug showing account passwords detected twice
|
|
|
|
-- ripped from ssh-hostkey.nse
|
|
-- openssl is required for this script
|
|
if not pcall(require,"openssl") then
|
|
portrule = function() return false end
|
|
action = function() end
|
|
stdnse.print_debug( 3, "Skipping %s script because OpenSSL is missing.",
|
|
SCRIPT_NAME)
|
|
return;
|
|
end
|
|
|
|
portrule = shortport.port_or_service(3306, "mysql")
|
|
|
|
action = function( host, port )
|
|
|
|
local socket = nmap.new_socket()
|
|
local catch = function() socket:close() end
|
|
local try = nmap.new_try(catch)
|
|
local result, response, status = {}, nil, nil
|
|
local valid_accounts = {}
|
|
local usernames, passwords
|
|
local username, password
|
|
|
|
-- set a reasonable timeout value
|
|
socket:set_timeout(5000)
|
|
|
|
usernames = try(unpwdb.usernames())
|
|
passwords = try(unpwdb.passwords())
|
|
|
|
for username in usernames do
|
|
for password in passwords do
|
|
|
|
try( socket:connect(host.ip, port.number, "tcp") )
|
|
response = try( mysql.receiveGreeting( socket ) )
|
|
|
|
stdnse.print_debug( "Trying %s/%s ...", username, password )
|
|
|
|
status, response = mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, username, password, response.salt )
|
|
socket:close()
|
|
|
|
if status then
|
|
-- Add credentials for other mysql scripts to use
|
|
if nmap.registry.mysqlusers == nil then
|
|
nmap.registry.mysqlusers = {}
|
|
end
|
|
nmap.registry.mysqlusers[username]=password
|
|
|
|
table.insert( valid_accounts, string.format("%s:%s => Login Correct", username, password:len()>0 and password or "<empty>" ) )
|
|
break
|
|
end
|
|
|
|
end
|
|
passwords("reset")
|
|
end
|
|
|
|
local output = stdnse.format_output(true, valid_accounts)
|
|
|
|
return output
|
|
|
|
end
|