21. Nmap MySQL Enumeration

MySQL is a widely used relational database server that listens on TCP port 3306 by default (MariaDB and Percona Server speak the same wire protocol, so the same scripts work against them). The following Nmap commands use NSE scripts to fingerprint the service, enumerate account names, check for missing passwords, and guess credentials.


1. MySQL Service Information

Command:

nmap -p 3306 --script mysql-info 192.168.1.1

Explanation:

  • -p 3306:
    • Scans port 3306, the default port for MySQL.
  • --script mysql-info:
    • Executes the mysql-info script, which gathers basic information about the MySQL service.

Purpose:

  • Reads the server's initial handshake packet, which MySQL sends before any authentication takes place, and reports the protocol version, server version, thread ID, capability flags, status flags, and the authentication plugin the server asks the client to use. No credentials are needed.

Example Output:

PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-info:
|   Protocol: 10
|   Version: 8.0.32
|   Thread ID: 3
|   Capabilities flags: 65535
|   Some Capabilities: Support41Auth, SupportsTransactions, LongPassword, ConnectWithDatabase, SwitchToSSLAfterHandshake, SupportsCompression, SupportsAuthPlugins
|   Status: Autocommit
|_  Auth Plugin Name: caching_sha2_password

Insights:

  • Version: The handshake carries the exact server version string, so this is the quickest way to match the target against known issues for that release.
  • Capabilities: Shows what the server supports; for example SwitchToSSLAfterHandshake means TLS is available for the connection, not that it is required.
  • Auth Plugin Name: Nmap's mysql library implements the classic mysql_native_password handshake. If the server asks for another plugin (caching_sha2_password is the MySQL 8.0 default), treat negative results from the credential scripts below as unverified and confirm them with a real client.
  • Error instead of a handshake: If the script prints "MySQL Error: Host '...' is not allowed to connect to this MySQL server", the TCP port is open but no account is permitted from the scanning host; the credential scripts will get no further from this vantage point either.

2. MySQL User Enumeration

Command:

nmap -p 3306 --script mysql-enum 192.168.1.1

Explanation:

  • --script mysql-enum:
    • Executes the mysql-enum script, which checks a list of usernames (Nmap's built-in list, or one supplied with --script-args userdb=<file>) for valid accounts without any credentials. It relies on a difference in how vulnerable MySQL 5.x servers respond during the authentication handshake for existing versus non-existing users, a bug published by Kingcope in December 2012. It does not enumerate databases or privileges; those require a working login and the mysql-databases and mysql-users scripts (see Next Steps below).

Purpose:

  • Identifies valid account names before any password guessing, so mysql-brute can be pointed at real users instead of an entire wordlist.

Example Output:

PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-enum:
|   Valid usernames:
|     root:<empty> - Valid user found
|     backup:<empty> - Valid user found
|_  Statistics: Performed 10 guesses in 1 seconds, average tps: 10

Insights:

  • Valid usernames: Candidate accounts for mysql-brute; write them to a file and pass it with --script-args userdb=<file>.
  • Inconclusive results: A server patched against the enumeration bug does not leak the difference, so the script may report every guessed name as valid or none at all. If the whole list comes back as "Valid user found", treat the output as a lead to confirm, not as a list of accounts.

3. MySQL Empty Password Check

Command:

nmap -p 3306 --script mysql-empty-password 192.168.1.1

Explanation:

  • --script mysql-empty-password:
    • Executes the mysql-empty-password script, which tries to log in as root and as the anonymous user (empty username) with an empty password. It tests only those two accounts; other accounts with blank passwords are found with mysql-brute and a password list containing an empty entry (or --script-args brute.emptypass=true).

Purpose:

  • Detects the two leftovers of an unhardened default installation, a root account with no password and an anonymous account, which are exactly what mysql_secure_installation removes.

Example Output:

PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-empty-password:
|   anonymous account has empty password
|_  root account has empty password

Insights:

  • Weak Credentials: root with an empty password is full control of the server from every host allowed to connect. An anonymous account usually has few privileges but still gives a login for the authenticated scripts (mysql-databases, mysql-users, mysql-variables) and for reading information_schema.
  • Host restrictions: MySQL accounts are defined per client host ('root'@'localhost' is a different account from 'root'@'%'), and the script only sees what is reachable from the scanning host. A negative result therefore does not prove that root has a password when connecting locally.

4. MySQL Brute-Forcing

Command:

nmap -p 3306 --script mysql-brute --script-args userdb=users.txt,passdb=passwords.txt,brute.threads=4 192.168.1.1

Explanation:

  • --script mysql-brute:
    • Executes the mysql-brute script, which uses Nmap's brute library to guess username/password combinations against the server.
  • --script-args userdb=users.txt,passdb=passwords.txt:
    • Supplies your own username and password lists (users.txt and passwords.txt stand for whatever files you use; without them the script falls back to Nmap's built-in lists). Seeding the user list with the names returned by mysql-enum keeps the run short.
  • --script-args brute.threads=4:
    • Caps the number of parallel login attempts at 4. The argument is brute.threads, an option of the brute library shared by all the *-brute scripts; there is no mysql-brute.thread argument.

Purpose:

  • Tests whether any account uses a weak, default or reused password.

Example Output:

PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-brute:
|   Accounts:
|     root:admin123 - Valid credentials
|_  Statistics: Performed 40 guesses in 3 seconds, average tps: 13

Insights:

  • Discovered Credentials: Any hit is a working login. Feed it to the authenticated scripts (mysql-databases, mysql-users, mysql-dump-hashes) with --script-args mysqluser=<user>,mysqlpass=<password> to see what the account can reach.
  • Lockout and Noise: Raising brute.threads speeds up the run but produces many concurrent, often interrupted handshakes. MySQL counts interrupted handshakes per client host against max_connect_errors and, once the limit is reached, refuses the scanning host with "Host '...' is blocked because of many connection errors" until an administrator runs FLUSH HOSTS (or mysqladmin flush-hosts). A low thread count and a short, targeted list are faster in practice and far less likely to end the assessment with a blocked host; brute.firstonly=true stops after the first valid pair.
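The following shell script is an added example, not part of the original page or of Nmap itself. It takes the normal-format output of a single nmap run that combined mysql-info, mysql-empty-password and mysql-brute (sections 1, 3 and 4 above), checks whether the scanning host was allowed to connect at all, extracts the version and authentication plugin, collects every credential found, and prints the authenticated follow-up command (mysql-databases, mysql-users and mysql-variables with the mysqluser/mysqlpass script arguments) for each one. The scan output embedded in it is constructed for the example, and the function names (mysql_host_allowed, mysql_version, mysql_auth_plugin, mysql_creds, followup_cmd, triage) are the example's own.

```shell
#!/bin/sh
# Added example: triage nmap output from mysql-info + mysql-empty-password + mysql-brute.
# The two scan outputs below are constructed for this example; the field names and
# line layouts follow the output format of the scripts as shipped with Nmap.

SAMPLE_SCAN='Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).

PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-info:
|   Protocol: 10
|   Version: 5.7.42
|   Thread ID: 11
|   Capabilities flags: 65535
|   Some Capabilities: Support41Auth, ConnectWithDatabase, SupportsTransactions
|   Status: Autocommit
|_  Auth Plugin Name: mysql_native_password
| mysql-empty-password:
|_  root account has empty password
| mysql-brute:
|   Accounts:
|     backup:backup - Valid credentials
|_  Statistics: Performed 40 guesses in 3 seconds, average tps: 13'

# Constructed output for a host whose MySQL rejects the scanning machine before
# authentication (MySQL error 1130): no credential script can be tested from here.
DENIED_SCAN="PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-info:
|_  MySQL Error: Host '10.0.0.5' is not allowed to connect to this MySQL server"

# Return 0 when mysql-info obtained a handshake, 1 when the server rejected the host.
mysql_host_allowed() {
    if printf '%s\n' "$1" | grep -q 'is not allowed to connect to this MySQL server'; then
        return 1
    fi
    return 0
}

# Print the server version from the mysql-info block (empty when absent).
mysql_version() {
    printf '%s\n' "$1" | sed -n 's/^|  *Version: *//p' | head -n 1
}

# Print the authentication plugin the server asked for (empty when absent).
mysql_auth_plugin() {
    printf '%s\n' "$1" | sed -n 's/^|_*  *Auth Plugin Name: *//p' | head -n 1
}

# Print every credential found, one "user:password" per line.
# mysql-empty-password reports "<user> account has empty password";
# mysql-brute (Nmap's brute library) reports "user:pass - Valid credentials".
mysql_creds() {
    printf '%s\n' "$1" | awk '
        /^[|]_?  *[^ ]+ account has empty password/ {
            sub(/^[|]_?  */, ""); print $1 ":"; next
        }
        / - Valid credentials$/ {
            sub(/^[|]_?  */, ""); sub(/ - Valid credentials$/, ""); print; next
        }'
}

# Build the authenticated enumeration command for one "user:password" pair and target.
# mysql-databases, mysql-users and mysql-variables all read mysqluser/mysqlpass.
# (Passwords containing commas or spaces need extra quoting for --script-args.)
followup_cmd() {
    cred_user=${1%%:*}
    cred_pass=${1#*:}
    printf 'nmap -p 3306 --script mysql-databases,mysql-users,mysql-variables --script-args mysqluser=%s,mysqlpass=%s %s\n' \
        "$cred_user" "$cred_pass" "$2"
}

# Summarise one host: reachability, version, auth plugin and follow-up commands.
triage() {
    if ! mysql_host_allowed "$1"; then
        printf '%s: scanning host not allowed to connect; credential scripts cannot be used from here\n' "$2"
        return 1
    fi
    printf '%s: MySQL %s, auth plugin %s\n' "$2" "$(mysql_version "$1")" "$(mysql_auth_plugin "$1")"
    mysql_creds "$1" | while IFS= read -r cred; do
        printf '%s: %s -> %s\n' "$2" "$cred" "$(followup_cmd "$cred" "$2")"
    done
}

triage "$SAMPLE_SCAN" 192.168.1.1
triage "$DENIED_SCAN" 192.168.1.2 || printf '192.168.1.2: skipped\n'
```

In a real run, replace the embedded strings with the output of `nmap -p 3306 --script mysql-info,mysql-empty-password,mysql-brute -oN scan.txt <target>` and pass the file contents to triage; an empty password is passed on as mysqlpass= with nothing after the equals sign, which the authenticated scripts accept.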

Comparison of Scripts

Script                Purpose                                            Output
--------------------  -------------------------------------------------  -----------------------------------------------------
mysql-info            Reads the pre-authentication handshake.            Protocol, version, capabilities, status, auth plugin.
mysql-enum            Enumerates valid usernames without credentials.    Usernames reported as valid, plus guess statistics.
mysql-empty-password  Tests root and anonymous for an empty password.    Accounts that accept an empty password.
mysql-brute           Guesses username/password pairs from wordlists.    Valid credentials found, plus guess statistics.

Actionable Insights:

  1. Information Gathering:
    • Use mysql-info to read the server version, capabilities and authentication plugin; it needs no credentials and also tells you whether the scanning host is allowed to connect at all.
    • Use mysql-enum to build a list of valid usernames, keeping in mind that a patched server may not leak the difference.

  2. Weak Credential Detection:
    • Use mysql-empty-password to test root and the anonymous account for a blank password.
    • Use mysql-brute, with the usernames from mysql-enum and a short password list, to test for weak or default credentials; keep brute.threads low so the scanning host is not blocked by max_connect_errors.

  3. Next Steps:
    • If credentials are found, run the authenticated scripts (mysql-databases, mysql-users, mysql-variables, mysql-dump-hashes) with --script-args mysqluser=<user>,mysqlpass=<password>, or log in with the mysql client, to assess what the account can reach (only if authorized).
    • If a vulnerable version is detected, search for relevant exploits (e.g., CVEs) and confirm that the exact version and platform are affected before reporting.

  4. Ethical Considerations:
    • Always obtain permission before performing these scans.
    • Avoid brute-forcing or exploiting servers without explicit authorization; brute-forcing in particular can lock legitimate clients out of the database.

Use Case:

These scripts are essential for penetration testers and security analysts to identify potential vulnerabilities in MySQL servers during security assessments.