1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
|
local mysql = require "mysql"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
description = [[
Dumps the password hashes from an MySQL server in a format suitable for
cracking by tools such as John the Ripper. Appropriate DB privileges (root) are required.
The <code>username</code> and <code>password</code> arguments take precedence
over credentials discovered by the mysql-brute and mysql-empty-password
scripts.
]]
---
-- @usage
-- nmap -p 3306 <ip> --script mysql-dump-hashes --script-args='username=root,password=secret'
--
-- @output
-- PORT STATE SERVICE
-- 3306/tcp open mysql
-- | mysql-dump-hashes:
-- | root:*9B500343BC52E2911172EB52AE5CF4847604C6E5
-- | debian-sys-maint:*92357EE43977D9228AC9C0D60BB4B4479BD7A337
-- |_ toor:*14E65567ABDB5135D0CFD9A70B3032C179A49EE7
--
-- @args username the username to use to connect to the server
-- @args password the password to use to connect to the server
--
author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"auth", "discovery", "safe"}
dependencies = {"mysql-empty-password", "mysql-brute"}
portrule = shortport.port_or_service(3306, "mysql")
local arg_username = stdnse.get_script_args(SCRIPT_NAME .. ".username")
local arg_password = stdnse.get_script_args(SCRIPT_NAME .. ".password") or ""
local function fail(err) return stdnse.format_output(false, err) end
local function getCredentials()
-- first, let's see if the script has any credentials as arguments?
if ( arg_username ) then
return { [arg_username] = arg_password }
-- next, let's see if mysql-brute or mysql-empty-password brought us anything
elseif nmap.registry.mysqlusers then
-- do we have root credentials?
if nmap.registry.mysqlusers['root'] then
return { ['root'] = nmap.registry.mysqlusers['root'] }
else
-- we didn't have root, so let's make sure we loop over them all
return nmap.registry.mysqlusers
end
-- last, no dice, we don't have any credentials at all
end
end
local function mysqlLogin(socket, username, password)
local status, response = mysql.receiveGreeting( socket )
if ( not(status) ) then
return response
end
return mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, username, password, response.salt )
end
action = function(host, port)
local creds = getCredentials()
if ( not(creds) ) then
stdnse.debug2("No credentials were supplied, aborting ...")
return
end
local result = {}
for username, password in pairs(creds) do
local socket = nmap.new_socket()
if ( not(socket:connect(host, port)) ) then
return fail("Failed to connect to server")
end
local status, response = mysqlLogin(socket, username, password)
if ( status ) then
local query = "SELECT DISTINCT CONCAT(user, ':', password) FROM mysql.user WHERE password <> ''"
local status, rows = mysql.sqlQuery( socket, query )
socket:close()
if ( status ) then
result = mysql.formatResultset(rows, { noheaders = true })
break
end
else
socket:close()
end
end
if ( result ) then
return stdnse.format_output(true, result)
end
end
|
